Trying to use HMAC to pass a string to be verified. Is this secure

I am working on a django project and trying to create a REST api to verify email without using any database.

My present server connection is HTTP and not HTTPS

So some one using the api end point POST his email.

REQUEST:  curl --location --request POST '' \ --header 'Content-Type: application/json' \ --data-raw '{ "email":"", }' 

Now i am generating a random 6 digit number eg: 435667 and an email will be sent to

send_mail('PIN TO VERIFY','ENTER THE PIN 435667',None,[]) 

Send the HMAC value of 435667 as a response to this api

    raw = '435667'.encode("utf-8")     key = 'SOME_SECRET_KEY'.encode('utf-8')     hashed =, raw, hashlib.sha1)     pin_hmac_hash = base64.encodebytes(hashed.digest()).decode('utf-8')     eg: pin_hmac_hash = "SOME_HMAC_HASH_OF_PIN" 

So the response for /api/openlogin will be

{ 'email': '' 'pin': "SOME_HMAC_HASH_OF_PIN" } 

Now the user sends me back the pin along with the HMAC hash in the response

curl --location --request POST '' \ --header 'Content-Type: application/json' \ --data-raw '{ 'pin': "SOME_HMAC_HASH_OF_PIN", 'email': '', 'emailed_pin':'435667' }' 

Will someone guess the pin from SOME_HMAC_HASH_OF_PIN.

Ofcourse i will further try to autenticate the api using JWT token. So the email cannot be tampered

This is an example of PIN but it can be any string of sensitive information. Can i rely on hmac

Does a lack of verified signatures for Windows Defender indicate malware?

I ran “autoruns” from Windows Sysinternals on a Windows 10 machine, and noticed that the Windows Defender services were marked in red colour, and did not have verified signatures. I checked these services on another machine and found that they were all verified as expected.

Does this mean the Windows Defender on my machine is malware? If so, how can I remove it and reinstall a clean Windows Defender? Running the thorough offline-scan did not help.


Site country on Verified urls

I think it will be nice and handy to have the country column in the Verified list of urls. If GSA can identify the country (based on domain tld and others), it will be helpful for guys who aren’t working with xxx,xxx,xxx of urls to avoid certain tlds/hosts. I know it can be done while posting, but I think it can be useful if you want to re-target certain sites/languages.
Not sure if it’s easy or not, but the data is already collected while posting (in the Last Verified).
What do you think?

Shared SER Verified List or Proxy Semi-Dedi

hello guys, anybody interested to join my verif list subs or Proxy?
monthly subs only $ 40 for list and $ 25 for proxy, and if you want to join you can just pay $ 20 and I will share list and proxy.

or $ 15 for list or $ 5 for proxy only. I share using dropbox.

if you interested, send me eMail coz I rarely on in this forum. thanks.