security

What is wrong with using DateTime.Now as the main part of a unique ID?

主宰稳场 submitted on 2020-01-24 02:55:35
Question: I used to use RNGCryptoServiceProvider to generate string-based Order IDs, but there were 4 instances where ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@$%^*()_- would generate an already-existing Order ID. And it got me thinking... Why can't we just use something like: <html> ... <p>@GenerateOrderId()</p> ... </html> and: public string GenerateOrderId() { return "OID" + DateTime.Now.Year + DateTime.Now.Month + DateTime.Now.Day + DateTime.Now.Hour + DateTime.Now.Minute + DateTime.Now.Second +

SecureString for storing in memory and presenting passwords? Or something else?

强颜欢笑 submitted on 2020-01-24 02:20:33
Question: I have been writing a little program for myself in C# that I can use to store my passwords and then retrieve them for viewing/editing. While the passwords are stored to disk in an encrypted format, when they are read into memory for display/editing on a form, they are unencrypted. I have learned that having unencrypted passwords in memory is a pretty big security problem, so I came across the SecureString class. Would there be a more secure way to do this than using the SecureString class,

How do I add HTTP basic auth for a specific endpoint with spring security?

有些话、适合烂在心里 submitted on 2020-01-24 02:16:06
Question: I have a Spring Boot application with Spring Security. A new endpoint /health is to be configured so it is accessible via basic HTTP authentication. The current HttpSecurity configuration is as follows: @Override protected void configure(HttpSecurity http) throws Exception { http.requestMatchers() .antMatchers(HttpMethod.OPTIONS, "/**") .and() .csrf() .disable() .authorizeRequests() .anyRequest() .permitAll() .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

Does url.parse protect against ../ in a url?

让人想犯罪 __ submitted on 2020-01-24 00:29:07
Question: I want everything in a directory called public to be allowed to be served. What I have is: let uri = require('url').parse(req.url).pathname; let filePath = `${publicDir}/${uri}`; // then simply check if the file exists. Is the pathname property on the object returned by url.parse protected against injection attacks? I don't know what they would all be, but for example attacks like mysite.com/../../users/ . Source: https://stackoverflow.com/questions/47481784/does-url-parse-protect-against-in-a

Securely storing private images

人盡茶涼 submitted on 2020-01-23 22:00:26
Question: I am in need of a secure solution for storing a larger (unknown) amount of private images accessed only by a certain user. This question is not about things like logins, sessions or anything like that; it is solely about images and how they are stored. I'll start out by explaining what I am trying to achieve and then go on to things I've thought about doing. Private images only accessible by a certain user: A user logs in to my site to upload and view images provided and uploaded by him

About the same-origin policy… Can I do this?

若如初见. submitted on 2020-01-23 17:10:24
Question: I have a siteA, and JS in siteB. The siteB JS gets the siteB domain to return JSON in an AJAX POST request. Then, based on the information from the siteB domain, the siteB JS injects into the siteA website via some create-document technique in JS. If it violates the same-origin policy, any other suggestions? Thank you. (I only have the right to control siteB.) Answer 1: People generally think about three origins when dealing with this sort of thing: The Page (http://example.com/) The Script (http:/

Different ways of authentication in ASP.NET

我只是一个虾纸丫 submitted on 2020-01-23 12:19:54
Question: I am working on a website for my company that is available both on our internal network and on the internet. And I am asked for something that does not seem possible to me, but I wanted to ask the question before actually saying that! We have two types of users in our company: those who are actually registered in the Active Directory (and therefore have a Windows login account) and those who are not. On our internal network we use the identity given by HTTPContext.Current.User.Identity.Name With this

How to secure programmatic resources in Jersey?

大憨熊 submitted on 2020-01-23 12:05:47
Question: Jersey JAX-RS resources can be secured with annotations like this: @RolesAllowed("user") @GET public String get() { return "GET"; } My requirement is securing dynamically created Jersey resources, which I have created like this: @ApplicationPath("/") public class MyApp extends ResourceConfig { public MyApp() { packages("com.test.res"); Resource.Builder resourceBuilder = Resource.builder(); resourceBuilder.path("/myresource3"); final ResourceMethod.Builder methodBuilder = resourceBuilder

How can a server know the request is coming from client, not an eavesdropping hacker?

穿精又带淫゛_ submitted on 2020-01-23 10:39:16
Question: I have a simple question which I cannot find a simple answer to; probably I am missing something, or I don't know how some networking concept works. And I want to know what I don't know. Simply, the question is: while eavesdropping is possible, how can the server know the request is coming from the client, not the eavesdropping hacker? Scenario: Whatever security policy I am using, I should send something to the client. It might be an asymmetrically encrypted token or something. The client has no private key