Has anyone written up how to secure an unauthenticated localhost service? I've got Host check against DNS rebinding, CORB/CORP/COOP against Spectre, anything else? Maybe I should work in a secret path segment after all.
-
(because if an attacker can bind to the service's port while it's not running, the attacker can steal the creds; and if the credentials are cookies, the attacker can bind to any other port and receive the credentials on that port)
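An added example (not code from the thread) of the measures named in the first tweet: an exact-match Host check, CORP/COOP plus `nosniff` response headers, and a secret first path segment. The port number, the `decide` helper and the JSON bodies are assumptions made for illustration, and nothing here covers the port-binding case in the parenthetical above.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 8731  # constructed port for this example
# Exact Host values a browser sends when the page really targets this service.
ALLOWED_HOSTS = {f"127.0.0.1:{PORT}", f"localhost:{PORT}", f"[::1]:{PORT}"}
# Unguessable first path segment, generated per run and handed only to the
# legitimate local client (how it is handed over is outside this example).
SECRET_SEGMENT = secrets.token_urlsafe(32)

ISOLATION_HEADERS = {
    "Cross-Origin-Resource-Policy": "same-origin",  # CORP
    "Cross-Origin-Opener-Policy": "same-origin",    # COOP
    "X-Content-Type-Options": "nosniff",            # keeps CORB's type check strict
    "Content-Type": "application/json",             # a CORB-protected type
}

def decide(host_header, path):
    """Return (status, headers, body) for one request."""
    # DNS rebinding: the rebound name resolves to 127.0.0.1, but the browser
    # still sends the attacker's hostname in Host, so an exact match rejects it.
    if host_header is None or host_header.strip().lower() not in ALLOWED_HOSTS:
        return 403, ISOLATION_HEADERS, b'{"error":"bad host"}'
    # Compare the first path segment (query string dropped) in constant time.
    segment = path.split("?", 1)[0].lstrip("/").partition("/")[0]
    if not hmac.compare_digest(segment.encode(), SECRET_SEGMENT.encode()):
        return 404, ISOLATION_HEADERS, b'{"error":"not found"}'
    return 200, ISOLATION_HEADERS, b'{"ok":true}'

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = decide(self.headers.get("Host"), self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Bind to loopback only, never 0.0.0.0.
    HTTPServer(("127.0.0.1", PORT), Handler).serve_forever()
```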