security

How to secure REST API from replay attacks with parameter manipulation?

旧城冷巷雨未停 submitted on 2020-06-23 14:25:08
Question: I am developing secure payment APIs, and I want to avoid replay attacks with manipulation of the parameters in the URL. For example, in the following API call: https://api.payment.com/wallet/transfer?from_account=123&to_account=456&amount=100 Once this API call is executed, someone with enough knowledge can execute the same API call by modifying any of the three parameters to his/her own advantage. I have thought of issuing a temporary token (transaction token) for each transaction. But this

How to Override Content-Security-Policy of Site A while using nginx proxy_pass on Site B for serving content?

别等时光非礼了梦想. submitted on 2020-06-23 07:38:10
Question: Is there a way to override the Content-Security-Policy set by the domain/site A while I am using nginx proxy_pass on site B? Site A defined a Content-Security-Policy on their domain. Site B acts as a reverse proxy for site A. How can I override the Content-Security-Policy while serving content from site B? How can I achieve this in nginx proxy_pass? My current nginx server block looks like this: server { server_name proxy-domain.com.; location / { proxy_pass http://www.target-site.com/; proxy_set_header

Why are cross origin workers blocked and why is the workaround ok?

你离开我真会死。 submitted on 2020-06-23 03:53:11
Question: Recently I worked on a library that supports using workers for some heavy lifting. I found out that, at least on most online code editors (snippets/jsfiddle/codepen/glitch), I can't seem to load a worker from another domain. I get a security error (or in Firefox a silent failure): function startWorker(url) { try { const worker = new Worker(url); console.log('started worker'); worker.onmessage = e => log('black', e.data); worker.postMessage('Hi from page'); } catch (e) { console.error('could not

How can I customize the Cryptographic Service Provider (Base CSP) in the Smart card subsystem architecture

爷,独闯天下 submitted on 2020-06-17 15:46:51
Question: From the Microsoft documentation, in steps 6 and 7 (Kerberos SSP <-> CSP or Base CSP): In essence, it exchanges a copy of the X.509 certificate (from a smart card) in the pre-authentication data field of the request and is signed by the private key. I wonder if there is any method to customize the CSP (Cryptographic Service Provider) so that the Kerberos SSP can get an X.509 certificate (self-created) without using a smart card? Then from the Kerberos SSP send the certificate to AD (Active Directory). Link

Jolokia access with custom JAAS

我只是一个虾纸丫 submitted on 2020-06-17 09:59:24
Question: In ActiveMQ Artemis, when I use the requisite or required flag with my custom JAAS login module, I am not able to log in to the Artemis management console (Jolokia, port 8163). I have special business logic in the custom JAAS login module which authenticates mobile devices. But at the same time I want to have an admin user who can log in to the Artemis management console with some username/password or even without a password. In order to have both the custom and the guest login module in Artemis login.config

Security of Mobile Backend API key

核能气质少年 submitted on 2020-06-15 21:27:55
Question: Suppose I am developing a mobile application that makes calls to an API server. The API server is secured by an API key. I cannot hard-code the API key inside the mobile application because it can be stolen. How can I protect the API key? Answer 1: How is that problem usually solved? (It sounds like the API-key you are trying to protect is for an API service that you don't own.) One approach is by using an authentication server. The private API-key is kept on the authentication server and only
