Concerns about a typical JWT setup

From my understanding, the current standard when using JWTs for user sessions is to have a short-lived (expires after maybe 15 minutes) access token and a long-lived refresh token (expires after 24+ hours) which can be used to obtain more access tokens.

There seems to be a handful of reasons for this, the main ones being:

  • To decrease server load regarding authentication and session management.
  • To prevent an attacker from having long term access if they somehow obtain an access token.
  • To prevent the issuing of new access tokens by revoking refresh tokens.

My concerns are:

  • Why do people think 15 minutes is short enough to prevent an attacker from doing whatever they want? A lot of damage can be done in 15 minutes.
  • If an attacker can obtain an access token, then they can most likely obtain a refresh token as well. This would allow them to obtain as many access tokens as they need (until someone figures out that the refresh token has been compromised).

Am I missing something here? Or are JWTs not really meant for security? Are they really only meant to decrease server load?

What security concerns are there regarding website users inputting personal financial data without putting in personally identifying data?

I am a web developer, but I have only a rudimentary grasp of security, e.g., be careful to sanitize inputs, store as little user data as possible, encrypt passwords, keep up with security issues of libraries and packages, etc.

Today, I was approached by a client who does financial planning about replacing a spreadsheet he gives clients with a web-based form. The spreadsheet asks users to input certain financial data – e.g., current value of various investment accounts, business interests, etc. These numbers are put into a formula and a value is generated which is supposed to help the user decide whether the consulting could be useful to them.

The phone call was very short, and my questions focused on more mundane matters about user experience, desired UI elements, etc. No commitments have been made, and I’m analyzing the project to see if it’s something I can do. I began to think about potential security issues, and I realized I really don’t know where to start. So far it seems that the client wants the form to be accessed via a magic link, and that the user would not enter any personally identifying information. I do not know yet whether my potential client wants to store the value generated, a simple dollar amount which is the ‘benefit’ the user could get by using the service. The impression I got is that my potential client simply wants to use this value as a motivator for clients to inquire further about his services.

My question is this: In this scenario, what security-related matters should I consider?

Thank you.

Does a true-polymorphed True dragon becoming a Shadow dragon evade ‘dispel’ concerns?

A kobold is True Polymorphed (‘permanently’) into a dragon’s egg (CR 0) and eventually grows up to be an ancient Green dragon. Upon rediscovering / remembering she was a kobold she fears Dispel Magic that would break her Truly Polymorphed form. She seeks to avoid regression to her previous kobold existence.

To secure her draconic shape she abides in the Shadow Realms and gains (True) Shadow dragon form. She now believes, correctly or not, that she is safer from various Dispels or Anti-magic zones.

This is, to me (and hopefully my players), a very fun BBEG campaign idea – but there are questions.

A plethora of concerns (if possible, I request that Stack Exchange answer these generally):

  • Is a True dragon’s egg ‘Challenge Rating 0’ (CR0) – or is this abuse of the True Polymorph spell?

  • Where are these Shadow Realms found (mentioned in the Monster Manual)?

  • Would the dragon be born a priori with knowledge of her previous kobold life? If so, in a Zone of Truth would she still identify as a [two decade] kobold – or that of a [born & raised / 801+ year old] dragon?

  • Would various TrueSight magics see through her Green dragon form? Would she be a kobold only as long as she was within an Anti-Magic effect or area… and then snap back?

  • If this dragon is dispelled to her former humanoid shape, is she now kobold dust that is more than eight centuries old? If so, this really ups the stakes for her interest in that True Shadow dragon change.

  • If she sets some of her flesh aside (such as a finger) whilst in ‘Green’ format (i.e. before attaining shadow format), can she use that flesh for a Clone – thus regaining her ‘healthy’ Green-shape dragon body even whilst in this ‘cursed’ Shadow state? If so, what ‘age’ is this new Green body? Is this new Clone now safe from dispel-style magics?

Base / Main Question:

  • Is this Shadow dragon (formerly Green dragon / formerly a kobold) safe from having her form removed by a simple ‘dispel’? Once transformed by this magical darkness, is she effectively a ‘normal’ Shadow dragon forever?

Note that these questions are all True Polymorph related and I hope that this one write-up will suffice. It would help game consistency if this campaign could stay RAW in-game.

If many of these questions are answered directly or indirectly elsewhere, my apologies in advance.

How can I raise concerns with a new DM about XP splitting?

My wife is new to DMing and D&D as a whole.

We had our first game yesterday and one of my friends raised a concern about how she was awarding XP, as she was giving the XP to the person who got the killing blow. He felt, and I agree, that this was unfair to the people playing a support role, i.e., our Bard and Druid.

Any suggestions on how I should bring this up without it sounding like a criticism or that I’m trying to take over?

Concerns about Fing scanner

For years I have been using the Fing iOS app to scan my home network to check for unknown devices. The iOS app is nice and self-contained, so I never worried much about its own security.

I recently downloaded the Windows Fing desktop application. It worked great, has an easy interface, and provides better results than other scanners I have tried.

BUT… the desktop app requires one to create a Fing account, and the results of the scan are uploaded to the Fing cloud. So basically now my external IP, all my internal IPs, and all my devices’ MACs are in the cloud. At first blush this seems like a huge security concern.

Has anyone encountered any security issues with the Fing service?

Job laptop and VPN, security concerns for home network?

I’ve asked if I could continue working from home. They said OK. The laptop belongs to the company and has a VPN on it. From home I’ll connect the laptop to my personal network/router over Wi-Fi. When I return the laptop I’ll change my personal/home Wi-Fi password. Are there any other security concerns for my home network while I am connected to the office VPN? Can they see my other devices? Should I worry about something? Can they (the IT administrators) access my home network?

DIY Server Security Concerns

As the title says, I have some concerns about the security of my home server and I would appreciate it if someone could make things clear for me.

Here’s the thing: I recently set up a server from an old computer case. I use Docker to install and run different services on different ports, and I would like to access some services from outside of my house.

I have a domain from namecheap and I set up dynamic dns which successfully sends my public IP to my domain periodically. Here’s the docker.

To reach different services on different ports with subdomains, I set up an nginx reverse proxy server with the help of a Docker container. I only forwarded port 80 and port 443 from my router.

Now my setup works like a charm. Let’s say I want to reach service1, which is on port 2525: I go to service1.mydomain.com and my nginx server redirects me to localhost:2525.

Here is where my concerns started: I shut down the server at night. Even though it is shut down, when I ping service1.mydomain.com, it shows my home’s IP address. It doesn’t lead anywhere in a browser; however, it can still be pinged.

  • What problems can occur with this setup?
  • Or does any problem occur at all?
  • Can someone reach into my home network?

[Note that I use a standard router with low level firewall. And although my IP is not static (I didn’t buy), it hasn’t changed in months as I observed.]

Thanks.

What security concerns are there for a fully client-side JS/HTML5 app?

I’m working on an Interactive Fiction story in Undum, which is a fully client-side JS/HTML5 framework. I’ve been reading about Content Security Policy lately (after looking up what a crypto nonce is) and began to wonder if any such thing would be important for code that’s entirely client-side. I’d apply some basic CSP if I could, mainly the ban on inline code exec, but it looks like that can only be specified in an HTTP header, which I don’t control in this case (I think — there’s no transfer happening in my game, but GitHub Pages hosts the HTML and JS, so HTTP is in use and is presumably controlled by GitHub).

This question addresses a similar concern, but is a simpler context since it will be running locally on that OP’s machine. My context will be as follows:

  • Where is the HTML and JS hosted: my GitHub Pages account. It’s not actually up there yet, but a different one implemented in Inform 6 and run on a JS Inform interpreter (Quixe) is here, and I don’t see an obvious CSP in the HTTP headers
  • Where do dependencies come from: local JS files, jquery and undum library only
  • What operations are involved: clicking generated links within the page, generating/rendering HTML from local JS (no arbitrary text user input), writing to/reading from HTML5 window.localStorage object if available to support game save/load
  • Protocol: HTTPS

What security concerns might be relevant to a kinda sorta web app like this? There’s no sensitive data involved; I’m mostly concerned with any sort of malicious script injection that might be possible.
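Added example, not part of the question above and not Undum's own code: the one injection path a no-input, client-only game like this still has is the data it reads back from `window.localStorage`. On a GitHub Pages project site every repository under one account is served from the same origin (username.github.io), so any other page hosted there, or a bad dependency in one of them, can write to the same storage key, and a save file is then attacker-controlled input. The code below parses a save as untrusted, whitelists fields and shapes, rebuilds a fresh object so JSON keys like `__proto__` are dropped, and shows the unsafe and safe way to put a string from it into markup that jQuery's `.html()` would render. The save key, the save format and the `playerName` field are assumptions for illustration; only a storage object with `getItem` is needed, so it runs under Node without a DOM.

```javascript
// Added example (not part of the original post or of Undum): treat data read back
// from window.localStorage as untrusted input. On a GitHub Pages project site every
// repository under the same account shares the origin username.github.io, so any
// other page hosted there (or a bad dependency in one of them) can write to the same
// localStorage key. The save key and format below are assumptions for illustration.

const SAVE_KEY = 'undum-save';            // assumed key name
const MAX_SAVE_CHARS = 64 * 1024;         // refuse absurdly large blobs up front
const ID_RE = /^[a-z0-9_-]{1,64}$/;       // situation/item ids the game itself generates

// Minimal HTML escaping for text that will be placed inside element content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Parse and validate a raw save string; return null rather than throwing so the game
// can fall back to a fresh start. Only whitelisted keys of the expected types survive.
function parseSave(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_SAVE_CHARS) return null;
  let data;
  try { data = JSON.parse(raw); } catch { return null; }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return null;
  if (data.version !== 1) return null;
  if (typeof data.situation !== 'string' || !ID_RE.test(data.situation)) return null;
  if (!Array.isArray(data.inventory)) return null;
  if (!data.inventory.every((i) => typeof i === 'string' && ID_RE.test(i))) return null;
  if (typeof data.playerName !== 'string' || data.playerName.length > 40) return null;
  // Rebuild a fresh object: copying known fields drops "__proto__", "constructor",
  // and anything else a hostile writer planted in the JSON.
  return {
    version: 1,
    situation: data.situation,
    inventory: [...data.inventory],
    playerName: data.playerName,
  };
}

// Unsafe: interpolating a stored string into markup that will be handed to
// jQuery's .html() or to innerHTML. A save written by another page on the same
// origin turns this into stored XSS with no user input anywhere in the game.
function renderStatusUnsafe(save) {
  return `<p class="status">Welcome back, ${save.playerName}</p>`;
}

// Safe: escape at the point where text meets markup (or build the element and set
// its text with .text()/textContent instead of producing HTML at all).
function renderStatus(save) {
  return `<p class="status">Welcome back, ${escapeHtml(save.playerName)}</p>`;
}

// Load with a fallback. In the browser call loadGame(window.localStorage); here any
// object with getItem(key) works, which is what the checks below use.
function loadGame(storage) {
  const save = parseSave(storage.getItem(SAVE_KEY));
  return save || { version: 1, situation: 'start', inventory: [], playerName: 'Stranger' };
}
```

The validation is deliberately shape-based rather than a blacklist of dangerous strings: a save that fails any check is discarded whole, which costs the player a restart but never lets a planted string reach the page. The same rule applies to anything else read from the origin's storage or from `location.hash`, and it is independent of whether a CSP header is available, which is why it is the check to have in a deployment where the headers are out of your hands.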