To reiterate, you would get this message iff you have the correct
credentials for an end user who is not an admin user. You seem to be
referring to Response Information Discrepancy Information Exposure
(http://cwe.mitre.org/data/definitions/204.html) which is generally
about differentiating
I personally like the idea of a decorator
On Mar 13, 12:30 pm, Ryan N wrote:
> I personally do not believe XFrameOptionsMiddleware should be on by
> default. There are plenty of folks using Django for simple static
> sites or RESTful APIs where clickjacking doesn't
This is awesome - very progressive and I hope other frameworks follow
suit.
Have you done a poll of users to see how many would be affected by a
"SAMEORIGIN" setting? Maybe that would be a good place to start. Is
there some other way to test the overall impact of this prior to
committing to it?
To summarize - if I understand correctly the only way a more specific
error message can result in a problem is the following scenario:
1) An attacker correctly guesses credentials for a user on the admin site
2) The attacker does not try to authenticate with the same credentials on the regular
that brute-force prevention doesn't come out of the box. Does that
sound fair?
On Mar 8, 4:10 am, Michael Radziej <m...@spieleck.de> wrote:
> On Mon, 7 Mar 2011 18:11:19 -0800 (PST), Rohit Sethi <rkli...@gmail.com>
> wrote:
> > Luke, I guess the real question is what's the risk of
here are wrong.
On Mar 7, 6:48 pm, Luke Plant <l.plant...@cantab.net> wrote:
> On 04/03/11 21:56, Rohit Sethi wrote:
>
> > Hi all, I wanted to revisit a key security discussion. Brute force
> > attacks are the 7th most prevalent attack by number of incidents in
>
Ok, we'll go ahead with researching this. Expect to hear back from us
within the next 2-3 weeks (if not this upcoming week).
Thanks,
Rohit
On Mar 5, 8:40 am, Rohit Sethi <rkli...@gmail.com> wrote:
> Hi Russell, here are my thoughts on your points:
>
> 1. I do believe there shou
wrote:
> On Sat, Mar 5, 2011 at 5:56 AM, Rohit Sethi <rkli...@gmail.com> wrote:
> > Hi all, I wanted to revisit a key security discussion. Brute force
> > attacks are the 7th most prevalent attack by number of incidents in
> > the Web Hacking Incidents Database (http://p
Hi all, I wanted to revisit a key security discussion. Brute force
attacks are the 7th most prevalent attack by number of incidents in
the Web Hacking Incidents Database (http://projects.webappsec.org/w/
page/13246995/Web-Hacking-Incident-Database), which tracks publicly
disclosed breaches in web
Hi Jacob, just as an FYI I messaged you last week about this off list
- my email was from my first name @securitycompass.com. Just wanted to
make sure you got it.
Thanks,
Rohit
On Feb 24, 6:55 am, Jacob Kaplan-Moss wrote:
> Hi Rohit --
>
> I had a skim of the document, too,
tail you've gathered on any individual item if I so choose.
>
> Either way, thank you for providing an interesting resource.
>
> All the best,
>
> - Gabriel Hurley
>
> On Feb 21, 5:09 pm, Rohit Sethi <rkli...@gmail.com> wrote:
russ...@keith-magee.com>
wrote:
> On Mon, Feb 21, 2011 at 11:21 PM, Rohit Sethi <rkli...@gmail.com> wrote:
> > Django devs, I wanted to thank you for a truly awesome framework.
> > Programming with Python, and web app dev in Django, is truly a
> > pleasure. Our c
One more point - if any of you have questions for somebody who lives
and breathes web application security every day, please feel free to
fire them off to me:
rohit at securitycompass.com
On Feb 21, 10:21 am, Rohit Sethi <rkli...@gmail.com> wrote:
> Django devs, I wanted to
.
Thanks in advance,
Rohit Sethi
@rksethi