Search Results

Search found 13853 results on 555 pages for 'soa security'.

Page 97/555 | < Previous Page | 93 94 95 96 97 98 99 100 101 102 103 104  | Next Page >

  • How do web servers enforce the same-origin policy?

    - by BBnyc
    I'm diving deeper into developing RESTful APIs and have so far worked with a few different frameworks to achieve this. Of course I've run into the same-origin policy, and now I'm wondering how web servers (rather than web browsers) enforce it. From what I understand, some enforcing seems to happen on the browser's end (e.g., honoring a Access-Control-Allow-Origin header received from a server). But what about the server? For example, let's say a web server is hosting a Javascript web app that accesses an API, also hosted on that server. I assume that server would enforce the same-origin policy --- so that only the javascript that is hosted on that server would be allowed to access the API. This would prevent someone else from writing a javascript client for that API and hosting it on another site, right? So how would a web server be able to stop a malicious client that would try to make AJAX requests to its api endpoints while claiming to be running javascript that originated from that same web server? What's the way most popular servers (Apache, nginx) protect against this kind of attack? Or is my understanding of this somehow off the mark? Or is the cross-origin policy only enforced on the client end?

    Read the article

  • Does facebook store multiple password hashes for each user?

    - by loxxy
    I noticed that Facebook allows multiple variants of my own password : My password as it is. My password with first letter capitalized. My password with all letters capitalized. It is commonly known that passwords are stored as hashes. So my question is, does facebook store multiple hashes for each user? Since the hash of each variant should be completely different... Or am I missing something, here? And there may be more combinations, besides the one I observed as well. This is obviously done to provide a better user experience & they probably have a statistical explanation of people repeating these mistakes. But I could not help but wonder, is it worth to increase so many lookups (in their database) just to help the user type a wrong password? On top of this, they warn about the caps lock (even though they don't seem to care) :

    Read the article

  • Get root access for copying files to /usr/share/...?

    - by Vinaychalluru
    To be short, I want to copy a folder to a location /usr/share/screenlets/..... I don't know how to do it. I am using Ubuntu 10.04. I tried by logging in as root from terminal giving "su with my password". I even changed my user account type to ADMINISTRATOR by giving the root password when asked, yet, no use. Think all of you know that, even the option PASTE in the context menu's list in the folder "/usr/share/..." is INACTIVE. How can I copy those files?

    Read the article

  • Is it possible to configure Ubuntu as a software firewall?

    - by user3215
    I have some systems running on Ubuntu in the private IP range 192.168.2.0-255 . These systems are connected to a switch and the switch is connected to the ISP's modem. Neither the switch nor the modem support firewall options. I don't have any firewall device and I'm not willing to individually configure firewalls on all the systems (via gui/iptables). Is it possible to make an Ubuntu system into something like a software firewall, so that all the traffic/packets sent to or from the WAN(internet) would be allowed/denied based on its firewall rules?

    Read the article

  • Will using HTTPS hurt my site's SEO or other statistics?

    - by yannbane
    I've set up a WordPress blog. Since I have to log into it from many different locations/machines, I've also got an SSL certificate, and set up Apache to redirect HTTP to HTTPS. It all works, but I'm wondering whether that's an overkill. Since most people who go to my site don't have to log in, I'm starting to wonder whether HTTPS has some drawbacks. If so, should I look for a way to make HTTPS optional?

    Read the article

  • Microsoft Secret Event: New Tablet Unveiling?

    If you read the headline, you know what everyone thinks it will be: a new tablet computer, that Microsoft will manufacture from beginning to end. Apparently, the company believes it will be better able to compete against Apple if it controls both the hardware and the software. But why choose this location for the announcement? Wired thinks it makes sense if the tablet features Xbox live streaming. That would turn the humble device into something of a media machine. Speaking of the device itself, what kind of specs will this hypothetical tablet have? It's hard to say. Microsoft boasts software...

    Read the article

  • Making HTML5 videos stored on AWS S3 **difficult** to download (because I cant make it impossible)

    - by Jimmery
    I am building a website that hosts video's stored on AWS's S3 service. The videos are played thru a HTML5 player we have built. Ive just been asked to make sure "nobody can steal our video's". Now I know that if you really don't want something stolen, don't put it up on the internet. However I just need to secure these videos as good as possible, the videos need to at the very least resist someone going thru the source code and trying to download them manually. One option available to me is to completely rebuild the video player in flash. This is not ideal, for several reasons, notably because I would also then have to build an App for mobile devices to be able to view this site. So I am looking for other options. I have heard about using a token to make the file available only during certain times. I have heard of using a separate file to serve the videos that sits between the HTML5 page and the video file. I am also having a look at IAM, the Secure AWS Access Control, in the hopes AWS can solve this problem for me. Can anyone here recommend any of these options? Or perhaps suggest other options available to me? Any help would be greatly appreciated.

    Read the article

  • Is this buffer overflow working on Mac OSX? [migrated]

    - by cobie
    Was reading through some text and playing around with attempting to write past the size of an array in C i.e buffer overflow. The text indicates that whenever you attempt to write to say array[5] when the length of the array is 5 then you get a segmentation fault but I dont seem to be getting that When using the code below. The code actually runs. #include <stdio.h> #include <string.h> int main () { int i; int array[5] = {1, 2, 3, 4, 5}; for (i = 0; i <= 255; i++) { array[i] = 10; } int len = sizeof(array) / sizeof(int); printf("%d\n", len); printf("%d\n", array[254]); } On execution of the last statement, a 10 is printed. Am wondering whether this is a vulnerability or if there is something I am missing. I am running the code from iterm2 on a macbook pro.

    Read the article

  • Patch Tuesday Fixes, Valentine`s Scams

    Microsoft plans to release nine bulletins on Tuesday that cover 21 vulnerabilities across its wide portfolio of products. Of the nine bulletins, four have been tagged with the software giant's critical rating, meaning they should be given the utmost importance with regard to the overall patching process exercised by users and organizations. The four critical updates address vulnerabilities in Microsoft's Internet Explorer browser, its Windows operating system, and Silverlight. As for the remaining five updates, Microsoft has labeled them as being important. Those will cover issues foun...

    Read the article

  • Microsoft Patches Internet Explorer 9, Launches YourBrowserMatter

    Due to the critical status of the Internet Explorer 9 fix, any users with the recommended Windows Update setting of install updates automatically enabled should receive it by default. Microsoft urges users with automatic updates disabled to install the fix manually via Windows Update. IT administrators in charge of handling organizations are urged to do the same using their go-to software for managing patches in-house. Of the eight vulnerabilities targeted by the IE9 update, the most crucial make it possible for remote code execution to occur on PCs where users have visited certain affecte...

    Read the article

  • Microsoft Unveils Xbox SmartGlass

    SmartGlass won't be available to consumers until the fall, and if the reviews of the feature's capability are any indication, it's going to feel like a very long wait. SmartGlass lets you switch from watching something on your TV to watching it on your tablet or smartphone, and vice versa. But that's only the beginning. SmartGlass also lets developers turn smartphones and tablets into Xbox 360 controllers. Thus, if you're playing a sports-based game with your friends, you can enter your strategic plays into your smartphone, so he can't tell what your team is about to do. Or, with a baseball ga...

    Read the article

  • Protecting the integrity of a game state while minimizing amount of data sent

    - by espais
    I'm developing a game in PHP/jQuery, and naturally have to be wary of any sort of data coming from the client. At present, I have tables of data representing the map (2D roguelike), monsters, items, and player(s). Initially, my thought was to simply package it all in a JSON object and send it every game tick, however when actually looking at the data I realized that's quite a large packet to be sending. So, my question is what is a good approach for minimizing data sent to the client? Obviously I would need to figure out some way of validating whatever it sends back. Initially we'd hoped to do some minimal verification on the client-side, but each time we thought of one thing we could do it is immediately invalidated with tools like Firebug. Kind of an open question I realize, but we want to get this right before we move on with our implementation so we don't have to shoehorn in bugfixes later on.

    Read the article

  • Is the php method md5() secure? Can it be used for passwords? [migrated]

    - by awiebe
    So executing a php script causes the form values to be sent to the server, and then they are processed. If you want to store a password in your db than you want it to be a cryptographic hash(so your client side is secure, can you generate an md5 using php securely( without submitting the user:password pair in the clear), or is there an alternative standard method of doing this, without having the unecrypted pasword leaving the clients machine? Sorry if this is a stupid question I'm kind of new at this. I think this can be done somehow using https, and on that note if a site's login page does not use https, does that mean that while the databse storage is secure, the transportation is not?

    Read the article

  • How can robots beat CAPTCHAs?

    - by totymedli
    I have a website e-mail form. I use a custom CAPTCHA to prevent spam from robots. Despite this, I still get spam. Why? How do robots beat the CAPTCHA? Do they use some kind of advanced OCR or just get the solution from where it is stored? How can I prevent this? Should I change to another type of CAPTCHA? I am sure the e-mails are coming from the form, because it is sent from my email-sender that serves the form messages. Also the letter style is the same. For the record, I am using PHP + MySQL, but I'm not searching for a solution to this problem. I was interested in the general situation how the robots beat these technologies. I just told this situation as an example, so you can understand better what I'm asking about.

    Read the article

  • The server principal '<domain>\User' already exists. But it doesn’t

    - by simonsabin
    Interesting little situation occurred today, the person I was working with was trying to add a login to a server and was getting the following error. “The server principal '<domain>\User' already exists” They were using a command like this and couldn’t figure out why they were getting the error above because when they looked at the logins setup on the system the login definitely didn’t exist. CREATE LOGIN [<domain>\<user>] FROM WINDOWS WITH DEFAULT_DATABASE = [master] The...(read more)

    Read the article

  • secure offline PC storage accessible through javascript

    - by turbo2oh
    I'm attempting to build a browser-based HTML5 application that has the ability to store data locally on a PC (not mobile device) when offline. This data is sensitive and must be secure. Of course the trick is trying to find a way to be able to access the secure data with Javascript. I've ruled out browser local storage since its not secure. Could this be accomplished with a local database? If so, where could the DB credentials be stored? Javascript obviously doesn't seem like a good option to store them since its user-readable.

    Read the article

  • Good quality Secure Software Development Training [closed]

    - by Patrick
    Just had my annual appraisal and found out my company is willing to pay for training and exams etc! Woohoo (they kept that one quiet). I'm interested in doing a course on secure development techniques. Has anyone got any suggestions for good quality distance learning courses in secure development (I could probably get a couple of days off to attend a conference/ course if required)? We're mostly an MS .Net house but I have no particular allegiance to MS or any other programming language (though, obviously, C++ is the best language in the world). I have 12 years development experience working in (what are now) PCI:DSS environments, including designing and developing a key management system and I have some knowledge of basic attacks (XSS, injection etc). I would prefer a hard course I struggle with to a basic course I learn 3 things from (but hopefully get something right at my level). A quick google found these two course which look good: http://www.sans.org/course/secure-coding-net-developing-defensible-applications https://www.isc2.org/csslpedu/default.aspx I don't really know how to choose between them, and finding other courses isn't going to make that job any easier, so I thought I'd ask those who know. EDIT : Hmm, care to share the reason for your down vote, will help me learn how to use the site better...

    Read the article

  • Is having sensitive data in a PHP script secure? [closed]

    - by tkbx
    Possible Duplicate: What attributes of PHP make it insecure? I've heard that PHP is somewhat secure because Apache won't allow the download of raw PHP. Is this reliable, though? For example, if you wanted to password protect something, but didn't want to create a database, would something like $pass = "123454321"; be safe? Bottom line, is it safe to assume that nobody has access to the actual .php file?

    Read the article

  • Can a whitespace regex character be used to perform a javascript injection? [migrated]

    - by webose
    if I want to validate the input of a <textarea>, and want it to contain, for example, only numerical values, but even want to give users the possibility to insert new lines, I can selected wanted characters with a javascript regex that includes even the whitespace characters. /[0-9\s]/ The question is: do a whitecharacter can be used to perform injections, XSS,even if I think this last option is impossible, or any other type of attack ? thanks

    Read the article

  • Is the using of dirname(__FILE__) a good practice?

    - by webose
    looking at the code of Joomla I see that in the first line of the index, it defines the base path of installation with the dirname(FILE) is this a font of possible risk for the site, I mean if a non controlled error message show the internal path of the Joomla directory, because of, for example a failed include, can it be used to perform some kind of attack to the site ? If yes, is it convenient to use this function ? Any idea is welcome. Thanks

    Read the article

  • Windows 8: Paradigm Shift

    You've probably heard a lot about the loss of the Start button in Windows 8. While it isn't completely lost - you can still get to it via a convoluted path - its disappearance is merely a sign of the rethinking that went into the operating system's creation. Window 8's designers made certain assumptions while building the new system: Users will interact with the operating system predominantly through a touch interface. Users will do their computing on mobile devices, and may in fact use several different devices for the same purposes. They may even want to get work done on devices they do n...

    Read the article

  • Using System.Security.SecureString in .NET Remoting App?

    - by Beaner
    I am developing a Remoting application where a client looks up store specific information to login to a web server. It sets the user name and passwords in a class that stores the properties as System.Security.SecureString. I then try to pass the class with the login credentials to a server object that uses it to connect to the web host, get and some information back. When I call the server method I this error:Type 'System.Security.SecureString' in Assembly 'mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' is not marked as serializable. The class that contains the SecureStrings is marked as serializeable, and this was working while developing until I added the SecureString properties. Is there something I need to do to make this work, or am I going to have to change SecureString to String?

    Read the article

  • CC.NET Dashboard Error: Could not load type 'System.Security.Authentication.ExtendedProtection.Chann

    - by Leslie
    Late last week I upgraded CC.NET locally and on the build server. The build server is still fine, but locally I am now getting the following error: Exception Details: Exortech.NetReflector.NetReflectorTypeLoadException: Unable to load types from assembly System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089: Failed to load 1 of the 3612 types defined in the assembly. Exceptions: - Unable to load type: System.Security.Authentication.ExtendedProtection.ChannelBinding Exception: System.TypeLoadException: Could not load type 'System.Security.Authentication.ExtendedProtection.ChannelBinding' from assembly 'System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'. I'm afraid this started after a batch of Windows updates this morning. I had another two updates that won't run, 979909 and 982168 (I had an update that wouldn't run last month). Anyone else having any issues? Thanks!

    Read the article

  • wcf data service security configuration

    - by Daniel Pratt
    I'm in the process of setting up a WCF Data Services web service and I'm trying to sort out the security configuration. Although there's quite a lot of documentation out there for configuring WCF security, a lot of it seems to be outmoded or does not apply to my scenario. Ultimately, I am planning on managing authorization of operations via change interceptors. Thus, all I really need is the simplest way to permit a client to pass credentials along with a request and to be able to authenticate those credentials against either AD or an ASP.NET membership provider (I'd much prefer the latter unless it makes things much more complicated). I'm intending to manage encryption at the transport level (i.e. HTTPS). I'm hoping that the eventual solution does not involve a huge web.config. Likewise, I'd much prefer to avoid writing custom code for the purpose of authentication.

    Read the article

< Previous Page | 93 94 95 96 97 98 99 100 101 102 103 104  | Next Page >