Showing posts with label http. Show all posts

2016-05-12

Preventing cross-site request forgery (CSRF)

Since I stumbled over a pretty good introduction to what CSRF is I figured it was worth a few lines.

2015-12-10

Do I need to remove the Server header from my HTTP responses?

You might have heard the recommendation that your web server should not return the Server header, so as not to reveal exactly what software is being used. It even says so in the RFC. Given how hard it was to remove the Server header when using .Net HttpListener, you might wonder what is really the right thing to do here.

2015-11-19

Is logging raw HTTP requests ok?

When you are working on services that need to scale to millions of users you typically come to the conclusion that you will never be able to start a debugger on one of your live services. Instead you need instrumentation (also known as logging, tracing or diagnostics) to make sure you can figure out what went wrong. What I see happening a lot is that developers start logging the raw HTTP request to capture all data. There are several problems with this approach...

2015-11-05

Preventing DoS attacks with puzzles

So when a web service is getting too much traffic it starts returning the 503 status code. Well-written services also return the Retry-After header, hinting to the client when it should come back again. Well-behaved clients then respect that, or back off by themselves to make sure the server is not getting too much traffic. However, this is not enough if there are badly behaved clients in the mix. And how do you identify the badly behaved clients?

2015-08-20

Understanding HTTP Strict Transport Security (HSTS)

I'm not going to explain it all myself since it was explained in an excellent way here. However below is the executive summary.

2015-06-04

Returning 403 or 404 - that is the question

I think it is safe to say that anybody who is serious about security will tell you that security through obscurity is no security. Yet a lot of people think obscuring is a great way to increase security, for example returning 404 rather than 403 from a REST API when the caller does not have rights to retrieve an existing resource.

2013-12-12

429 vs 503

A while back I was involved in a discussion around using 429 instead of 503 in order to tell clients they should back off a little. There are some good arguments for both. Here are my thoughts.