security

问题 I'm new to java and I'm not that familiar with the formatting rules used by an error stack trace when it is thrown and subsequently displayed to an end-user of my web application. My experience with Oracle database is that the error stack contains internal information, such as schema and procedure names and line number(s), which, while useful for debugging, I would like to prevent the user from seeing. Here's an example: java.sql.SQLException : ORA-20011: Error description here ORA-07894: at

问题 I'm new to java and I'm not that familiar with the formatting rules used by an error stack trace when it is thrown and subsequently displayed to an end-user of my web application. My experience with Oracle database is that the error stack contains internal information, such as schema and procedure names and line number(s), which, while useful for debugging, I would like to prevent the user from seeing. Here's an example: java.sql.SQLException : ORA-20011: Error description here ORA-07894: at

问题 I recently came upon a Microsoft article that touted new "defensive enhancements" of Windows 7. Specifically: Address space layout randomization (ASLR) Heap randomization Stack randomization The article went on to say that "...some of these defenses are in the core operating system, and the Microsoft Visual C++ compiler offers others" but didn't explain how these strategies would actually increase security. Anyone know why memory randomization increases security, if at all? Do other platforms

问题 I recently came upon a Microsoft article that touted new "defensive enhancements" of Windows 7. Specifically: Address space layout randomization (ASLR) Heap randomization Stack randomization The article went on to say that "...some of these defenses are in the core operating system, and the Microsoft Visual C++ compiler offers others" but didn't explain how these strategies would actually increase security. Anyone know why memory randomization increases security, if at all? Do other platforms

问题 On iOS, the Certificate, Key, and Trust Services API contains the following padding types: kSecPaddingNone kSecPaddingPKCS1 kSecPaddingPKCS1MD2 kSecPaddingPKCS1MD5 kSecPaddingPKCS1SHA1 A user on the Apple CDSA mailing list says that "kSecPaddingPKCS1 [...] is the same as PKCS #1 1.5". The Certificate, Key, and Trust Services Reference annotates the latter three padding types ( kSecPaddingPKCS1MD2 , kSecPaddingPKCS1MD5 , and kSecPaddingPKCS1SAH ) with "Standard ASN.1 padding will be done, as

问题 On iOS, the Certificate, Key, and Trust Services API contains the following padding types: kSecPaddingNone kSecPaddingPKCS1 kSecPaddingPKCS1MD2 kSecPaddingPKCS1MD5 kSecPaddingPKCS1SHA1 A user on the Apple CDSA mailing list says that "kSecPaddingPKCS1 [...] is the same as PKCS #1 1.5". The Certificate, Key, and Trust Services Reference annotates the latter three padding types ( kSecPaddingPKCS1MD2 , kSecPaddingPKCS1MD5 , and kSecPaddingPKCS1SAH ) with "Standard ASN.1 padding will be done, as

问题 Saving and auto-filing of username/password is a feature of most modern browsers. And the user can generally choose to disable this feature on a per domain basis. But is there a standard way for the site itself to prevent password caching? The emphasis here is cross-browser, so I would employ multiple parallel mechanisms if necessary. (I have seen caching be effectively disabled in the presence of non-standard login fields, eg, an extra hidden password field. But I'd rather not depend on side

问题 As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance. Closed 8 years ago . Locked . This question and its answers are locked because the question is off-topic but has historical significance. It is not

问题 I'm looking at the JSSE reference guide, I need to obtain an instance of SSLContext in order to create a SSLEngine , so I can use it with Netty to enable security. To obtain an instance of SSLContext , I use SSLContext.getInstance() . I see that the method is overridden multiple times, so I can chose the protocol and security provider to use. Here, I can see the list of algorithms that can be used. Which algorithm should I use to enable secure communication? Also, since it is possible to

问题 I use my PHP back-end to detect AJAX requests by checking for a value in $_SERVER['HTTP_X_REQUESTED_WITH'] . This gives me a reliable detection, making sure the request is made utilizing AJAX techniques. How can I make sure the request came from my own domain, and not an external domain/robot? www.example.com/ajax?true could allow anyone to make an AJAX call and cut the information. I could make sessions for everyone that enters my website normally, and then allow AJAX calls.. but that can be