I'm just getting started with Ruby on Rails development and I have a question concerning source code "privacy".
From what I know so far (I have not done a deployment yet, only used RoR in a local development environment), when a RoR application is deployed, all the source code is "visible" on the server?
How can I protect my code;...
According to wikipedia: http://en.wikipedia.org/wiki/Transport_Layer_Security
Seems like TLS is a replacement to SSL, but most websites are still using SSL?
...
I have a question about nonces. OK, I understand it's to prevent replay attacks, but what happens if the hacker somehow got the nonce and uses it before the user does?
...
Many lost password workflows usually result in a page which is reached by a temporary link emailed to the user. This link then takes them to a page that asks for a new password.
Upon entering the new password should a user be forced to logon manually, or should the password reset page authenticate the user automatically which would redu...
I am creating a large web application with Zend Framework 1.10. I am new to Zend Framework (1 month experience). Can you explain to me how to create an admin module in the best way (with its own authentication)? How to make this with good security?
Thanks a lot.
...
I have found this link:
http://stackoverflow.com/questions/1331887/detect-antivirus-on-windows-using-c
However when I try this code in visual c# express edition 2008 it says :
Error 1 The type or namespace name 'ManagementObjectSearcher' could not be found
(are you missing a using directive or an assembly reference?)
C:\Users\Andy\D...
If one needs to create an office website (that serves as a platform for clients/customers/employees) to login and access shared data, what are the security considerations?
To give you some more detail,
The office portal has been developed in django/python and hosted through GAE. Essentially, the end point comes with a login/password to...
I've seen some websites that can run code from the browser, and the code is evaluated on the server.
What is the security best-practice for applications that run user-contributed code? Besides accessing and changing the server's sensitive information.
(for example, using a Python with a stripped-down version of the standard library)
...
I'm working on a python script that stores ssh passwords only during the current session. What I'm doing is declaring a class variable credentials = {}. When the script needs access to a specific server, it checks in credentials to see if credentials['server'] exists. If it does, it uses the password there, if it doesn't, it prompts the ...
Precondition: There's a web application that leverages ASP.NET security model. There's also an Active Directory (AD) integration component. It provides AD users and roles as if those are application's own users and roles. The relations like "is in role" between AD user and AD role are stored in AD domain, of course, but are cached by the...
Is there any C# code/classes/open-source/tools that is recommended for adaptive authentication?
Some functions of our app utilize a Captcha to avoid spamming or inappropriate behavior, which unfortunately also slows down our genuine users. I would like to display the Captcha only if certain parameters look 'shady', such as unusual IP addre...
I've seen the outcomes of certain hacking competitions yield varied results and the argument over which OS is currently more secure has never seemed to go beyond an anecdotal level. I currently split my development (PHP, MySQL web applications which handle sensitive transcript information, among others) 50% between OSX Snow Leopard and ...
My understanding of a message digest is that it's an encrypted hash of some data sent along with the encrypted data so you may verify that the data has not been tampered with. What is the difference then between this and message authentication codes (MAC) and hash MACs (HMAC)?
...
I'm fetching data from different RSS / ATOM feeds and sometimes the HTML data I receive contains HTML tags but they don't have closing tags or have some other issues, and it screws up the page layout / styling.
Sometimes there is a class name / id clash. Is there any way to sanitize it?
If anybody can point me to some reliable Javascript / Java ...
Legacy application (win32 clients + centralized db) has 40+ installations in a company & lacks the ability to be extended by plugins. Legacy authentication system relies on computer name, user name & user SID (there is no single DOMAIN server in a company, there are dozens of workgroups).
I'm going to build stand-alone intranet site th...
I have modularized a large Grails project into several plugins and want to share access to the spring security plugin to manage authentication across my project - is there an easy way to do this? I'm not sure how to share access to core project plugins from sub plugins
...
Hello everyone,
I'm trying to view files found over HTTPS reasonably securely on Android ("reasonably" here means "not on the SD card"). I can't seem to find anything in the documentation that seems to answer this.
My current app prototype downloads the file from the server and puts it somewhere (currently, the SD card), and then laun...
Would it be possible for me to build an application that enables people to encrypt calls coming to me with my public key and then for me to decrypt the call data at my end using my own private key? This way I basically have a more secure communication channel which I am assuming, because RSA is hard to crack, would be difficult to monitor.
...
Hi!
I am using BigCouch which is a very good implementation of scalable CouchDB cluster. But it has a small problem - it doesn't support CouchDB 1.0-style Security features very well. So it must stay in the Admin Party mode.
What are the options to secure a CouchDB instance in the Admin Party mode? Each user should have their own datab...
I have a site which will show sensitive information. I am using Anti Forgery Tokens etc. to protect against XSRF in POSTs. However I am worried about someone being able to view sensitive info from a GET. What is the recommended practice for protecting read-only data sent via a GET in .Net MVC 2?
...