http – Does it need to be tested whether there are security headers in the API response in JavaScript code?

I've found in one of the client-side libraries that it checks to see if the answer contains all the following headers with appropriate values (for security reasons):

'content-type', 'application/json'
'content-type', 'charset=utf-8'
'X-Content-Type-Options', 'nosniff'
'content-disposition', 'attachment'
'X-Frame-Options', 'DENY'

If a header does not exist, the library will throw an exception.

I can see no reason how checking this in client-side libraries can improve security.

Does anyone have any idea if this makes sense or does not make sense?

P.S. This is not about whether these headers should be set by the server.

P.P.S. I've found this out because, for some reason, even if the header is present, I can see in logs that sometimes this exception is thrown for the X-... headers. I do not really know why, but I suppose either proxies remove the headers or some browsers, for some reason, do not return them in JS. I would be happy to hear why, if someone knows the reason.
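
Added example (not part of the question and not the library's code): a model of one way the check can fail even though the server sends every header. It assumes the API is called cross-origin, where browsers expose only the CORS-safelisted response headers to script unless `Access-Control-Expose-Headers` names the others; the function names and the sample headers are constructed for illustration.

```javascript
// Required [header name, substring of value] pairs, as listed in the question.
const REQUIRED = [
  ['content-type', 'application/json'],
  ['content-type', 'charset=utf-8'],
  ['x-content-type-options', 'nosniff'],
  ['content-disposition', 'attachment'],
  ['x-frame-options', 'deny'],
];

// Response headers that browsers expose to script on any cross-origin response.
const CORS_SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);

// Header names are case-insensitive, so index them in lower case.
function normalise(headers) {
  return new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

// Model of what cross-origin script can read: safelisted headers plus those named
// in Access-Control-Expose-Headers (the "*" wildcard is not modelled here).
function visibleToScript(serverHeaders) {
  const all = normalise(serverHeaders);
  const exposed = (all.get('access-control-expose-headers') || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowed = new Set([...CORS_SAFELISTED, ...exposed]);
  return new Map([...all].filter(([name]) => allowed.has(name)));
}

// Returns the required pairs that are absent from the given header map.
function missingHeaders(headerMap) {
  return REQUIRED
    .filter(([name, want]) => !(headerMap.get(name) || '').toLowerCase().includes(want))
    .map(([name, want]) => `${name}: ${want}`);
}

// Constructed sample: what a server might put on the wire.
const sent = {
  'Content-Type': 'application/json; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
  'Content-Disposition': 'attachment; filename="data.json"',
  'X-Frame-Options': 'DENY',
};

console.log(missingHeaders(normalise(sent)));        // headers as sent on the wire
console.log(missingHeaders(visibleToScript(sent)));  // headers as cross-origin script sees them
```
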

nginx – how to send traffic from the VPN to the HTTP server

Hello, I have a site-to-site VPN. I need to configure an HTTP proxy so that when Client A sends traffic to Server B over the VPN, Server B sends that request to another API and sends the result to the client.

Client A =====> VPN =====> ServerB ==== WAN ===== (server has this in the WAN API)
I would connect Server B to our API and send the answer to Client A.

I'm trying Nginx, but Client A cannot reach the API server.
This is my configuration:
location /api/v1/ {
    proxy_redirect http://api.XX/ /api/v1/;
    #proxy_set_header Host $http_host;
}

Thanks in advance.

google analytics – Dropping reference data due to HTTP, changed to HTTPS, no recovery reference data since (last year)

We changed our website from HTTP to HTTPS about a year ago.

We have a static website with no user input capabilities. That's why we used Google Analytics to retrieve a lot of reference data a few years ago, and it was not considered necessary to upgrade to HTTPS earlier. However, Google Analytics noticed that more and more traffic was listed as "direct". We assumed that was because the sites that we were pointing to were also upgraded to HTTPS.

Since the change, NO restoration of Google Analytics reference data has been detected.

I wonder if this is because older backlinks to our website point to the HTTP version and not to the HTTPS version, even though we're between them.

Would that be the case, and if so, could we fix the problem to get more referral data?

HTTP Status:

I get a lot of HTTP status: 400.501.0.502.503 No engine matches.
Let me know what the real problem is, how to fix it.
But all links that show this problem work live …

Network – How do I mimic an HTTP POST request?

I want to impersonate an HTTP POST request that I intercepted and saved to a file. How can I best send it and be sure that I have sent exactly the same request?

Example file: (private data obviously edited)

POST /mobile/testAPN.ashx HTTP/1.1
Connection: close
User-Agent: (REDACTED)
Cache-Control: no-cache
Pragma: no-cache
Accept: */*
Accept-Encoding: identity
X-Protocol: 2
X-Handset_Platform: ANDROID
X-VAYO-ID: 1
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 3
Host: (REDACTED)


Javascript – What is the cause of an HTTP 413 error with Drupal 8?

I have a Drupal 8 site with the following modules:

If I am an anonymous user, the preview of the image will be displayed.

If I am an authenticated user, the preview of the image will not be displayed and the console will contain errors.

A few weeks ago there were no errors. Why are there these errors, and how can I fix them?


Which HTTP code has a higher priority: 403 or 415?

Consider the following scenario. I need to access a resource hosted on Server X. I would like to receive this resource in a format Y. Therefore, I send the Accept: Y header along with my request. Unfortunately, X does not support Y, and I cannot access the resource on X either. I have supplied a valid Authorization header.

How should X answer? With a 415, telling me that it cannot speak to me in the desired format, or with a 403 (with a body that I probably cannot read, because the body parser I use only supports the Y format)?

python – Error requesting HTTP Twitter – WinError 10060

I'm having trouble reading the Twitter API. I make the request from Jupyter.


import oauth2
import requests

consumer_key = 'xxxxxx'
consumer_secret = 'xxxxxx'

token_key = 'xxxxxx'
token_secret = 'xxxxxx'

consumer = oauth2.Consumer(consumer_key, consumer_secret)
token = oauth2.Token(token_key, token_secret)
cliente = oauth2.Client(consumer, token)

req = cliente.request('')


I get the error:

TimeoutError: (WinError 10060) Uma tentativa de conexão falhou porque o componente conectado não respondeu corretamente após um período de tempo ou a conexão estabelecida falhou porque o host conectado não respondeu