If a site includes the header ‘HTTP Content-Security-Policy require-sri-for’ then does this include all nested scripts?

If I’m using subresource integrity on a web page and a script that I import then itself imports a further script, will the CSP ‘require-sri-for’ also include those subsequent, nested, imported scripts?

For example, if a .js file is pulled in by the main web page and it includes reference to a further .js file, the top level file’s hash won’t change if the URL of the further .js file doesn’t change but the code at that URL has. So the top level file will pass its SRI check even though that script is then pulling in an unchecked script.

Or does CSP ‘require-sri-for’ checking get inherited by the scripts that are then loaded and so own down the import chain (if there is one)?

Figuring out what is blocking HTTP request on macOS Mojave?

I have a simple http-server running with an index.html, which I’m trying to serve over to another device over LAN. I can access the website in the host computer using localhost and it is recorded as a successful HTTP 200. Although when I try to access it with the other client device, the http server shows no sign of any request and the device times out.

I believe a firewall in my Mac is blocking the connection, but I hear that there are multiple firewalls within a Mac and they may possibly keep changing it with each OS update.

e.g.

  • Mac OS X Server ignores remote HTTP connections, but accepts local ones

  • Firewall may change on OS update

  • Firewall Logs Now Disapeared (can’t view appfirewall.log)

So I’m now using macOS Mojave, and I have very little experience using networking tools to verify what goes on in my network (So please forgive my ignorance).

  • What firewalls does macOS Mojave use?

  • Where can I find the logs (So I can see if my other device’s http-request got denied)?

  • Is there any other thing that I may not know about that can stop my http-request? If so what tools can I use to verify?

DoS attack Apache HTTP and all CPU goes 100%

We are getting a Dos attack on our web server. We enabled Cloudflare and add these rules:

If it is not SSL connection Block all. That fixed pretty much all attacks.

I would like to ask pros about this.

When I used that command :

netstat -npt | grep 80 | awk '{print $  5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head 

Output:

 108 5.1xx.1x4.2x5  This is my server IP  59 1x8.1x4.1x1.1x1  50 162.1x8.38.196  40 1x2.x5x.93.1x9  38 1x2.1x8.226.94  37 x62.15x.88.248 

After seeing my server IP I really confused.

I block all connections to 80 port except cloudflare’s.

Right now, Some of my products I use, cannot query licenses from other servers due to blocking 80 ports.

I read some blogs it says SYN attack and my server sending response but not getting any response back so It use a lot of CPU.

How can I solve this problem with Iptables. I think attack is not big one so Iptables can handle If i use right rule.

thank you.

HTTP Client Manager $request->getStatusCode() == 200 return?

When I read this HTTP Client Manager docs on Drupal, I don’t understand why it returns the $ build when $ request->getStatusCode() == 200, is that supposed to be not equal 200? I also copy and pastes the code from Drupal docs.

public function posts($  limit, $  sort) {     $  build = [       '#theme' => 'mymodule_posts_list',       '#posts' => [],     ];      $  request = $  this->httpClient->request('GET', 'http://api.example.com/posts', [       'limit' => $  limit,       'sort' => $  sort,     ]);      // This is the Part I don't understand.     if ($  request->getStatusCode() == 200) {       return $  build;     }      $  posts = $  request->getBody()->getContents();     foreach ($  posts as $  post) {       $  build['#posts'][] = [         'id' => $  post['id'],         'title' => $  post['title'],         'text' => $  post['text'],       ];     }     return $  build;   } 

Excessão .htaccess redirecionamento de http para https

Olá, a minha dúvida é a seguinte:

Quero que todo o site seja redirecionado para .https, porém uma única pagina que está rodando um iframe .http não quero que seja redirecionada para https.

Com adicionar essa exceção? Tentei da seguinte forma:

RewriteEngine On      RewriteCond %{HTTPS} on     RewriteCond $  {REQUEST_URI} ^/medidorhtml?$       RewriteRule ^(.*)$   https://meusite.com.br/$  1 [R,L] 

Как отправить json по http протоколу без потери данных

отправляю json в php через CURL

curl_setopt($  ch, CURLOPT_POSTFIELDS, $  post); 

где $ post это json_decode(file_get_contents($ mapping_conf));

$ mapping_conf – это json файл

славливаю ошибку

Catchable fatal error: Object of class stdClass could not be converted to string 

также пробовал использовать json_decode(file_get_contents($ mapping_conf)); с вторым аргументом true(чтобы переводил в массив)

от сервера прилетает ошибка {"error":"Content-Type header [multipart/form-data; boundary=------------------------6958761ae20651ff] is not supported","status":406} Пробовал в $ post кидать строку json обработанную urlencode() и также без нее – с сервера прилетает сообщение {"error":"Content-Type header [application/x-www-form-urlencoded] is not supported","status":406}

преобразовывать json в массив и отправлять массив постом не прокатит, потому как искажаются данные, к примеру {“a”:{}} переделается в [“a”:[]], на что сервер принимающий ругнется, мол мне нужен тип пустой объект, а ты мне кидаешь пустой массив

Вопрос к знатокам – как надо закодировать json текст, чтобы его можно было запихнуть в POST запрос.

Request method “POST” not supported. HTTP 405 – Method Not Allowed

necesito ayuda con un problema que no consigo solucionar.

Una pequeña aplicación montada con Maven, Spring e Hibernate. La idea es una página jsp muestra una serie de filtros para buscar en una BD y mostrar los resultados de la búsqueda. Tenemos una primera estructura simple para probar la conexión con BD pero al hacer la llamada nos devuelve un error:

HTTP 405 – Method Not Allowed Request method ‘POST’ not supported

EL jsp sería este:

<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %> <%@ page language="java" contentType="text/html; charset=ISO-8859-1"     pageEncoding="ISO-8859-1"%> <!DOCTYPE html> <html> <head> <meta charset="ISO-8859-1"> <title>Busqueda</title> <link href="estilo.css" rel="stylesheet" type="text/css"> </head> <body>     <div id="escudo">         <img alt="escudo" src="icono.png">     </div>     <form:form modelAttribute="puesto">         <h3>SELECCIONA LOS FILTROS DE BÚSQUEDA</h3>         <form action="buscar.do" method="post">             <div>                 <select name="puesto" size="1">                      <option value="Opcion 1">Opcion 1</option>                      <option value="Opcion 2">Opcion 2</option>                      <option value="Opcion 3">Opcion 3</option>                      <option value="Opcion 4">Opcion 4</option>                      <option value="Opcion 5">Opcion 5</option>                  </select>                  <br/>                  <br/> <!--            </div> -->  <!--            <div> -->                 <input type="submit" value="Buscar" name="accion">                 <input type="submit" value="Volver" name="accion">             </div>          </form>     </form:form> </body> </html> 

La acción, el buscar.do debería hacer saltar este Controller:

package com.spring.direcciondeportiva.controlador;  import java.util.List;  import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.ui.Model; import org.springframework.web.bind.annotation.ModelAttribute; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod;  import com.spring.direcciondeportiva.dao.BusquedasDAO; import com.spring.direcciondeportiva.modelo.Jugador;  @Controller @RequestMapping("/buscar.do") public class BuscarController {      @Autowired     BusquedasDAO daos;      @RequestMapping(method=RequestMethod.GET)     public String preparaForm(Model modelo) {         System.out.println("GET BUSCAR");         return "buscar";     }      @RequestMapping(value="/buscar.do", method=RequestMethod.POST)     public String iniciar(@ModelAttribute String puesto, Model modelo) {         System.out.println("Salta el buscar"); //      if(accion.equalsIgnoreCase("Buscar")) {              List<Jugador> jugadoresPosicion = daos.busquedaPorPosicion(puesto);             if(!(jugadoresPosicion.isEmpty()) ){                 modelo.addAttribute("encontrados", jugadoresPosicion);                 return "encontrados";             }else {                 return "noexiste"; //          }  //      }else if(accion.equalsIgnoreCase("Volver")) {  //          return "inicio";  //      }else {  //          return "error";          }     }  } 

He probado cientos de cosas, he mirado de todo pero no consigo hallar con la solución, ¿Alguien podría echarme una mano?

Gracias

Apche http mod_rewrite and HTTPS

I have two domains old.com and new.com.

I want to redirect old.com to new.com sending a 301 response code and forcing to use https.

All works fine using http, but it fails with https i.e. if I enter http://old.com address in browser changes to https://new.com

But if I enter https://old.com nothing changes and navigation proceed using https://old.com

Below there configuration files both for http and https. Apache version is 2.2.15 (Unix)

Anyone can help me to understand the problem?

Thanks

http.conf:

VirtualHost *:80>    ServerName   11.111.11.11    ServerAlias  old.com www.old.com new.com www.new.com     RewriteEngine on    RewriteLog "/tmp/rewrite.log"    RewriteLogLevel 3    RewriteCond %{HTTP_HOST} =old.com    RewriteRule ^(.*)$   https://new.com$  1 [R=permanent,L]     SecRuleEngine Off     ProxyRequests off    ProxyPreserveHost On     <Proxy *>      Order deny,allow      Allow from all    </Proxy>     ProxyPass / ajp://localhost:8009/    ProxyPassReverse / ajp://localhost:8009/     <Location />      Order allow,deny      Allow from all    </Location> </VirtualHost> 

httpd-le-ssl.conf:

<IfModule mod_ssl.c> <VirtualHost *:443>    ServerName   11.111.11.11    ServerAlias  old.com www.old.com new.com www.new.com     SSLEngine on    RewriteEngine on    RewriteLog "/tmp/rewrite-ssl.log"    RewriteLogLevel 3    RewriteCond %{HTTPS} =on    RewriteCond %{HTTP_HOST} =old.com    RewriteRule ^(.*)$   https://new.com$  1 [R=permanent,L]      SecRuleEngine Off     ProxyRequests off    ProxyPreserveHost On     <Proxy *>      Order deny,allow      Allow from all    </Proxy>     ProxyPass / ajp://localhost:8009/    ProxyPassReverse / ajp://localhost:8009/     <Location />      Order allow,deny      Allow from all    </Location>     Include /etc/letsencrypt/options-ssl-apache.conf    SSLCertificateFile /etc/letsencrypt/live/old.com/cert.pem    SSLCertificateKeyFile /etc/letsencrypt/live/old.com/privkey.pem    SSLCertificateChainFile /etc/letsencrypt/live/old.com/chain.pem