security

How to solve “The certificate is not valid and cannot be used to verify the identity of this website” error?

爱⌒轻易说出口 submitted on 2020-01-12 05:30:10
Question: The question is: how to solve the "The certificate is not valid and cannot be used to verify the identity of this website" error? Here are the details: I have a signed applet that has been working fine, until I updated Java to 8u25 (1.8.0_25-b18). Now, the application shows an alert message "Do you want to continue? The connection to this website is untrusted". There is a note in this message too, "The certificate is not valid and cannot be used to verify the identity of this website". The

Deny all files in a directory, via web.config setting

杀马特。学长 韩版系。学妹 submitted on 2020-01-12 05:29:27
Question: As a test, I'm trying to use the web.config to control security in the following ways: deny access to all files in a directory, except for a specific file; allow access to all files in a directory, except for a specific file. So I set up the web.config as follows: <?xml version="1.0" encoding="utf-8"?> <configuration> <!-- Deny access to all files in a directory, except for a specific file --> <location path="NonAccessibleDirectory"> <system.web> <authorization> <deny users="?"/> <deny users="*

Does CORS and XSS have any connection?

有些话、适合烂在心里 submitted on 2020-01-12 05:09:28
Question: Cross-site scripting (XSS) is mentioned in the Wikipedia page for CORS. But I don't see how they are related. What's the connection between CORS and XSS? Answer 1: XSS is mentioned on the Wikipedia article in relation to JSONP, not CORS. In JSONP you reference a page containing data you want to include client side in your page like so: <script src="https://example.com/jsonp.aspx?callback=foo"></script> You then have a JavaScript function on your page called foo that will be called by the external

How secure is proguard against reverse engineering?

本秂侑毒 submitted on 2020-01-12 05:02:09
Question: I will be working with very sensitive data in an app. Obfuscation by my definition is not added security; it will only delay the cracker for a finite time. Is it possible that Proguard does this so well it may be called added security? What is most sensitive are some network calls. It will be hard to sniff the password because we will generate the password on both sides and check its validity with timestamps. The problem is the app may be reverse engineered and the generation algorithm may be

Using Android 4.1 Keychain

孤人 submitted on 2020-01-12 03:52:09
Question: I am using the Android 4.1 KeyChain and the following code worked fine under 4.0 but now gives me a NullPointerException (Cipher can't read some internal attribute) privateKey = KeyChain.getPrivateKey(context, mAlias); byte[] data = // some binary data Cipher rsasinger = javax.crypto.Cipher.getInstance("RSA/ECB/PKCS1PADDING"); rsasinger.init(Cipher.ENCRYPT_MODE, privateKey); byte[] signed_bytes = rsasinger.doFinal(data); I am handling the private key from the KeyChain as opaque and simply use it

Make a Method of the Business Layer secure. best practice / best pattern

心已入冬 submitted on 2020-01-12 03:25:07
Question: We are using ASP.NET with a lot of AJAX "Page Method" calls. The WebServices defined in the Page invoke methods from our BusinessLayer. To prevent hackers from calling the Page Methods, we want to implement some security in the BusinessLayer. We are struggling with two different issues. First one: public List<Employees> GetAllEmployees() { // do stuff } This method should be called by authorized users with the role "HR". Second one: public Order GetMyOrder(int orderId) { // do stuff } This method

what is x-Application-Context header?

两盒软妹~` submitted on 2020-01-12 03:14:32
Question: What does this response header (x-Application-Context) stand for? Is it specific to the Spring framework? What does the header below mean? X-Application-Context airtel-project-service:aws:27094 Does it reveal any sensitive information like hostname or port number? Answer 1: Spring Boot's ApplicationContextHeaderFilter does add this header. Class description: OncePerRequestFilter to add a X-Application-Context header that contains the ApplicationContext ID. ApplicationContext ID is a name for the deployed

How to stop search engines from crawling the whole website?

非 Y 不嫁゛ submitted on 2020-01-12 03:13:08
Question: I want to stop search engines from crawling my whole website. I have a web application for members of a company to use. This is hosted on a web server so that the employees of the company can access it. No one else (the public) would need it or find it useful. So I want to add another layer of security (in theory) to try and prevent unauthorized access by totally removing access to it by all search engine bots/crawlers. Having Google index our site to make it searchable is pointless from the

randomBytes vs pseudoRandomBytes

做~自己de王妃 submitted on 2020-01-12 02:50:15
Question: In what situations is it acceptable (from a security standpoint) to use node's crypto.pseudoRandomBytes instead of the cryptographically-strong crypto.randomBytes? I assume pseudoRandomBytes performs better at the expense of being more predictable (incorrect), but the docs don't really have much to say about how much less strong it is. Specifically, I'm wondering if I'm ok using pseudoRandomBytes to generate a CSRF token. Answer 1: As it turns out, with the default OpenSSL (which is bundled with node,