Das ist das Blog von Sven Hasselbach über Themen aus der Entwicklung und alles, was ihm sonst so durch den Kopf geht.
Seit 2003 als freiberuflicher Entwickler deutschlandweit im Einsatz, mit dem Schwerpunkten Lotus Notes & XPages, Vaadin, Java & PHP.
IBM ICS Champion 2013
Gründer von cyccle
Um Kontakt mit mir aufzunehmen, einfach eine eMail an contact<at>hasselba.ch schicken oder mich bei XING finden:
Projektanfragen sind immer willkommen!
Archiv der Kategorie: Security
Karsten Lehmann has published a very promising project named „Domino JNA„, which allows access to the underlying IBM Domino/Notes C API from Java. If you want to use the project in a XPages, you have to add some Java permissions … Weiterlesen
Yesterday René commented that submitting username and password with HTTP GET is insecure, because they are submitted in clear text over the wire as part of the URI. At the first moment, I did not give some thought about it, because it is known … Weiterlesen
During the last days I have refined the DominoStatelessTokenServlet a little bit. It is now a pre-beta release, and I think it is time to explain some details about it. While it is still a proof-of-concept, it demonstrates how a … Weiterlesen
I have uploaded some of my projects to GitHub, including an alpha version of a stateless token servlet. The servlet has it’s own authentication mechanism (the password is currently not validated), and for developing purposes it uses HTTP GET. In … Weiterlesen
The „Same-orginin policy„ is an important concept for protecting web applications. In short, only resources from the same domain are allowed, everything else is permitted denied. To allow access other domains in your application, you have to enable „CORS„, a … Weiterlesen
I had some time last night (the whole family had gone to bed early), so I spent some to look at the XPages integration into Bluemix. I found the Greenwell Travel Expenses Demo: But after clicking a link, the page … Weiterlesen
Here is a list of usefull HTTP headers for responses you should know about: X-Content-Type-Options When set to „nosniff„, this header will prevent browsers from MIME-sniffing a response away from the declared content-type. While this header is more relevant for … Weiterlesen
After hardening the SSH configuration on a Debian server by removing unsecure ciphers and MACs I got in trouble with Eclipse Remote System Explorer. When trying to open the server, I always got an „Algorithm negotiation fail“ message: Even installing … Weiterlesen
In this post I will demonstrate how a do a CSRF attack against a XPages REST service. Let’s assume that we have a custom REST service on a XPage. To keep the example as simple as possible, this service returns … Weiterlesen