security

Which request headers can be used for a browser/client fingerprint?

限于喜欢 submitted on 2021-01-02 20:06:58
Question: For added security our server keeps track of the browser fingerprint. At the moment we use the following headers: 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR' (take the first non-empty as the client IP), HTTP_ACCEPTxxxx, HTTP_USER_AGENT. Are there any more (optional) headers that can be used? What in general is the best 'algorithm' to calculate the client fingerprint? Answer 1: you can use a unique

AndroidX Security EncryptedSharedPreferences v1.1.0 /w API 21 issue

筅森魡賤 submitted on 2021-01-02 05:42:07
Question: I decided to use the new EncryptedSharedPreferences from the AndroidX Security library. Since the app is supporting API 21 and higher, I decided to try out this new v1.1.0-alpha02 version, since it supports API 21+. So, I succeeded in making the implementation for API 23+, but for older versions where Android KeyStore is not supported, I couldn't make it right, and there are no exact instructions on how the master key should be created to make it work somehow. The code for initializing SharedPrefs:

vue-CLI outputting very concerning error (security question)

允我心安 submitted on 2020-12-31 06:43:30
Question: I'm building an application with Vue.js. Suddenly, vue-cli has begun outputting errors that have me concerned that perhaps one or more of my dependencies has something nefarious in it. When I run npm run serve (vue-cli serve), the command succeeds, but outputs several lines of error messages like the following: (node:366423) UnhandledPromiseRejectionWarning: Error: ENOENT: no such file or directory, stat '/initrd.img' It also fails to stat /home/jordan/.steampath, /initrd.img.old, /vmlinuz

How to access an insecure websocket from a secure website?

元气小坏坏 submitted on 2020-12-31 06:25:26
Question: TL;DR: A website is served over HTTPS and needs to access a WebSockets server over an unencrypted channel (ws:// url). The browser doesn't like this. Encrypting the websocket is possible, but inconvenient - there is no trusted authority which could sign the certificate and thus it would need to be manually installed for every client. I'd like to leave that as the last resort. The website must be served over HTTPS and cannot be downgraded to HTTP. Is there any other way to bypass this

Is there any way to make user uploaded SVG images safe from code injection etc?

﹥>﹥吖頭↗ submitted on 2020-12-30 08:26:22
Question: I want to display user uploaded SVG images on a website, but they're quite open to exploits:
https://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload
https://security.stackexchange.com/questions/36447/img-tag-vulnerability
For example, arbitrary javascript can be embedded in SVG. There are also issues with performance exploits, but I'd consider those lower priority. Is there any mechanism to make SVG somewhat safe and only use it as an image? Can I
