Secure HTTP Headers – where should they be implemented, at the WAF or code level?

I have a REST API exposed to the Internet and another application with form-based authentication.

These apps are behind a Web Application Firewall.

The question is, where should I implement the Secure HTTP Headers below, at the WAF or code level?

X-XSS-Protection
X-Frame-Options
X-Content-Type-Options
X-Permitted-Cross-Domain-Policies
HTTP Strict Transport Security
HTTP Public Key Pinning
Content Security Policy
Referrer Policy
Feature-Policy

What’s wrong with my line segment / plane intersection code?

I’m following the algorithm on this website for my line segment intersection test code. But when looking at my line segment and plane intersection, it doesn’t produce the correct point of intersection.

Here is an example of what I’m talking about: (image: intersection test failure)

Here is my code for the test:

public static bool SegmentPlane(Vector3 p1, Vector3 p2, float distance, Vector3 normal, out float time, out Vector3 point)
{
    time = 1f;
    point = Vector3.zero;

    // normal * distance is taken as a point on the plane (distance = offset along the unit normal);
    // the direction (p2 - p1) is normalised, so time is measured in world units along the segment
    time = (Vector3.Dot(normal, normal * distance) - Vector3.Dot(normal, p1)) / Vector3.Dot(normal, (p2 - p1).normalized);
    if (time >= 0f && time <= 1f)
    {
        point = p1 + time * (p2 - p1).normalized;
        return true;
    }
    return false;
}

Display code:

public void OnDrawGizmos()
{
    plane = new Plane(transform.forward, transform.position);

    // plane distance passed as the length of transform.position, normal as transform.up
    colliding = CollisionLibrary.SegmentPlane(p1.position, p2.position, Vector3.Distance(Vector3.zero, transform.position), transform.up, out time, out point);

    if (!colliding)
        Gizmos.color = Color.yellow;
    else
        Gizmos.color = Color.red;

    Gizmos.DrawLine(p1.position, p2.position);
    Gizmos.DrawSphere(point, .1f);

    Gizmos.color = Color.white;
    Gizmos.DrawLine(transform.position, transform.position + transform.up * 100);
}
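An added Python example (not the asker's Unity code) that puts the posted arithmetic beside a parameterised version: with d = p2 - p1 left unnormalised, t is the fraction of the segment, so the 0..1 range check is meaningful, whereas with the normalised direction t is a distance in world units and the check only passes for segments no longer than one unit. The plane constant is assumed to be the offset n·p0 of a point on the plane along the unit normal, which is what using normal * distance as a plane point requires.

```python
import math


def dot(a, b):
    return a[0] * b[0] + a[1] * b[1] + a[2] * b[2]


def sub(a, b):
    return (a[0] - b[0], a[1] - b[1], a[2] - b[2])


def normalized(v):
    n = math.sqrt(dot(v, v))
    return (v[0] / n, v[1] / n, v[2] / n)


def add_scaled(p, t, d):
    # p + t * d
    return (p[0] + t * d[0], p[1] + t * d[1], p[2] + t * d[2])


def plane_constant(normal, point_on_plane):
    # For the plane n . x = distance (unit n), the constant is n . p0, not the length of p0.
    return dot(normal, point_on_plane)


def segment_plane(p1, p2, distance, normal, eps=1e-9):
    """Parameterised test: returns (hit, t, point) with t the fraction along p1 -> p2."""
    d = sub(p2, p1)                      # direction left unnormalised
    denom = dot(normal, d)
    if abs(denom) < eps:
        return (False, None, None)       # segment parallel to the plane, or zero-length
    t = (distance - dot(normal, p1)) / denom
    if 0.0 <= t <= 1.0:
        return (True, t, add_scaled(p1, t, d))
    return (False, t, None)


def segment_plane_as_posted(p1, p2, distance, normal):
    """Same arithmetic as the posted C# (normal * distance as a point on the plane) with the
    direction normalised: t comes out in world units, so the [0, 1] check rejects real hits."""
    d = normalized(sub(p2, p1))
    plane_point = add_scaled((0.0, 0.0, 0.0), distance, normal)
    t = (dot(normal, plane_point) - dot(normal, p1)) / dot(normal, d)
    if 0.0 <= t <= 1.0:
        return (True, t, add_scaled(p1, t, d))
    return (False, t, None)
```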

How detectable is malicious code run by programs that download and then install the main file?

There are many programs (free or otherwise) where the user is asked to download a small installer file, which may display the EULA to the user or do some other user registration, which then downloads the latest version of the main program (much larger, and often consists of many files) to install the software.

There are many instances where this is legitimate, and it seems to be popular with mainstream software packages like Adobe or Microsoft products, and it makes sense to use this approach to handle the installation of software. But if I download a 15MB installer program for some audio processing program and scan it on VirusTotal and it says nothing is detected, but then when I run it the program says it needs to download 150MB, it completely avoids the detection, doesn’t it?

The downloaded software may even be different each time, and likely will be because of version changes and updates.

So I should then scan the newly downloaded files before running them, shouldn’t I?

Is it common for programs to be set up so that they download a malicious file from a server and then run it within their own program? And does that get detected as malicious?

Could you store your passwords in a phone app governed by a QR code?

I had an idea a little while back to have an ID card with a QR code on it that you kept in your wallet. When you want to access your passwords (view them directly), you need your ID card and to scan it with your password protected iPhone. This then reveals your desired passwords.

But I’m thinking about it more and it doesn’t seem to offer any extra “security” or protection of your passwords. You have your phone password memorized, so that’s secure. Once you get into your phone and open the customized QR reading password app, you could just have direct access to your passwords right there instead of having the QR code layer. But, say we add the QR code step, of scanning the QR code to get access. Maybe it only works on your phone. So you have your phone password and a QR code protecting your password.

Does something like this offer any extra security? I’m thinking along the lines of n-factor auth and having an actual physical ID card in the mix.

How does RFC 7636 (PKCE) stop a malicious app from doing the same code challenge and getting legitimate access to the API?

As per RFC 7636, it stops malicious apps which pretend to be legitimate apps from gaining access to OAuth 2.0 protected APIs.

The flow suggests a method of having a runtime-level secret which is generated by the client and letting the auth server know it. This allows the token issuer to verify the secret with the auth server and grant a proper access token.

However, let’s assume a malicious app, as the RFC paper suggests, with a correct client_id and client_secret; it can do the same PKCE process and gain access to protected resources.

Is this RFC not meant to protect against those kinds of attacks, or am I simply missing something here?
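The PKCE exchange as an added Python example (not code from the RFC or from any OAuth library): the attack RFC 7636 addresses is interception of the authorization code by another app on the same device, where the client_id of a native app is effectively public. The server binds the issued code to the code_challenge it received and releases a token only to whoever presents the matching code_verifier, which stays inside the legitimate app until the token request. AuthServer, legitimate_flow and interception_attempt are constructed stand-ins for the two parties.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 section 4.1: high-entropy random string; 32 bytes -> 43 unreserved characters
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Toy authorization server: remembers the challenge each issued code was requested with."""

    def __init__(self):
        self._pending = {}

    def authorize(self, client_id: str, code_challenge: str) -> str:
        # Authorization response: the code travels back via the (possibly hijacked) redirect URI.
        code = secrets.token_urlsafe(16)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # Token request: the code is single-use, so it is consumed even when verification fails.
        entry = self._pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        # RFC 7636 section 4.6: recompute the challenge from the presented verifier and compare.
        if not secrets.compare_digest(make_code_challenge(code_verifier), entry[1]):
            return None
        return "access-token-" + secrets.token_hex(8)


def legitimate_flow(server: AuthServer, client_id: str):
    verifier = make_code_verifier()                  # never leaves the real app until now
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, verifier)


def interception_attempt(server: AuthServer, client_id: str):
    verifier = make_code_verifier()                  # the real app's secret; only its hash was sent
    code = server.authorize(client_id, make_code_challenge(verifier))
    # A second app on the device sees the code and knows the public client_id, but it has
    # only the SHA-256 challenge, from which the verifier cannot be recovered.
    return server.token(client_id, code, make_code_verifier())
```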

Generate code from automata

I am trying to figure out the process of generating code (a set of instructions; implementation language specifics don’t matter at this time) from an automaton.

The description of my intent is vague because, although I am an electrical engineer with extensive coding experience, I have no theoretical CS background and I am struggling to even articulate what I mean. The issue at hand is related to a digital circuit that I am working with. At this point I am not even aware of what I need to start looking into. Another way of describing my intent is: say I have a transition model of a process with the data requirements that are associated with the states. Knowing that, can I generate a program that will implement that model? Is there a field of study that deals with problems like this? Or should I just develop some logic to solve a limited interpretation of the model?

I believe I am using incorrect or misleading terms from a CS standpoint, but I will appreciate it if I can get some guidance on how to formulate my intent and then try to understand the possible solutions, if any.

Thanks!

Pseudo code of recursive method of printing all permutations of $n$ given integers

I really don’t understand this pseudocode. The function prints all permutations of $n$ given integers, assuming that all numbers are different.

Is there a way to explain this code more easily, as I really don’t get the purpose of the swapping?

PERMUTATE(A, start, end)
   if start == end
      return A
   else
      PERMUTATE(A, start+1, end)
      for i = start+1 to end
         SWAP(A[i], A[start])
         PERMUTATE(A, start+1, end)
         SWAP(A[start], A[i])
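The pseudocode above as runnable Python (an added example, not the asker's code): the first recursive call keeps A[start] in place, each loop iteration moves a later element into position start and permutes the rest, and the second SWAP restores the array so the next iteration starts from the same arrangement. Permutations are collected into a list instead of printed so the result can be cross-checked against itertools.

```python
from itertools import permutations


def permutate(a, start, end, out):
    """Port of PERMUTATE(A, start, end): appends every arrangement of a[start..end]
    to out (instead of printing) and leaves a exactly as it was on entry."""
    if start == end:
        # Nothing left to choose: a holds one complete permutation.
        out.append(list(a))
        return
    # Case 1: a[start] stays where it is; permute the tail a[start+1..end].
    permutate(a, start + 1, end, out)
    # Case 2..: bring each later element a[i] into position start in turn.
    for i in range(start + 1, end + 1):
        a[i], a[start] = a[start], a[i]      # SWAP(A[i], A[start])
        permutate(a, start + 1, end, out)   # permute the tail behind the new head
        a[start], a[i] = a[i], a[start]     # SWAP back so the next i sees the original order


def all_permutations(values):
    a = list(values)
    out = []
    if a:
        permutate(a, 0, len(a) - 1, out)
    return out


def matches_itertools(values):
    # Cross-check: the same n! arrangements as the standard library, no duplicates, no omissions.
    ours = [tuple(p) for p in all_permutations(values)]
    return len(ours) == len(set(ours)) and set(ours) == set(permutations(values))
```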