I am signing (HMAC) outgoing webhooks to allow users to verify their source, should I also sign outgoing responses?

To allow API users to verify the authenticity of outgoing webhooks, I am using a similar model to Slack:

  • Concatenate timestamp and body, HMAC with pre-shared key, add timestamp and HMAC digest to headers.

  • Recipient does the same, and compares to the digest in the header.

I can either implement this exclusively on outgoing webhooks, or I can implement it as middleware that performs this process on both outgoing webhooks and responses to requests.

Is doing the latter good practice? A good idea?
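The sign-then-verify flow described in the question, as an added example (not the asker's code and not Slack's exact layout): the signed string is assumed to be "<timestamp>.<body>", the header names and the 300-second replay window are this example's choices, and the same two functions serve an outgoing response exactly as they serve a webhook, which is what the middleware option would do.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Assumptions of this example (not Slack's or the question's exact layout):
# the signed string is "<timestamp>.<body>", and the result travels in two headers.
TS_HEADER = "X-Signature-Timestamp"
SIG_HEADER = "X-Signature"
MAX_SKEW_SECONDS = 300  # reject anything whose timestamp is more than 5 minutes off


def _digest(key: bytes, timestamp: str, body: bytes) -> str:
    # Binding the timestamp into the MAC is what lets the recipient reject replays.
    return hmac.new(key, timestamp.encode("ascii") + b"." + body, hashlib.sha256).hexdigest()


def sign(key: bytes, body: bytes, now: Optional[int] = None) -> Dict[str, str]:
    """Sender side: headers to attach to an outgoing webhook (or an outgoing response)."""
    ts = str(int(time.time()) if now is None else now)
    return {TS_HEADER: ts, SIG_HEADER: _digest(key, ts, body)}


def verify(key: bytes, headers: Dict[str, str], body: bytes, now: Optional[int] = None) -> bool:
    """Recipient side: recompute the HMAC over the received timestamp and raw body.

    Fails closed on a missing header, a non-numeric timestamp, a timestamp outside
    the replay window, or a digest mismatch. compare_digest keeps the comparison
    constant-time so the mismatch position does not leak.
    """
    ts = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if ts is None or sig is None or not ts.isdigit():
        return False
    current = int(time.time()) if now is None else now
    if abs(current - int(ts)) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(_digest(key, ts, body), sig)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed, not a real key
    payload = b'{"event":"order.created","id":42}'
    hdrs = sign(secret, payload)
    print(verify(secret, hdrs, payload))        # True: untouched message
    print(verify(secret, hdrs, payload + b" "))  # False: body tampered
```

Verification must run over the raw request bytes before any JSON parsing, since re-serialising the body can change whitespace or key order and break the digest.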

Limits on responses in SP survey

I want to design a survey in SP 2016 as an event reservation form, with a choice of times available. Since each time would have only a fixed number of spaces available, can each selection have a separate limit on spaces available?

Also, I want to reserve spaces for a certain group of users. But instead of blocking their access to the form with the default “No permissions” message, I want to display a friendly message that says they’re already signed up.

How much of that can be done in the XSLT through SP Designer?

Mystic UA: are Exacting Query responses given vocally or telepathically?

The 2017 UA Mystic has various Psionic Disciplines. Under Telepathic Contact is an option called Exacting Query, whose description states:

Exacting Query (2 psi). As an action, you target one creature you can communicate with via telepathy. The target must make an Intelligence saving throw. On a failed save, the target truthfully answers one question you ask it via telepathy. On a successful save, the target is unaffected, and you can’t use this ability on it again until you finish a long rest. A creature is immune to this ability if it is immune to being charmed.

This question is asked via telepathy, but is it answered via telepathy or vocally? The Mystic’s telepathy (gained at level 2) seems to be described as only operating one way (from the Mystic to any creature the Mystic can see within 120 feet). So does this imply that the answer to an Exacting Query would be vocal?

Embedding Microsoft forms in SharePoint online to show (Questions and Responses) – Classic mode

I would like to use Microsoft Forms for a quick poll on an intranet (Classic mode) and was wondering if there is a way to redirect the user to the responses page/link after a survey or poll has been submitted? Or a way to have the questions and responses tabbed side by side?

Any resources or tips would be appreciated

How detailed should API responses be?

I would like to define rules that describe how detailed an API response should be.

To save you the effort of reading: It is of course also possible to keep the whole thing in the API documentation, but I am asking for an exact rule / best practice.

And by the way, I am not using ORM tools, I write plain SQL.

Let’s say there are the resources user and group. Users can have multiple groups and groups can have multiple users. When asking for a User by ID, would you also return the groups he is in? Would this group array only contain the IDs or contain detailed group objects?

If the group objects were detailed, there would be a risk that they would again contain user objects (cycles => users have groups which have users…). It is also possible that some nested objects are relevant and others are not. Some nested objects may need to be provided.

If you ask for a user, the database will only return the user. If the group should be supplied as an attribute, the query would have to be extended.

I am now also thinking of the extensibility of the API. When do I only return the user, when do I return a user with all its groups? I want to keep the API structure clean. Given these example routes

  • /users => return all users

  • /users/:id => return one user by user id

how would you decide which nested objects should be returned?

If you want to generalize the whole thing now, are there fixed rules?

Securing DNS by blocking queries AND responses [DNSCrypt questions]

Visiting facebook.com, you will query s.update.fbsbx.com. s.update.fbsbx.com is a CNAME to s.agentanalytics.com. Currently, the only way to block s.agentanalytics.com is to block s.update.fbsbx.com via hosts. The Windows DNS client, and even wildcard-blocking resolvers such as DNSCrypt, do not have the ability to block parent domains of CNAME replies.

13:19:30 dnsmasq[1211]: query[A] s.update.fbsbx.com from
13:19:30 dnsmasq[1211]: forwarded s.update.fbsbx.com to
13:19:30 dnsmasq[1211]: reply s.update.fbsbx.com is <CNAME>
13:19:30 dnsmasq[1211]: reply s.agentanalytics.com is <CNAME>
13:19:30 dnsmasq[1211]: reply agentanalytics.com is
13:19:30 dnsmasq[1211]: reply agentanalytics.com is
13:19:30 dnsmasq[1211]: reply agentanalytics.com is
13:19:30 dnsmasq[1211]: reply agentanalytics.com is
13:19:30 dnsmasq[1211]: reply agentanalytics.com is
13:19:30 dnsmasq[1211]: reply agentanalytics.com is
13:19:30 dnsmasq[1211]: reply agentanalytics.com is
13:19:30 dnsmasq[1211]: reply agentanalytics.com is
13:19:30 dnsmasq[1211]: reply agentanalytics.com is
13:19:30 dnsmasq[1211]: reply agentanalytics.com is

Sometimes there may be multiple CNAMEs that reveal their actual hidden associations in replies, for example:

13:55:28 dnsmasq[26607]: query[A] su.itunes.apple.com from
13:55:28 dnsmasq[26607]: forwarded su.itunes.apple.com to
13:55:29 dnsmasq[26607]: reply su.itunes.apple.com is <CNAME>
13:55:29 dnsmasq[26607]: reply su-cdn.itunes-apple.com.akadns.net is <CNAME>
13:55:29 dnsmasq[26607]: reply su-applak.itunes-apple.com.akadns.net is <CNAME>
13:55:29 dnsmasq[26607]: reply su.itunes.apple.com.edgekey.net is <CNAME>
13:55:29 dnsmasq[26607]: reply e673.dsce9.akamaiedge.net is
13:55:29 dnsmasq[26607]: query[A] xp.apple.com from
13:55:29 dnsmasq[26607]: forwarded xp.apple.com to
13:55:29 dnsmasq[26607]: reply xp.apple.com is <CNAME>
13:55:29 dnsmasq[26607]: reply xp.itunes-apple.com.akadns.net is <CNAME>
13:55:29 dnsmasq[26607]: reply xp.apple.com.edgekey.net is <CNAME>
13:55:29 dnsmasq[26607]: reply e17437.dscb.akamaiedge.net is

DNSCrypt allows wildcard blocking of outgoing domain queries, for example [analytics], but it will not block incoming responses nor the caching of s.agentanalytics.com IPs. Or, for example, if one blocks s.agentanalytics.com in the Windows hosts file or in DNSCrypt, it will still be accessible via s.update.fbsbx.com. I showed DNSCrypt’s coder how this analytics domain bypasses his wildcard protections, and he told me “These entries are not within the parent zone and are ignored by all stub resolvers.” And here he goes into more detail.

Is this incorrect?

If these IPs are ignored by the stub resolver [that includes the Windows DNS client], as he previously claimed, why are they cached to begin with? Are these IPs potentially usable by a state party/MITM, as suggested here? I saw s.update.fbsbx.com in uMatrix; what IP would it then be associated with except the s.agentanalytics.com IP addresses?

If he is incorrect, and DNSCrypt wildcard blocks refused to cache these IP responses, one could better secure their networks.

Here is another example: 21 queries occur when an iPhone immediately connects to WiFi, and the responses include 72 domains & IPs that are not in the parent domain. He is saying this is all ignored.

Here, https://pastebin.com/GYSEw1dY
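To make the gap the asker describes concrete, here is an added example (not the asker's code and not part of dnsmasq or DNSCrypt) that parses dnsmasq-style reply lines for one lookup, collects every name in the CNAME chain plus the final addresses, and applies a wildcard blocklist to the whole chain rather than only to the name the client asked for. The log lines are constructed from the chain shown above; the IP addresses are documentation addresses invented here because the post's copy of the log lost them.

```python
import fnmatch
import re
from typing import Dict, List, Optional

# Constructed dnsmasq-style log for the chain shown in the question; the addresses
# are made-up documentation IPs because the post's copy of the log lost them.
SAMPLE_LOG = """\
13:19:30 dnsmasq[1211]: query[A] s.update.fbsbx.com from 192.0.2.10
13:19:30 dnsmasq[1211]: forwarded s.update.fbsbx.com to 192.0.2.1
13:19:30 dnsmasq[1211]: reply s.update.fbsbx.com is <CNAME>
13:19:30 dnsmasq[1211]: reply s.agentanalytics.com is <CNAME>
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 203.0.113.7
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 203.0.113.8
"""

REPLY_RE = re.compile(r"reply (\S+) is (\S+)$")


def parse_chain(log: str) -> Dict[str, List[str]]:
    """Collect every owner name in the answer chain and the final A records."""
    names: List[str] = []
    addresses: List[str] = []
    for line in log.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue  # query/forwarded lines carry no answer data
        name, value = m.groups()
        if name not in names:
            names.append(name)
        if value != "<CNAME>":
            addresses.append(value)
    return {"names": names, "addresses": addresses}


def blocked_by(names: List[str], patterns: List[str]) -> Optional[str]:
    """Return the first name anywhere in the chain that matches a wildcard pattern.

    Checking only names[0] (the name the client asked for) is what lets
    s.update.fbsbx.com slip past a rule written for *analytics*.
    """
    for name in names:
        for pat in patterns:
            if fnmatch.fnmatchcase(name.lower(), pat.lower()):
                return name
    return None


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_LOG)
    hit = blocked_by(chain["names"], ["*analytics*"])
    print("queried:", chain["names"][0], "| matched:", hit, "| drop:", chain["addresses"])
```

A resolver or log monitor that applies its rules this way can refuse to cache or return the final addresses whenever any hop in the chain matches, which is the behaviour the asker wants from the wildcard block.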

Microsoft Flow Record Form responses in SharePoint Yes/No

This is my first time on StackExchange, and I haven’t found the answer to my question in the forum…

I have built a Form in order to get some data recorded into a SharePoint list using Flow. I would like to fill a SharePoint item with the format type Yes/No. In Flow, I cannot even select a field from the Form I made (I set up some other SharePoint items and it worked like a charm).

Can you please let me know how to format the question in Form, and how to set up my Flow?

Many thanks in advance!

Should I hash responses from server?

I am hashing all requests to my server with a secret token known by only the server and my mobile app, to prevent malicious apps from using my servers.

Should I also do this on the responses from the server, to validate the servers identity in the app, or would this be useless?

I’m of course using HTTPS already, and pinned certificates.

Control UX to create pre-formed responses easily

I need to build a component to help doctors generate patient reports after they run a test. The goal is to optimize the time taken to generate these reports. Currently they take upwards of 30m to produce.

I’ve attached an example report below. The data like date, patient name, measurements etc, are sourced from some metadata that comes out of a machine. The area I am unsure about is the Comments and the Conclusions sections. I have highlighted 2 canned responses under Left Atrium, but almost every bit of text under Comments is generated.

Example report

Every bit of text in the Comments section is a pre-formed observation phrase that depends on the measurement values. They don’t want to write this text manually – they want to select from a dropdown, or auto-complete, or some other control. I would estimate for each section (Left Ventricle, Atrium, etc.) there are ~100 pre-canned responses that the doctor selects from. In 95% of studies, it’s a select few responses that are used (i.e. most people don’t have some specific condition). They want to minimize manual typing of these responses, which is what they do currently.

My current thinking is to have an inline editing page, where they click on the fields and edit the report, in a WYSIWYG style. For the Comments and Conclusions section, I was thinking a tree view type selector like this one. But I worry this will be clunky with too many responses to choose from.

Does anyone have any other ideas? What is this pattern called?