Webapp security: Different DB permissions for different requests

January 12th, 2008

When a GET hits your server, your RESTful webapp should not alter the database: HTTP defines GET as a safe method, one with no side effects, and crawlers, prefetchers and back buttons all rely on that. Why not enforce this at the permissions level, giving safe requests a read-only database role and reserving the read-write role for POST, PUT and DELETE?

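As an added example of the idea in this excerpt (my code, not the post's): one SQLite file opened through two connections, a read-only one for the safe HTTP methods and a read-write one for everything else. SQLite's mode=ro URI flag stands in for the separate database role you would create on PostgreSQL or MySQL. The method set, the table, the routes and the role names in the comments are all assumptions.

```python
import os
import sqlite3
import tempfile

# Added example, not the post's code. One database, two connections: the safe
# HTTP methods get a connection SQLite opened read-only (mode=ro), everything
# else gets the normal read-write one. On PostgreSQL the equivalent is two
# roles (assumed names): app_ro with SELECT only, app_rw with SELECT, INSERT,
# UPDATE, DELETE, and a DSN chosen per request in the same way as below.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DB_PATH = os.path.join(tempfile.mkdtemp(), "app.sqlite")   # assumed location


def init_db():
    """Create the schema and one constructed row, using a read-write connection."""
    conn = sqlite3.connect(DB_PATH)
    try:
        conn.execute("CREATE TABLE IF NOT EXISTS comments (id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("DELETE FROM comments")
        conn.execute("INSERT INTO comments (body) VALUES ('first!')")
        conn.commit()
    finally:
        conn.close()


def connect_for(method):
    """Return a connection whose privileges match the HTTP method."""
    if method.upper() in SAFE_METHODS:
        # mode=ro makes SQLite reject every write issued on this connection.
        return sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)
    return sqlite3.connect(DB_PATH)


def handle(method, path, body=None):
    """Toy dispatcher returning (status, payload) for a few assumed routes."""
    conn = connect_for(method)
    try:
        if method == "GET" and path == "/comments":
            rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
            return 200, [row[0] for row in rows]
        if method == "GET" and path == "/comments/delete-all":
            # A mis-designed GET with a side effect (the kind of thing a crawler
            # or prefetcher would trigger). The handler bug is still here; the
            # permission layer is what stops it.
            conn.execute("DELETE FROM comments")
            conn.commit()
            return 200, "deleted"
        if method == "POST" and path == "/comments":
            conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
            conn.commit()
            return 201, "created"
        return 404, "not found"
    except sqlite3.OperationalError as exc:
        # SQLite reports "attempt to write a readonly database" here.
        return 500, f"refused by database: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    init_db()
    print(handle("GET", "/comments"))
    print(handle("GET", "/comments/delete-all"))
    print(handle("POST", "/comments", "second"))
    print(handle("GET", "/comments"))
```

The point of the delete-all route is that the application-level bug survives untouched and the write is still refused, which is exactly what a permission boundary buys you over code review alone. In production the two roles should also be two distinct credentials, so a SQL injection reached through a GET handler can at most read.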
How to return from a POST?

July 20th, 2007

I'm having difficulty deciding on the best approach to returning from a POST request to one's web app. I'd like to deliver messages to the user about the results of the request, I want to avoid the browser's "resubmit this form?" behavior on refresh and back, and proper bookmarking would be sweet, too. Unfortunately, it seems I can only have two of the three with any given strategy.

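One way to get at least the first two, shown as an added example rather than anything from the post: the Post/Redirect/Get pattern, where the POST handler does its work and answers 303 See Other, and the result message travels in a signed one-shot cookie that the following GET displays and then clears. The signing key, cookie name, handler names and the item form are assumptions. Whether the redirect target is bookmarkable depends on which URL it points at, which is the third leg of the trade-off the post describes.

```python
import base64
import hashlib
import hmac
import json
from http import HTTPStatus
from urllib.parse import urlsplit

# Added example, not the post's code. SECRET and FLASH_COOKIE are assumed names.
SECRET = b"rotate-me"      # assumed server-side key; in practice load it from config
FLASH_COOKIE = "flash"
_MAC_LEN = hashlib.sha256().digest_size


def _sign(payload: bytes) -> str:
    """payload || HMAC-SHA256(payload), urlsafe base64 so it fits in a cookie."""
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def _verify(token: str):
    """Return the decoded message, or None if the MAC does not check out."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, mac = raw[:-_MAC_LEN], raw[-_MAC_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def safe_redirect_target(target: str) -> str:
    """Allow only same-site absolute paths, so Location cannot become an open redirect."""
    parts = urlsplit(target)
    if (parts.scheme or parts.netloc or "\\" in target
            or not target.startswith("/") or target.startswith("//")):
        return "/"
    return target


def handle_post(form: dict) -> tuple:
    """Process the POST, then answer 303 so a refresh re-GETs instead of re-POSTing."""
    if not form.get("title"):
        kind, text = "error", "Title is required."
    else:
        kind, text = "ok", f"Saved {form['title']!r}."
    flash = _sign(json.dumps({"kind": kind, "text": text}).encode())
    headers = {
        "Location": safe_redirect_target(form.get("next", "/items")),
        "Set-Cookie": f"{FLASH_COOKIE}={flash}; Path=/; HttpOnly; SameSite=Lax; Secure",
    }
    return HTTPStatus.SEE_OTHER, headers, b""


def handle_get(cookies: dict) -> tuple:
    """Render the page; consume the flash and expire its cookie so it shows once."""
    message = None
    headers = {}
    token = cookies.get(FLASH_COOKIE)
    if token:
        try:
            message = _verify(token)
        except ValueError:            # bad base64 or bad JSON: treat as no message
            message = None
        headers["Set-Cookie"] = (
            f"{FLASH_COOKIE}=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax; Secure"
        )
    body = {"items": ["..."], "message": message}   # constructed page model
    return HTTPStatus.OK, headers, body
```

303 rather than 302 is deliberate: 303 tells every browser to follow with a GET, while 302 historically left the method up to the client. The MAC on the cookie is cheap insurance against a sibling subdomain planting a message in the user's page, and the check on "next" is the usual open-redirect guard.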
Using Tor correctly: Anonymous browsing edition

October 21st, 2006

Tor is a popular system for sending Internet traffic anonymously. It is mainly used for three purposes: hiding one's identity from the sites one visits, hiding which sites one is visiting from local observers such as an ISP or network administrator, and hiding the content of one's traffic from those same observers. That last protection ends at the exit relay, which sees whatever is not encrypted end to end, so Tor is no substitute for HTTPS. Using Tor without some basic precautions can be worse than not using Tor at all, leading to privacy violations, data theft, and other security problems. Here, I cover browser security with respect to preventing identity and data leakage when using the Tor network. If you are only using it to defeat web filtering, feel free to read only the section called "Locking yourself down".

At the end is an executive summary. Use it as a guideline, but make sure to read this entire post first -- it contains important instructions on how to change your browsing habits.

rel=canonical

January 13th, 2006

Matt Cutts recently posted on the topic of canonicalizing URLs. He strongly recommends consistency in the use of www vs. non-www, / vs. /index.php, etc. (Roger Johansson has two lines of .htaccess code that solve the www issue.) I'd like to try a more client-side approach, just for the fun of it.

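The server-side form of the rule, as an added example (my code; not Johansson's .htaccess and not the client-side approach the post goes on to try): pick one hostname and one path spelling, compute the canonical form of a request URL, and redirect permanently when the two differ. The hostnames, the index-file list and the function names are assumptions. The host check matters: only rewrite hosts you actually serve, so that an attacker-supplied Host header cannot steer the redirect somewhere else.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example, not the post's code. Assumed site configuration:
CANONICAL_HOST = "www.example.com"                 # the one spelling we want indexed
KNOWN_HOSTS = {"example.com", "www.example.com"}   # hosts this server answers for
INDEX_FILES = ("index.php", "index.html", "index.htm")


def canonical_url(url: str) -> str:
    """Normalise scheme case, host spelling, duplicate slashes and index files."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in KNOWN_HOSTS:
        host = CANONICAL_HOST
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    path = parts.path or "/"
    while "//" in path:                        # /blog//post -> /blog/post
        path = path.replace("//", "/")
    last = path.rsplit("/", 1)[-1]
    if last in INDEX_FILES:                    # /blog/index.php -> /blog/
        path = path[: -len(last)]
    # The fragment never reaches the server, so it is dropped here as well.
    return urlunsplit((parts.scheme.lower() or "http", netloc, path, parts.query, ""))


def redirect_for(url: str):
    """Return (301, canonical) when the request should be redirected, else None.

    Requests for hosts we do not serve are left alone: redirecting based on an
    arbitrary Host header would turn the server into an open redirector.
    """
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in KNOWN_HOSTS:
        return None
    canon = canonical_url(url)
    return (301, canon) if canon != url else None


if __name__ == "__main__":
    for request in ("http://example.com/index.php",
                    "HTTP://Example.com/blog/index.php?p=3",
                    "http://www.example.com/about/",
                    "http://evil.example/"):
        print(request, "->", redirect_for(request))
```

A 301 is what makes this equivalent to the .htaccess rule for search engines: the permanent redirect tells the crawler to merge the duplicate into the canonical URL rather than index both.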