Category: Security

XSS (cross-site scripting) and SQL injection. When accepting input you do not control (for example messages from third-party sites, URL parameters, or user-created text annotations), it is essential to validate the data before using it and to encode it correctly for the context in which it is rendered. Otherwise, malicious users may attack the website, and even in the milder case they may merely submit malformed data, ..
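The two defences the teaser names, output encoding and parameterized queries, shown next to the unsafe forms they replace. This is an added example, not code from the original article; the `users` table, its columns and the class name are assumptions made for illustration. The HTML encoder below is correct for element bodies and quoted attributes only; values placed into JavaScript, URLs or CSS need a different encoder for that context.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Added example (not from the original article): HTML output encoding and
 * parameterized SQL, each beside the unsafe version it replaces.
 */
public class UntrustedInputDemo {

    /** Encode a value for an HTML element body or a double/single-quoted attribute. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** VULNERABLE: the user-controlled value becomes part of the SQL text itself. */
    public static String buildVulnerableQuery(String username) {
        return "SELECT id, email FROM users WHERE name = '" + username + "'";
    }

    /** SAFE: the SQL text is fixed; the value is sent as a bound parameter. (Table and columns are assumed.) */
    public static String findEmail(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for a user comment and a URL parameter.
        String comment = "<img src=x onerror=\"alert(document.cookie)\">";
        String name = "alice' OR '1'='1";

        System.out.println("raw comment:      " + comment);
        System.out.println("encoded comment:  " + escapeHtml(comment));
        // The encoded form is rendered as literal text; the browser never sees a tag.

        System.out.println("concatenated SQL: " + buildVulnerableQuery(name));
        // The quote in the name closes the literal and the OR clause matches every row.
        // findEmail(conn, name) would instead search for a user literally named "alice' OR '1'='1".
    }
}
```

Validation (length limits, allowed character sets) narrows what reaches these functions, but it does not replace them: a name that passes validation still has to be encoded for HTML and bound as a parameter, because the dangerous characters are decided by the output context, not by the input rules.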

Read more

Summary: 1. The concept of distributed security service orchestration 2. Sumeru's key implementation ideas 3. Application scenarios. Preface: In the author's understanding, one of the essentials of security defense is to raise the attacker's cost, especially the cost in time. From the defender's perspective, how to discover potential security risks as early as possible and in ..

Read more

Introduction: Yixin has built a security data platform, the Quicksand platform, which integrates collection, analysis and storage and is adapted to its own circumstances. This article mainly introduces the architecture of the Quicksand platform, the optimizations and improvements made relative to OpenSOC, and the lessons learned while putting the platform into production. Preface: OpenSOC is ..

Read more

Security is a "bottomless pit". No one in charge of security at an enterprise will say that their system is 100% secure, and security is not easy to measure or quantify, especially when it comes to evaluating quantitatively who is better than whom and by how much. Sometimes I think, or feel confused, "with all these protective ..

Read more

Preface: This article describes how to customize AuthenticationEntryPoint. Custom AuthenticationEntryPoint:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

// Invoked when an unauthenticated request reaches a protected resource:
// Ajax callers receive a 401 they can handle in script, browser navigations
// are redirected to the login page.
public class UnauthorizedEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        if (isAjaxRequest(request)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
        } else {
            response.sendRedirect("/login");
        }
    }

    // Header conventionally set by jQuery and most Ajax helpers on XMLHttpRequest calls.
    public static boolean isAjaxRequest(HttpServletRequest request) {
        String ajaxFlag = request.getHeader("X-Requested-With");
        return ajaxFlag != null && "XMLHttpRequest".equals(ajaxFlag);
    }
}
```

By default, ..

Read more

Preface: This article describes how to customize Spring Security's login page. Most of the information available online is outdated, is based on server-side templating, and is not very clear. This article gives an approach suited to a separated front end and back end: logging in via Ajax and returning a response directly. Ajax return: A total of 3 places ..
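For a separated front end the login endpoint has to answer the Ajax POST with a status code and a body the script can act on, instead of the redirects Spring Security performs by default. The following success and failure handlers are an added example, not the article's code; the JSON shape, the class names and the use of the `javax.servlet` packages are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/**
 * Added example: handlers that answer a form login with JSON rather than a redirect.
 * The response format and class names are assumptions, not the original article's.
 */
public class JsonAuthHandlers {

    public static class JsonSuccessHandler implements AuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                            Authentication authentication) throws IOException, ServletException {
            writeJson(response, HttpServletResponse.SC_OK,
                    "{\"code\":0,\"msg\":\"ok\",\"user\":\"" + jsonEscape(authentication.getName()) + "\"}");
        }
    }

    public static class JsonFailureHandler implements AuthenticationFailureHandler {
        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                            AuthenticationException exception) throws IOException, ServletException {
            // A fixed message: echoing exception.getMessage() can reveal whether the account exists.
            writeJson(response, HttpServletResponse.SC_UNAUTHORIZED,
                    "{\"code\":401,\"msg\":\"invalid username or password\"}");
        }
    }

    static void writeJson(HttpServletResponse response, int status, String body) throws IOException {
        response.setStatus(status);
        response.setContentType("application/json;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        response.getWriter().write(body);
        response.getWriter().flush();
    }

    /** Minimal JSON string escaping so a username cannot break out of the string literal. */
    static String jsonEscape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20) {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }
}
```

Wire them in with `http.formLogin().successHandler(new JsonSuccessHandler()).failureHandler(new JsonFailureHandler())`. Moving to Ajax does not remove the need for CSRF protection: the front end still has to send the CSRF token with the login POST, or the request is rejected before these handlers run.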

Read more

Preface: This article mainly studies the scenarios and principles of QR code login. Scenarios: The main scenarios are as follows: scanning a QR code with an app to log in to the PC version of a system. For example, WeChat for Web logs in automatically once the QR code has been scanned and confirmed in the app, provided the user is already logged in to WeChat ..
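The scenario above has three parties: the web page that displays the code, the already-authenticated app that scans and confirms it, and the server that ties the two together. The in-memory model below is an added example, not the article's code, and the ticket states, method names and two-minute lifetime are assumptions; it shows the properties a server-side implementation needs: an unguessable ticket, a strict state sequence (waiting, scanned, confirmed), expiry, and single use.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example: a minimal server-side model of scan-to-login.
 * State names, method names and the TTL are assumptions, not the article's design.
 */
public class QrLoginDemo {
    enum State { WAITING, SCANNED, CONFIRMED }

    static final class Ticket {
        final String id;        // the value the QR code encodes
        final long expiresAt;
        State state = State.WAITING;
        String userId;          // identity bound by the app on confirm
        Ticket(String id, long expiresAt) { this.id = id; this.expiresAt = expiresAt; }
    }

    private final Map<String, Ticket> tickets = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long ttlMillis;

    QrLoginDemo(long ttlMillis) { this.ttlMillis = ttlMillis; }

    /** Step 1 (web): create an unguessable, short-lived ticket and render it as a QR code. */
    String createTicket() {
        byte[] buf = new byte[32];
        random.nextBytes(buf);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        tickets.put(id, new Ticket(id, System.currentTimeMillis() + ttlMillis));
        return id;
    }

    /** Step 2 (app): the logged-in app scans the code; the user is shown a confirm prompt. */
    boolean scan(String id) {
        Ticket t = live(id);
        if (t == null || t.state != State.WAITING) return false;
        t.state = State.SCANNED;
        return true;
    }

    /** Step 3 (app): the user confirms; the app's authenticated identity is bound to the ticket. */
    boolean confirm(String id, String appUserId) {
        Ticket t = live(id);
        if (t == null || t.state != State.SCANNED) return false;
        t.state = State.CONFIRMED;
        t.userId = appUserId;
        return true;
    }

    /** Step 4 (web, polling): once confirmed, consume the ticket exactly once and return the user to log in. */
    String poll(String id) {
        Ticket t = live(id);
        if (t == null || t.state != State.CONFIRMED) return null;
        tickets.remove(id);   // single use: a replayed poll cannot log in a second time
        return t.userId;
    }

    /** Return the ticket only if it exists and has not expired; drop expired ones. */
    private Ticket live(String id) {
        Ticket t = tickets.get(id);
        if (t == null) return null;
        if (System.currentTimeMillis() > t.expiresAt) {
            tickets.remove(id);
            return null;
        }
        return t;
    }

    public static void main(String[] args) {
        QrLoginDemo demo = new QrLoginDemo(120_000);   // 2 minute lifetime (assumed)
        String qr = demo.createTicket();
        System.out.println("web shows QR for ticket " + qr);
        System.out.println("web polls before any scan: " + demo.poll(qr));
        System.out.println("app scans: " + demo.scan(qr));
        System.out.println("app confirms as alice: " + demo.confirm(qr, "alice"));
        System.out.println("web polls after confirm: " + demo.poll(qr));
        System.out.println("web replays the poll: " + demo.poll(qr));
    }
}
```

The two checks that matter most are in `poll`: the web side only learns who confirmed, never anything the app sent before confirmation, and the ticket is removed on first use so a leaked or replayed ticket value cannot be redeemed twice. The web session that is created after `poll` returns a user should itself be a freshly issued session, for the same reason that applies to any login.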

Read more

Preface: This article mainly discusses session fixation attacks and how Spring Security prevents them. Session fixation attacks: A session fixation attack exploits the flaw that the session ID does not change before and after login, in order to take over the logged-in state and then obtain the user's information and so on. Servlet 3.1 specification: In the Servlet 3.1 specification, HttpServletRequest.java explicitly ..
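The flaw is easiest to see with a session store in front of you. The simulation below is an added example, not the article's code: an attacker obtains a valid anonymous session ID and plants it in the victim's browser; if login keeps that ID, the attacker's copy of it now names the victim's authenticated session, and if login issues a fresh ID, the planted one is dead. Method names and the in-memory store are assumptions. Spring Security's `sessionManagement().sessionFixation()` offers `migrateSession()` (new ID, attributes copied), `newSession()` (new ID, attributes dropped), `changeSessionId()` (Servlet 3.1 `HttpServletRequest.changeSessionId()`) and `none()`; the last is the vulnerable behaviour modelled by `loginKeepingId`.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: an unchanged session ID across login versus a rotated one.
 * The store and method names are assumptions made for illustration.
 */
public class SessionFixationDemo {
    // sessionId -> authenticated user; null marks an anonymous (pre-login) session
    private final Map<String, String> sessions = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    String newSessionId() {
        byte[] b = new byte[16];
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Any visitor gets a session; this is the ID an attacker can obtain and plant. */
    String startAnonymousSession() {
        String id = newSessionId();
        sessions.put(id, null);
        return id;
    }

    /** VULNERABLE login: authenticates the existing session without changing its ID. */
    String loginKeepingId(String sessionId, String user) {
        if (!sessions.containsKey(sessionId)) throw new IllegalStateException("unknown session");
        sessions.put(sessionId, user);
        return sessionId;
    }

    /** FIXED login: invalidates the pre-login ID and issues a fresh one. */
    String loginRotatingId(String sessionId, String user) {
        if (!sessions.containsKey(sessionId)) throw new IllegalStateException("unknown session");
        sessions.remove(sessionId);
        String fresh = newSessionId();
        sessions.put(fresh, user);
        return fresh;
    }

    /** Who a given session ID currently authenticates as, or null if anonymous or unknown. */
    String whoIs(String sessionId) {
        return sessions.get(sessionId);
    }

    public static void main(String[] args) {
        SessionFixationDemo app = new SessionFixationDemo();

        // The attacker obtains a valid anonymous ID and gets it into the victim's browser
        // (for example through a link carrying the ID, or a cookie set from another host
        // that shares the cookie domain). The victim then logs in with that ID.
        String planted = app.startAnonymousSession();
        app.loginKeepingId(planted, "victim");
        System.out.println("vulnerable: attacker's planted ID now authenticates as " + app.whoIs(planted));

        String planted2 = app.startAnonymousSession();
        String victimsRealId = app.loginRotatingId(planted2, "victim");
        System.out.println("fixed: planted ID authenticates as " + app.whoIs(planted2)
                + "; victim's session moved to an ID the attacker never saw ("
                + (victimsRealId.equals(planted2) ? "same ID" : "different ID") + ")");
    }
}
```

Rotation only works if the old ID really is invalidated on the server, as `loginRotatingId` does; setting a new cookie in the browser while the old ID stays valid in the store leaves the attacker's copy usable.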

Read more

Preface: This article introduces how to use SwitchUserFilter to switch accounts. Filter order: the filters built into Spring Security, in order:

Alias                      Filter Class                                         Namespace Element or Attribute
CHANNEL_FILTER             ChannelProcessingFilter                              http/intercept-url@requires-channel
SECURITY_CONTEXT_FILTER    SecurityContextPersistenceFilter                     http
CONCURRENT_SESSION_FILTER  ConcurrentSessionFilter                              session-management/concurrency-control
HEADERS_FILTER             HeaderWriterFilter                                   http/headers
CSRF_FILTER                CsrfFilter                                           http/csrf
LOGOUT_FILTER              LogoutFilter                                         http/logout
X509_FILTER                X509AuthenticationFilter                             http/x509
PRE_AUTH_FILTER            AbstractPreAuthenticatedProcessingFilter subclasses  N/A
CAS_FILTER                 CasAuthenticationFilter                              N/A
..

Read more

Why do the headlines always carry the keyword "API security"? Because I feel like it. In fact, this article and the previous one ("The Lazy Beginner-Level Chapter on PHP Encryption and Decryption (API Security Enhancement Chapter 1)") both focus only on security. If you didn't read the last article, you must go ..

Read more