security

How do I secure a REST-API?

Submitted by 雨燕双飞 on 2020-06-27 15:49:11
Question: I've set up an API with authentication, but I want to only allow certain applications and websites to access it. What do I do? I've got authentication set up so that only users who are logged in can access the API; however, how do I prevent them from just logging in from anywhere? Answer 1: Before I address your question, I think it is important that we first clear up a common misconception among developers regarding WHO and WHAT is accessing an API. THE DIFFERENCE BETWEEN WHO AND WHAT IS

How does npm audit work?

Submitted by 孤街浪徒 on 2020-06-27 10:57:45
Question: I'm trying to understand how the npm audit command works. By which algorithm does it determine that there is a problem and, most importantly, how does it differentiate the levels low / moderate / high / critical? Answer 1: There is no algorithm. Only people. What npm audit does is look at which packages you are using and which versions, and compare them to npm's vulnerability database. Here's the web interface to that database: https://www.npmjs.com/advisories If you click on any of the "problems" you will see 3

Proxy Security Service for Web Service requiring Uname/Password in the Request

Submitted by 限于喜欢 on 2020-06-27 08:45:53
Question: We have a vendor-supplied solution that requires a username and password to utilize their APIs exposed as a web service. They are to be included in the actual XML of the call. We obviously don't like that. Does anyone know of any product, system, whatever, that we can have calling systems authenticate to with token-based security, which would then inject the username and password and forward the request in a secure zone accessible by the product but not by the outside callers, and of course return

Is there a way using Paramiko and Python to get the banner of the SSH server you connected to?

Submitted by 谁说我不能喝 on 2020-06-25 21:44:46
Question: Is there a way using Paramiko and Python to get the banner of the SSH server you attempt to connect to? I am dealing with an ultra-secure server setup process for many machines, and the passwords are generated via a predefined cipher key which gets printed out with the SSH banner. I have access to the utility that will give me the password, but I need the text in the banner to actually generate the initial password. Answer 1: Looks like this wasn't a feature. Good thing I requested it and the

Django/Auth: Can request.user be exploited and point to other user?

Submitted by ぃ、小莉子 on 2020-06-25 18:09:25
Question: Let's say I have a form that does something in the database and requires user authentication, and it has been sent by POST. Is it possible for someone evil to change the user inside the request in order to exploit the system? The following example creates an item in the database but requires a logged-in user. Can someone send another user's data in request.user? from django.shortcuts import render, redirect from django.contrib.auth.decorators import login_required from items_core.models import Item from items

What is the most secure way to store keys in React Native?

Submitted by 霸气de小男生 on 2020-06-24 15:56:07
Question: Thanks for your help in advance. I'm using React Native and Node.js to deliver a product for my company. I've set up the steps on the backend to retrieve a password, validate it and respond with a token. The only problem is that the password I use on the front end (mobile app) to be validated by the back end is hardcoded. My question is: how should I securely store this password on the mobile app so that it cannot be sniffed out by a hacker and used to compromise the backend? My research so far.

How secure is storing data with localStorage?

Submitted by 北战南征 on 2020-06-24 08:19:08
Question: My app requires login, and I have a "Remember username and password" ability. The username and password are then stored with localStorage.setItem('username', username); How secure is this way of storing the username and password? What I'm worried about, especially on Android, is whether other apps have access to the data and can fetch the login info. The app is for iOS and Android, and I'm using PhoneGap 2.9. Answer 1: LocalStorage is under normal circumstances only accessible by your app. It is as secure

How safe is JWT?

Submitted by 一曲冷凌霜 on 2020-06-24 08:02:28
Question: I am learning about JWT for the security of my project, but I have a question. If I receive the token correctly after I log in, but someone else (a hacker) somewhere else steals this specific token, can he access my session? Is the server that uses JWT authentication able to detect this and protect me? How? Answer 1: Only the server should know the "secret" that is used to generate the JWT. If someone modifies the data contained in the JWT, the server will fail to decode it. So the server

Security in an R Shiny Application

Submitted by 爱⌒轻易说出口 on 2020-06-23 21:13:26
Question: I want to publish an R Shiny web application (http://www.rstudio.com/shiny/) on the web, but I want to password-protect it so that only people with credentials can view what I have published. What is the best way to do this? Answer 1: This might be a little late, but I am going to answer anyway. If you have already got a solution, can you please share it with us? My primary aim was very simple. I had a working version of the Shiny app on my laptop. I used to run it as mentioned below, all the while