security

Flex and crossdomain.xml

核能气质少年 submitted on 2019-12-23 08:46:55
Question: I was wondering are there any security concerns with adding crossdomain.xml to the root of an application server? Can it be added to any other parts of the server and are you aware of any workarounds that don't require the server to have this file in place? Thanks Damien

Answer 1: By adding the crossdomain.xml, the main security concern is that Flash applications can now connect to your server. So if someone logs into your site, and then browses over to another website with a malicious Flash app,

What makes the FederatedAuthentication.SessionAuthenticationModule return NULL?

ぐ巨炮叔叔 submitted on 2019-12-23 08:46:34
Question: I'm not sure why but my FederatedAuthentication.SessionAuthenticationModule is resolving as NULL and crashing my app when I try to run my ClaimsTransformer() module: public void EstablishSession(ClaimsPrincipal principal) { var sessionToken = new SessionSecurityToken(principal, TimeSpan.FromHours(8)) { IsPersistent = false, // make persistent IsReferenceMode = true // cache on server }; FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken); //

How to determine the Security Patch Level of an Android device?

本秂侑毒 submitted on 2019-12-23 08:31:36
Question: How can I determine the security patch level of an Android device using an API or other mechanism? I'm looking for the same security patch information that can be found manually by clicking the Settings -> About menu on the device. Google issues security patches every month, for example 2016-12-01.

Answer 1: In Android SDK 23 (Marshmallow) and later, you can retrieve the security patch date from android.os.Build.VERSION.SECURITY_PATCH. The date is a string value in YYYY-MM-DD form. In Lollipop,

How to determine the Security Patch Level of an Android device?

北战南征 submitted on 2019-12-23 08:31:11
Question: How can I determine the security patch level of an Android device using an API or other mechanism? I'm looking for the same security patch information that can be found manually by clicking the Settings -> About menu on the device. Google issues security patches every month, for example 2016-12-01.

Answer 1: In Android SDK 23 (Marshmallow) and later, you can retrieve the security patch date from android.os.Build.VERSION.SECURITY_PATCH. The date is a string value in YYYY-MM-DD form. In Lollipop,

Azure SQL Server security

对着背影说爱祢 submitted on 2019-12-23 08:16:06
Question: When you're creating an SQL server on Azure, there is the option to "ALLOW WINDOWS AZURE SERVICES TO ACCESS THE SERVER." Does this mean that some other application (other than my own applications) hosted on Azure, like a website, can access my SQL server? There is username password, of course, but I'm afraid they can be brute forced. Is this a legitimate concern?

Answer 1: Yes, "Allow access to Azure services" is a shortcut that allows any Azure-hosted service through the firewall (though the

In Travis Public Repository how to add a Secure variable that works on Pull requests too

六月ゝ 毕业季﹏ submitted on 2019-12-23 08:04:32
Question: I have Travis-ci on a public repository. After finishing the execution it generates an image that I want to upload to cloudinary.com, but it could be any other service. The problem is that to do it, I need to add in .travis.yml the auth token. But I don't want to expose it publicly, and for that Travis offers a way to secure Env variables: http://docs.travis-ci.com/user/environment-variables/#Secure-Variables. However they do not work on PULL requests: Secure Env variables are not available on

In Travis Public Repository how to add a Secure variable that works on Pull requests too

给你一囗甜甜゛ submitted on 2019-12-23 08:04:04
Question: I have Travis-ci on a public repository. After finishing the execution it generates an image that I want to upload to cloudinary.com, but it could be any other service. The problem is that to do it, I need to add in .travis.yml the auth token. But I don't want to expose it publicly, and for that Travis offers a way to secure Env variables: http://docs.travis-ci.com/user/environment-variables/#Secure-Variables. However they do not work on PULL requests: Secure Env variables are not available on

Security implications of Clojure keyword creation from user data?

不打扰是莪最后的温柔 submitted on 2019-12-23 07:57:26
Question: Suppose that I take a user-supplied string, userstring, and call (keyword userstring) on it. Are there any security concerns about doing this? And if so, what would be the best way to mitigate them?

Answer 1: Per http://clojure.org/reader, there are rules for which characters are valid in symbols and keywords. (For now, alphanumeric characters and *, +, !, -, _, and ?.) You should never create a symbol containing any other characters. However, right now, these rules are completely unenforced

Should APNS Tokens be encrypted?

人盡茶涼 submitted on 2019-12-23 07:56:04
Question: So, I was wondering, since users send their APNS tokens to the APNS provider in order to receive push notifications, should the tokens be encrypted? Is SSL necessary? From what I figure is that there is no real sensitive data in the token. If someone actually managed to sniff the token from a user, he still would have to obtain my push certificate. And if he managed to do that (he won't ;-)) all he could do is send spam notifications to this particular user. Is that correct? Or did I miss

Should APNS Tokens be encrypted?

自作多情 submitted on 2019-12-23 07:52:44
Question: So, I was wondering, since users send their APNS tokens to the APNS provider in order to receive push notifications, should the tokens be encrypted? Is SSL necessary? From what I figure is that there is no real sensitive data in the token. If someone actually managed to sniff the token from a user, he still would have to obtain my push certificate. And if he managed to do that (he won't ;-)) all he could do is send spam notifications to this particular user. Is that correct? Or did I miss