security

ASP.NET MVC - Check if request comes from another action

…衆ロ難τιáo~ submitted on 2019-12-24 01:24:20
Question: Is there a simple way to check if a request comes from an action inside my app? I'm building the email confirmation page on a site I'm working on, and I'd like to show different texts on different request origins. If a user comes from another action (e.g. the register action) in my app, then I simply want to show a text saying something like: "Thanks for registering on x, please confirm your account with the given link in the email you got from us.." If a user comes outside of my app, then he

Does HTTP redirect to HTTPS Risk Capture of Password?

余生颓废 submitted on 2019-12-24 01:23:48
Question: I have an http-https redirect configuration set up in NGINX:

    server {
        listen 80;
        server_name localhost;
        return 301 https://$server_name$request_uri;
    }

My question is: Is there at any point, from the user initially accessing the login page of my application to POSTing his username+password, a time when the credentials are going clear over HTTP before being redirected to HTTPS?

Answer 1: It depends on your login form somewhat (it should always post to the https url only), but based on this info, I

ASP.NET MVC - Check if request comes from another action

我是研究僧i submitted on 2019-12-24 01:21:41
Question: Is there a simple way to check if a request comes from an action inside my app? I'm building the email confirmation page on a site I'm working on, and I'd like to show different texts on different request origins. If a user comes from another action (e.g. the register action) in my app, then I simply want to show a text saying something like: "Thanks for registering on x, please confirm your account with the given link in the email you got from us.." If a user comes outside of my app, then he

GAE authenticate to a 3rd party site

孤者浪人 submitted on 2019-12-24 01:18:36
Question: I need to authenticate securely to a third party site for an SSL REST API call. I have the API call part working but I want to save the third party credentials in my app engine datastore, or maybe somewhere else? I have no idea how I'm supposed to do this. The SSL call looks like:

    credentials = base64.encodestring('%s:%s' % (username, password))[:-1]
    request = urllib2.Request(accounts_url)
    request.add_header("User-Agent", user_agent)
    request.add_header("Authorization", "Basic %s" % credentials)

Is OAuth more secure than Basic Auth for server to server communication

一世执手 submitted on 2019-12-24 01:15:58
Question: Is OAuth more secure than Basic Auth through HTTPS for server to server dialog? I mean, if I want to do some API request from server A to server B with OAuth, I have to store some auth data (key, secret, etc.) on server A. Then using these auth data, I can have a token and make requests with this token to server B. And using the same auth data later, I will have a token key and will be able to make request with this fresh token. With Basic Auth, I have some auth data (user, password) on

CryptographicException: Access denied - How to give access on User store?

余生颓废 submitted on 2019-12-24 01:08:29
Question: I am trying to load a certificate from a pfx file in a WPF application and it gives me an access denied error.

    using (FileStream stream = System.IO.File.OpenRead(certificatePath))
    {
        using (BinaryReader reader = new BinaryReader(stream))
        {
            buffer = reader.ReadBytes((int)stream.Length);
        }
    }
    X509Certificate2 certificate = new X509Certificate2(buffer, password);

    System.Security.Cryptography.CryptographicException: Access denied.
       at System.Security.Cryptography.CryptographicException

Javascript file for single domain

六眼飞鱼酱① submitted on 2019-12-24 01:05:14
Question: How can I make a JavaScript file only work on a single domain? I'll compress this file and when somebody tries to use it by copying my web site or just the JavaScript file, it won't work and give alert. Here is an example. I downloaded all files but when try to view it gives an alert that says I need to buy it (what exactly I'm going to do :)

Answer 1: You can't really do this. You could put something at the beginning of your code like this:

    if (window.location.href.substring(0, 18) != "http:/

Weird problem using sun.security.pkcs11.SunPKCS11: The specified procedure could not be found?

。_饼干妹妹 submitted on 2019-12-24 01:04:04
Question: I'm developing this application to be used specifically with Firefox (it's for internal use). Basically, we're using the sun.security stuff to read Firefox's KeyStore and sign data with the certs we get. I've tested this on several machines and the results are varying, I can't seem to pinpoint the reason. I've tested it on the latest Ubuntu release, Firefox 3.6.13, using Java version 1.6.0_22, it works there. I also have a Windows XP laptop with the same Firefox version using Java version 1

How to programmatically sandbox a process using .NET

冷暖自知 submitted on 2019-12-24 00:59:04
Question: I plan to design a system that will essentially allow users to run scripted code like PHP, Ruby, etc. on my machines. I would like to sandbox them from accessing critical aspects of the machines. What .NET APIs could be used for this? I plan to create a sub-process from a main process and would like to sandbox the sub-process programmatically from the main one. Thanks.

Answer 1: Designing a (user-mode) sandbox is a difficult challenge that requires in-depth knowledge of the underlying operating

Giving upload folder these permissions safe or not?

随声附和 submitted on 2019-12-24 00:58:09
Question: I have a classifieds website with a picture script for uploading pics onto the ads. The pics are uploaded to the "images" dir. The PHP code which does this requires write access to the directory I am guessing... So, what permissions would you set to the PHP upload file, and the images directory? I am thinking like this: drwxr-xr-x Safe/good or not? Thanks. ALSO, another short Q: Should I have my website's files owned by the username I have, or should I keep them owned by root?

Answer 1: drw-r--r--