Wednesday, February 28th, 2018 by Helge

Google received 2.4 million requests since 2014 to delete search-engine results under Europe’s “right to be forgotten” (RTBF) rules. European Union citizens currently have the right to ask search engines to remove results that include their names following a landmark decision from the European Court of Justice in 2014. The search giant released an updated version of its annual Transparency Report, which discloses how many and what kind of requests Google has received to delist pages from results and in how many instances the company complied.
According to the report, it looks like the company is being asked to remove plenty of content. From 2014-2017, it received more than 2.4 million requests. ...
Monday, January 22nd, 2018 by Servage

It's easy for service providers to ask their users to use secure passwords. After all, it is the user who is supposed to remember it. Obviously it is better for everyone if secure passwords are used everywhere, but for many people it is an annoyance to use a password like "237IMBd!" instead of "pizza". However, there are plenty of ways to make it easier to remember secure passwords - and some of them even add a little bit of fun to the process ;-) I would like to explain my personal way of generating and using secure passwords as an inspiration to figure out a way that works for you, and moreover, ...
Monday, January 8th, 2018 by Helge
Spectre and Meltdown! These are the names of the two potentially serious security holes in processors that were revealed during the past week. We will start by stating that we can't say with certainty exactly how serious the bugs are (or rather how easy they are to exploit). In any case, this is what we know so far:

The security holes have been traced back to 2011. Initially, only Intel's processors were pointed out (which, of course, was bad enough considering the manufacturer's market dominance), but later this was revised and the problem, at least with Spectre, seems to apply to all major processor manufacturers. Simply described, it's all ...
Thursday, January 4th, 2018 by Helge

Unfortunately it is a fact that security threats are a reality on the Internet! To address these and to make your hosting package even more secure, we have added GeoIP Security to each Servage account. This feature enables you to prevent possible intruders from gaining access to your account based on their geographic location or IP address. You can enable GeoIP Security in the control panel, where you can also specify which countries and IPs are allowed access.
How does this work? Whenever someone tries to log in, the user is checked against our database to determine whether that particular user is allowed to log in from that particular geographic location ...
Wednesday, November 29th, 2017 by Servage

There are many ways to authenticate users in APIs: username and password combinations, OAuth 2 and API keys to name a few. Today we will be having a look at a rather new implementation called JSON Web Token, JWT for short. There are some noteworthy advantages in JWTs that we will be covering as well.
What is a JWT?
A JWT is a way to send and receive data between two parties in a secure way. The data a JWT contains is mostly up to you, although some metadata must be present. JWTs can be used as session tokens to authenticate against an API.
As the name implies, a JWT is JSON and therefore ...
Thursday, July 20th, 2017 by Servage

OAuth is an authorization standard that can be found on websites, APIs, web applications built with React or AngularJS and more. OAuth is often used to let other websites access user information on another website. OAuth can be used for various types of authorization, so let’s see how it works in more detail.
Why OAuth?
As mentioned previously, OAuth gives a website access to a user’s profile information on another website. When you sign up on a website, you have likely seen the option to sign up using your Google, Facebook or other account. In these cases, the signup process is handled by OAuth and your personal information, such as your name and ...
Sunday, July 9th, 2017 by Servage

Cross-origin resource sharing (CORS) is a feature that allows website content, such as external font files, to be requested between different domains. Although it doesn’t sound very obvious, CORS is used on a majority of websites. Let’s have a look into what CORS is all about and when it is used.
Same-Origin Policy
Before talking about CORS itself, let's talk about a related security feature called the same-origin policy. It is a security feature built into web browsers that prevents websites from sending certain types of requests to other websites. For example, www.example.com cannot send a POST request to www.example2.com using AJAX. The reason why this is blocked is because this ...
Thursday, May 11th, 2017 by Servage

Two-factor authentication (2FA) is considered the most secure way to protect online accounts. It protects user accounts with one-time codes that are usually delivered to the user with a 2FA application or text message. Big companies, such as Google, Facebook and Microsoft, already support 2FA, and it continues to gain more support on smaller websites too. This time we will see what it takes to implement two-factor authentication on a website using PHP.
Installing pragmarx/google2fa
To set up two-factor authentication, we will be using a popular Composer package called pragmarx/google2fa. To get started, install the package using Composer: “composer require pragmarx/google2fa”. This requires you to have Composer installed globally as described on www.getcomposer.org.
Updating ...
Sunday, April 9th, 2017 by Servage

Cross-site scripting (XSS) is an attack where a user embeds malicious code as part of a website. This can be done, for instance, by submitting a comment on a blog website. If the comment contains a malicious script, it will be executed in the browser of every visitor who reads the blog article. These attacks are quite common, and there are many varieties of XSS. Let's find out what methods are available to protect web applications from these vulnerabilities.
Escaping User Input
This is arguably the most important thing to do to prevent XSS attacks. On many websites, users are allowed to freely fill out forms that save the input in a database. Let’s consider ...
Thursday, March 2nd, 2017 by Servage

Cross-site request forgery (CSRF) is an exploit that allows a malicious user to send requests on behalf of another user in a web application. Even though protecting applications from CSRF attacks is not very difficult, these vulnerabilities are still fairly common. Now is a perfect moment to learn how to protect your application from such exploits.
How CSRF Works
A cross-site request forgery attack can happen when a user clicks a malicious link in a website or email message. State-changing operations, such as changing a user's password, should be implemented using POST requests. However, this is not always the case, and applications sometimes use GET requests for this type of action. This is ...