security

Block unwanted use of json API

為{幸葍}努か submitted on 2020-01-03 04:51:46
Question: I have a website where you can request data using AJAX from our servers as JSON (only to be used on our site). Now I found that people have started using our requests to get data from our system. Is there a way to block users from using our public JSON API? Ideas that I have been thinking about are: some kind of checksum; a session-unique JavaScript value on the page that has to match server-side; some kind of rolling password with 1000 different valid values. All these are not 100% safe but make it
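The second idea in the question (a session-unique value embedded in the page that the server re-checks on every AJAX call) can be built without storing anything extra server-side by deriving the value with an HMAC over the session id and an issue time. The code below is an added example, not code from the question or its answers; the function names, the X-Page-Token header, the TOKEN_TTL of 300 seconds and the server secret are all assumptions made for the illustration.

```python
"""Session-bound, expiring page tokens for a same-site JSON endpoint.

Added example, not from the original question.  The server mints a token
into the rendered page; the page's own JavaScript sends it back with every
AJAX call; the server re-derives it from the caller's session and refuses
anything stale or belonging to another session.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed demo secret: in a real deployment load it from configuration
# and never emit it to the client.
SERVER_SECRET = b"constructed-demo-secret-rotate-me"
TOKEN_TTL = 300  # seconds a page token stays valid (assumed value)


def issue_page_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint the value embedded into the page: '<issued_at>.<hex hmac>'.

    The MAC binds the timestamp to the session, so a token copied out of one
    user's page is useless in another session and expires after TOKEN_TTL.
    """
    issued_at = int(now if now is not None else time.time())
    msg = f"{session_id}:{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_page_token(token: str, session_id: str, now: Optional[float] = None) -> bool:
    """Check a presented token against the caller's session, with a time window."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if not 0 <= current - issued_at <= TOKEN_TTL:
        return False
    msg = f"{session_id}:{issued_at}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(mac, expected)


def handle_json_request(headers: dict, session_id: str, now: Optional[float] = None) -> Tuple[int, str]:
    """Minimal gate in front of the JSON endpoint.

    Two checks: the X-Requested-With header that XHR libraries set (plain
    scripts and curl omit it unless the caller adds it deliberately) and the
    session-bound token.  Neither stops someone who drives a real browser
    session with our own JavaScript, which is the 'not 100% safe' caveat.
    """
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, "not an XHR call"
    token = headers.get("X-Page-Token", "")
    if not verify_page_token(token, session_id, now):
        return 403, "missing, stale or foreign page token"
    return 200, '{"data": "ok"}'
```

The checksum and rolling-password ideas from the question reduce to the same thing: a value the server can recompute and the scraper cannot. Whatever the client-side script can compute, a scraper can replay, so the value has to come from the server and be tied to something the scraper does not hold (here, the session).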

Restrict Certain Java Code in a Plug-in

杀马特。学长 韩版系。学妹 submitted on 2020-01-03 04:44:08
Question: I am creating an application which uses the Java Plugin Framework to load plug-ins and integrate them into the program. My question is: is there any way to restrict certain operations (such as starting a new process) in the plug-ins? What I have in mind is something like Java Web Start, i.e. when the application wants to access the file system, the user is prompted whether or not to allow the action. I was thinking of maybe creating a security manager and, if so, how can I do that? Answer 1: I suggest

How to verify Signature Value using cert file in C#?

本秂侑毒 submitted on 2020-01-03 04:16:13
Question: I am a noob at security, sorry for that. I have an XML file which includes: <?xml version="1.0" encoding="UTF-8" standalone="no"?> <ID_VG_Response> <Result> <SubjectDN>CN="XX", SERIALNUMBER=XX/XX, C=IN</SubjectDN> <UserIDN>XX</UserIDN> <CardNumber>XX</CardNumber> <TransactionType>XX</TransactionType> <Status>Success</Status> </Result> <Validity>180</Validity> <SignatureTime> <date>20150726</date> <time>15:01:51:927</time> </SignatureTime> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">

How apache calls/invokes the appropriate handler/interpreter?

社会主义新天地 submitted on 2020-01-03 04:14:13
Question: First of all, sorry if the question is unclear due to my poor knowledge. I'm interested to know how Apache calls the appropriate engine/invoker to serve a request. Suppose a user requests http://somesite.com/someurl.php - now how does Apache determine that it needs to launch the PHP interpreter? Does Apache determine so based on the file extension/MIME type or anything else? What I know is: I can configure Apache to invoke certain interpreters based on the file's extension, by something like:

How should I create embed code to display my photos on someone else's website?

久未见 submitted on 2020-01-03 03:27:20
Question: I have many photos already stored on my website and I want to allow other people to publish any of these photos on their own websites. What I'm trying to do is create embed code for each photo to allow third parties to publish a photo within an iframe (I'm using PHP). It's just like what Getty Images have done here - allowing others to embed their photos. Getty's embed code uses an iframe with the source to the image/webpage being something like this: src="//embed.gettyimages.com/embed

How to keep state at the client SAFELY?

邮差的信 submitted on 2020-01-03 03:17:07
Question: Following this question: Can a cookie that was generated with JavaScript (not sent in the header by the server) be stolen / used by an attacker? This is driving me crazy. How can one ever keep state at the client using an FB access token? One should use it to access resources on one's own server, and also from the FB server. Assuming that one uses a JS framework (Backbone / Marionette) and REST authentication. It cannot be encrypted as such, and yet there is no other way than to use a cookie

Is it safe to pass a JWT in URLs to authenticate users?

空扰寡人 submitted on 2020-01-03 03:08:27
Question: My current architecture is based on LDAP + JSON Web Token authentication, and I'm passing the token via the URL this way: https://myHostApp?jwt={myToken} Is it safe to proceed this way, or should I pass the tokens another way? Assuming also that SSL is enabled. Answer 1: I disagree with the accepted answer. It is right to say that the use of HTTPS will prevent data leaks. However, there are a lot of attacks that are achievable if tokens are set in the query string. For example: Using the browser
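TLS protects the query string on the wire, but not where it lands afterwards: browser history, proxy and server access logs, and the Referer header of any outbound link on the page. The example below is added here and is not code from the thread; it shows a server that accepts the token only from the Authorization header, refuses it in the query string, and scrubs token-bearing URLs out of access logs as defence in depth. The function names, the parameter list TOKEN_PARAMS and the log lines are all constructed for the illustration.

```python
"""Take a JWT from the Authorization header, never from the URL.

Added example, not from the original question or answers.  The sample
access-log lines below are constructed to show what the asker's
https://myHostApp?jwt={myToken} scheme writes to disk on every request.
"""
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Query parameter names that must never carry a credential (assumed list).
TOKEN_PARAMS = {"jwt", "token", "access_token"}


def extract_token(headers: dict, query_string: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (token, error).  Only 'Authorization: Bearer <jwt>' is accepted.

    A token in the query string is refused rather than honoured: by the time
    it reaches us it is already in the browser history, in every proxy and
    server log on the path, and in the Referer sent to any site linked from
    the page.  Refusing it makes the leak show up as a 401 during testing
    instead of silently working in production.
    """
    qs = parse_qs(query_string)
    if TOKEN_PARAMS & qs.keys():
        return None, "token must be sent in the Authorization header, not the URL"
    auth = headers.get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme != "Bearer" or not value.strip():
        return None, "missing bearer token"
    return value.strip(), None


def redact_token_params(url: str) -> str:
    """Blank any token-carrying query parameter before a URL is logged."""
    parts = urlsplit(url)
    pairs = parse_qs(parts.query, keep_blank_values=True)
    for name in TOKEN_PARAMS & pairs.keys():
        pairs[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(pairs, doseq=True)))


# Constructed common-log-format lines; the first one carries a JWT in the URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jan/2020:03:08:27 +0000] "GET /?jwt=eyJhbGciOiJIUzI1NiJ9.e30.abc HTTP/1.1" 200 512',
    '10.0.0.6 - - [03/Jan/2020:03:08:28 +0000] "GET /profile HTTP/1.1" 200 1024',
]

_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)"')


def scrub_log_line(line: str) -> str:
    """Rewrite the request target of one log line so stored logs hold no token."""
    def _sub(m: "re.Match") -> str:
        return '"%s %s %s"' % (m.group("method"), redact_token_params(m.group("path")), m.group("proto"))
    return _REQ_RE.sub(_sub, line)
```

The scrubber is a mitigation for logs you control; it does nothing for the browser history or for third-party Referer logs, which is why moving the token into the header is the actual fix and the log scrubbing is only a backstop.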

How to refer back to public_html root file using include after going up one file directory out of public_html

痞子三分冷 submitted on 2020-01-03 03:05:29
Question: Based on some exceptionally helpful tips, I am using the following code to include PHP files outside my root directory, which looks similar to this: define('WEB_ROOT', __DIR__); define('APP_ROOT', dirname(__DIR__)); define('PHP_ROOT', APP_ROOT . DIRECTORY_SEPARATOR . 'application'); include(PHP_ROOT . DIRECTORY_SEPARATOR . 'bootstrap.php'); My question is this: let's say for example you include the code bootstrap.php as per what you have above. What if that PHP file bootstrap then had its own

Managing user-uploaded files with an ASP.NET website and Visual Studio

一笑奈何 submitted on 2020-01-03 02:48:48
Question: I know that somewhere in the history of the internet this must have been asked somewhere, but I just can't seem to nail down the right terminology to get the answer I need. This question comes close: What is the best way to store user uploaded files in a website? But I need a little bit more detail. Basically, how are you supposed to effectively manage files that users have uploaded, such as a profile picture? What I want to know are some "best practices" regarding WHERE to make the directory

Symfony2 Secure by IP not working

隐身守侯 submitted on 2020-01-03 02:40:14
Question: In my Symfony 2.3.1 security YML, I have this line. security.yml access_control: - { path: ^/mysecurearea, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 0.0.0.0 } Based on this: http://symfony.com/doc/current/book/security.html I was under the impression that this route and routes like it, e.g. /mysecurearea/something, should only be accessible to a request from IP 0.0.0.0. Problem is, I can still access it. Any ideas? Answer 1: So, all I wanted to do was stop people from accessing an area, unless they had
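The rule in the question does not do what the asker expects because Symfony evaluates access_control rules top to bottom, applies only the first one whose path and ip both match, and allows any request that matches no rule at all. A single rule restricted to ip: 0.0.0.0 therefore matches no real client, so every request falls through and is allowed. The fragment below is an added example, not the asker's configuration or the accepted answer; 127.0.0.1 stands in for whatever address is meant to be allowed, and the role name ROLE_NO_ACCESS is simply a role that no user is ever granted.

```yaml
# As asked: allows anonymous access from 0.0.0.0 and says nothing about
# any other client, so everyone else is allowed by default.
security:
    access_control:
        - { path: ^/mysecurearea, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 0.0.0.0 }
---
# Corrected: first rule admits the intended address (127.0.0.1 assumed),
# second rule catches the same path for every other client and demands a
# role nobody holds, which yields 403 instead of a fall-through allow.
security:
    access_control:
        - { path: ^/mysecurearea, roles: IS_AUTHENTICATED_ANONYMOUSLY, ip: 127.0.0.1 }
        - { path: ^/mysecurearea, roles: ROLE_NO_ACCESS }
```

One further check before relying on this: the ip option compares against the client address Symfony sees. Behind a reverse proxy or load balancer that is the proxy's address unless the proxy is listed in the framework's trusted_proxies setting, in which case the X-Forwarded-For value is used; without that, an IP allow-list either blocks everyone or, if the proxy's own address is listed, admits everyone coming through it.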