Why does Chrome show 304 in Response Headers section but 200 in Status code?

Might be a silly question, but I haven’t found any clear answer yet. Why does Chrome show 304 in Response Headers section but 200 in Status code? Why doesn’t it show 304 in Status code (BTW, that is NOT 200 memory cache.)?

If it shows 200 I can’t know it is actually 304 without looking into request detail.

enter image description here

Compared to Firefox (the same request), 304 in status code.

enter image description here

Secure HTTP Headers – where should be implemented, WAF or code level?

I have an REST API exposed to the Internet and another application with form-based authentication.

These apps are behind Web Application Firewall.

Question is, where I should implement below Secure HTTP Headers, on WAF or Code level?

X-XSS-Protection X-Frame-Options X-Content-Type-Options X-Permitted-Cross-Domain-Policies HTTP Strict Transport Security HTTP Public Key Pinning Content Security Policy Referrer Policy Feature-Policy

HTTP security headers – do they have an effect on SEO and affiliate links?


my site was recently moved to WPX hosting and the programmer fixed some site speed issued, plus he added HTTP security headers to the .htaccess file.

The rating for my site is now A+ on https://securityheaders.com/

However, I checked 20+ websites (from small to super large) and every single has an F rating (or at best a D) – even super big, multi-billion dollar websites.

Why is that so? Fixing HTTP headers seems to be easy. Why nobody does it?

Also, I wonder if this has…

HTTP security headers – do they have an effect on SEO and affiliate links?

Ghidra Load Linux Headers [on hold]

I’m trying to reverse engineer a linux kernel module (kernel version 4.19). Ghidra does recognize correctly all function names such as: open, misc_register etc, but it cannot determinate their exact signatures.

Let’s take as an example function copy_from_user with signature:

unsigned long copy_from_user (void *to, const void __user *from, unsigned long n); 

and here’s how Ghidra sees it:

undefined _copy_from_user (void) 

I believe that it won’t be the last kernel module for me to reverse engineer and so I would like to learn how to load all missing kernel structures to the program.

Moreover I am aware that I can edit the function signature by hand, but I would then need to add plenty of structures by hand as well (such as struct file) and this would be very ineffective.

What I’ve tried so far

(I’m super new to Ghidra and if you know better way, please just share)

I’ve downloaded headers from debian repository:

$   wget linux-headers-4.19.0-6-common_4.19.67-2+deb10u2_all.deb . $   ls linux-headers-4.19.0-6-common_4.19.67-2+deb10u2_all.deb  usr $   ls /usr/src/ linux-headers-4.19.0-6-common 

I extracted and then tried to load them using File>>Parse C Source option by specifying the path to the extracted folder..

enter image description here

and got an error. What can I do to make Ghidra aware of the correct function signatures?

Update: As MechMK1 has pointed out I have provided a directory instead of header files. I’ve corrected my mistake and this time I’ve just copied the whole content of all files into all_headers.h

$   cat `find . | grep .h` > all_headers.h $   cat all_headers.h | wc -c 29824650 

And I’ve provided all_headers.h to get parsed. This time there was no error, but Ghidra has only added around 20 defines and no function signatures.

enter image description here

enter image description here

What headers used in request by google bot?

What headers used in request by google bot? Must be user agent, but what else? I’m interested in cache control headers, does bot try to get fresh page, but not from cache?

The related question: Do browsers send different HTTP headers on page reload so that server side caches can be flushed?

I’m using server cache, what have option to refresh on Ctrl+F5, but don’t want bot to refresh page. Code what detect Ctrl+F5 below:

function cacheHitDisplay($  params)   if ($  _SERVER['HTTP_CACHE_CONTROL'] == 'no-cache') {     // process/refresh page. ctrl-f5 pressed     return 0;   }   getFromCache($  params);   exit 0 } cacheHitDisplay(); // will show cached page and exit script ...here normal page processing, saving page to cache at end... 

Is there any need to test if security headers are present in response from API in javascript code?

I have found in one of the client side libraries that it is checking if response contains all of the following headers with corresponding values (as a security measure):

'content-type', 'application/json' 'content-type', 'charset=utf-8' 'X-Content-Type-Options', 'nosniff' 'content-disposition', 'attachment' 'X-Frame-Options', 'DENY' 

I cannot see a reason for how it can help with security by validating those by client side library.

Anyone has an idea if this is reasonable or does not make any sense?

P.S. This is not a question of whether these headers should be set by the server.

P.P.S. I have found this out since for some reason even if the header is present I can see in logs that sometimes this exception is thrown. I don’t really know why, but I suppose either proxies removing headers or some browsers removing/not returning it in js for some reason. I’d be glad to hear why if someone knows reason.

“NSPR headers not found” error while building evolution using cmake

I am installing Evolution from source using cmake by following command:

cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release -DWITH_OPENLDAP=OFF .. 

But it result in following error message:

-- Looking for include files nspr.h, prio.h -- Looking for include files nspr.h, prio.h - not found CMake Error at cmake/modules/FindSMIME.cmake:80 (message):   NSPR headers not found.  Use -DWITH_NSPR_INCLUDES=/path/to/nspr to specify the include dir of NSPR. 

Any one could help me to solve this problem?

NOTE: -DWITH_OPENLDAP=OFF is because cmake gives me an error if I do not use this phrase.

preflight returns 401 response even though headers correct

I am trying to access a sharepoint server REST api to upload some files. Access is via our tomcat application

Although I believe I setup correctly the headers in IIS the request does not pass the preflight.

Here are the request headers:

Request OPTIONS /_api/contextinfo HTTP/1.1 Accept  */* Origin  http://localhost:8080 Access-Control-Request-Method   POST Access-Control-Request-Headers  content-type, accept Accept-Encoding gzip, deflate User-Agent  Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; MAAU; rv:11.0) like Gecko Host    temp-sharepoint Content-Length  0 Connection  Keep-Alive Cache-Control   no-cache 

and the response headers:

Response    HTTP/1.1 401 Unauthorized Content-Type    text/plain; charset=utf-8 Server  Microsoft-IIS/7.5 SPRequestGuid   8d690d9d-d06e-101d-6038-8056a7fce7c2 request-id  8d690d9d-d06e-101d-6038-8056a7fce7c2 X-FRAME-OPTIONS SAMEORIGIN SPRequestDuration   5 SPIisLatency    1 WWW-Authenticate    Negotiate WWW-Authenticate    NTLM X-Powered-By    ASP.NET MicrosoftSharePointTeamServices X-Content-Type-Options  nosniff X-MS-InvokeApp  1; RequireReadOnly Access-Control-Allow-Origin * Access-Control-Allow-Credentials    true Access-Control-Allow-Methods    GET,PUT,POST,DELETE,OPTIONS Access-Control-Allow-Headers    accept,content-type Date    Fri, 05 Jun 2015 15:52:01 GMT Content-Length  16 

My code to request

var url = sharepointURL + "/_api/contextinfo"; jQuery.ajax({      url: url,      type: "POST",      headers:       {         "Accept": "application/json; odata=verbose"      },      xhrFields: {             withCredentials: true     },     crossDomain: true,      contentType: "application/json;odata=verbose", 

Why is not passing the preflight? have I misconfigured the headers?

What’s the reason of both “Allow-Origin: *” and “Allow-Credentials: true” headers?

MDN says that attempting to use Access-control-allow-origin: * with credentials should result in an error.

Taking this into account, why so many major companies’ APIs (spotify, twilio, among many others) return both Access-control-allow-origin: * and Access-control-allow-credentials: true response headers?

Sending multiple Content-Length headers in a HTTP POST request using Javascript

I’m playing around with a self-xss bug that I believe I can escalate with a CSRF attack. However, the exploit relies on sending two identical Content-Length headers in a single POST request.

Essentially, I’m looking for a piece of Javascript code that will make the visitor’s browser issue a request that looks like this:

POST /authenticate[xss payload] Host: target.net Content-Length: 4 Content-Length: 4  whatever=whatever 

It doesn’t matter if the Content-Length is correct or not – there just has to be two identical Content-Length headers.

Sorry if the answer to this is trivial, I hope you can cut an infosec n00b some slack.