This guide explains why and how to upgrade an HTTP website to HTTPS using free Let’s Encrypt certificates and the acme.sh script, covering installation, certificate generation via HTTP or DNS validation, deployment to Apache/Nginx, and automated renewal.
The article explains the vulnerabilities of plain HTTP, illustrates man‑in‑the‑middle attacks, shows why simple symmetric encryption is insufficient, and then details how HTTPS—built on SSL/TLS, asymmetric key exchange, and CA certificate validation—prevents these attacks, providing a comprehensive overview of secure web communication.
GitHub announced the removal of unnecessary cookies, reflecting GDPR-driven privacy shifts and showing how modern web platforms can reduce data collection while still tracking essential performance metrics without third‑party trackers.
The article explains a privilege‑escalation flaw in the ThinkCMF CMS built on ThinkPHP 5.0, demonstrates how to exploit it via crafted URLs to invoke arbitrary PHP functions such as phpinfo, and describes the official fix that adds strict controller name validation.
This guide explains why and how to migrate a website from HTTP to HTTPS by obtaining free Let’s Encrypt certificates, installing the acme.sh script, using HTTP or DNS validation, copying the certificates to the web server, and automating renewal and updates.
This article explains what XSS attacks are, demonstrates simple exploitation scenarios, and provides a comprehensive solution using the mica-xss library with Spring MVC, including dependency setup, request filtering, testing methods, and the underlying Jsoup‑based implementation.
This article provides a comprehensive overview of JSON Web Tokens, explaining their purpose, structure (header, payload, signature), key concepts such as JWS and JWE, the various claim types, encryption and signing algorithms, and practical usage considerations for secure web authentication.
This article explains the purpose, possible values, and security impact of the Sec-Fetch request headers introduced by the Fetch Metadata specification, showing how browsers automatically add them, how servers can use them to filter illegal requests, and providing practical policy examples and code snippets.
This article traces the evolution from early stateless web browsing to modern token‑based authentication, explaining how session management challenges led to centralized stores, their drawbacks, and how signed tokens using HMAC‑SHA256 provide a scalable, secure, and truly stateless alternative.
This article provides a comprehensive overview of Cross‑Site Scripting (XSS), explaining its definition, dangers, underlying mechanisms, classification into stored, reflected, and DOM‑based types, common injection vectors, and practical defense strategies, while also addressing common questions and resources for further learning.
The article explains why web applications must never trust client data, describes how PHP sessions are vulnerable to hijacking and fixation attacks, outlines typical attack vectors such as XSS, cookie theft, and brute‑force, and provides practical defense measures like HttpOnly cookies, token validation, and session regeneration.
Understanding SSL certificates, their role in securing web traffic, why trusted CAs are essential, the cost factors, free options like Let’s Encrypt, and the various validation types helps developers select the appropriate certificate and configure it properly, typically via Nginx, for robust HTTPS protection.
This article explains three practical methods for achieving Single Sign‑On in web systems—using a parent‑domain cookie, deploying a dedicated authentication center, and leveraging front‑end LocalStorage with iframe postMessage—to share session or token information across multiple domains.
This article explains the concept of Cross-Origin Resource Sharing (CORS), the same‑origin policy, how simple and preflight requests work, and demonstrates configuring a Koa server and client‑side settings—including credentials and header handling—to enable secure cross‑origin communication.
Microsoft announced that it will cease support for Internet Explorer 11 in Microsoft 365 applications, detailing a phased shutdown that began with Teams in 2020, ended Office 365 support in August 2021, and signals the browser's eventual disappearance despite its historical dominance and lingering security concerns.
This guide explains why and how to migrate an HTTP site to HTTPS by obtaining free Let’s Encrypt certificates using the acme.sh script, covering installation, HTTP/DNS/standalone validation methods, certificate installation, automatic renewal, and troubleshooting steps.
After gathering reconnaissance data in a penetration test, this article reviews seven popular web vulnerability scanners, outlining their core capabilities, typical usage scenarios, and visual screenshots to help security professionals choose the right tool for detecting SQL injection, XSS, file inclusion, and other common web flaws.
This article provides a detailed walkthrough of web penetration testing steps, extensive Q&A on common vulnerabilities such as SQL injection, XSS, CSRF, SSRF, file inclusion, privilege escalation methods, mitigation strategies, and interview preparation tips for security professionals.
This article explains the differences between Next‑Generation Firewalls and Web Application Firewalls, highlighting the additional protection that a WAF—especially F5’s solution—provides for complex web applications and why combining both technologies offers comprehensive security.
This article examines the prevalence of SQL injection attacks, presenting Imperva’s recent statistics, common attack vectors, real-world examples, and practical defenses such as prepared statements, input sanitization, and web application firewalls, while also offering Python code illustrations of secure and insecure database queries.
This article explains the stateless nature of HTTP, session and cookie mechanisms, the challenges of multi‑system authentication, and then details the concept, workflow, token handling, and step‑by‑step Java code for building a basic Single Sign‑On solution with login and logout support.
This article explains the fundamentals of authentication and authorization, the roles of credentials, cookies, sessions, various token types including access and refresh tokens, and details the structure, generation, and usage of JWTs, while comparing security considerations and distributed session sharing strategies.
This article explains the fundamentals of web security, outlines typical web architecture, classifies penetration testing approaches, enumerates common vulnerabilities such as SQL injection, XSS, file upload and deserialization, and discusses how attackers combine these flaws to launch advanced exploits.
This article examines the rise of web‑application firewalls, outlines common deployment challenges, compares several WAF operating modes—including bypass, layer‑2 transparent, and proxy architectures—and proposes load‑balancing strategies to achieve secure, high‑availability web services.
This article explains the fundamentals of HTTP session management, the limitations of cookie-based single-system login, and introduces Single Sign-On (SSO) concepts, including global and local sessions, token-based authentication, and provides step-by-step Java code examples for implementing SSO client and server components.
This article explains in plain language what HTTPS is, how it encrypts data using symmetric and asymmetric techniques, how it verifies server identity with digital signatures and certificates, and why these mechanisms keep web communications safe from eavesdropping and tampering.
This article explains PHP's htmlentities() function, detailing its signature, parameters, flag options, return behavior, and provides multiple code examples demonstrating how to convert characters to HTML entities and handle encoding nuances.
This article explains how HTTPS security depends on certificates, outlines the risks of certificate forgery, describes the certificate issuance process, and introduces Certificate Transparency and the Expect-CT header as mechanisms to detect and mitigate forged certificates.
This article explains why HTTPS is essential for protecting privacy, ensuring data integrity, and authenticating servers, describes the evolution of SSL/TLS, and walks through the handshake process that combines asymmetric and symmetric encryption to secure web traffic.
This article explains why HTTPS is necessary, describes symmetric and asymmetric encryption, illustrates the key exchange process, and outlines how HTTPS ensures secure communication by preventing eavesdropping, man‑in‑the‑middle attacks, and ensuring certificate trustworthiness.
Chrome 83 introduces Trusted Types for XSS protection, refreshed form controls with better touch and accessibility, stricter cross‑origin policies, Core Web Vitals metrics, a new memory‑profiling API, and an upgraded Native File System API with writable streams, all illustrated with code samples.
This article explains how HTTPS works by detailing the certificate verification and data transmission phases, the use of asymmetric and symmetric encryption, the role of Certificate Authorities, potential man‑in‑the‑middle attacks, browser validation steps, and why HTTPS does not fully prevent packet capture.
The article explains the fundamental differences between HTTP and HTTPS, outlines how HTTPS adds SSL/TLS encryption to the standard HTTP protocol, describes the step‑by‑step communication process—including certificate verification, key exchange, and encrypted data transfer—and compares ports, security, and connection details.
This article explores the limitations of traditional web vulnerability scanners and manual testing, proposes a proxy‑based architecture that captures real user requests for centralized analysis, demonstrates a demo implementation using Burp and custom scanners, and reflects on the design's strengths and remaining challenges.
This article explains how cookies and sessions compensate for HTTP's stateless nature, details their creation, types, and limitations, compares them with JSON Web Tokens, and provides guidance on choosing the appropriate authentication method for different application scales and security requirements.
This article explains the concepts of forward and reverse proxies, compares their operation and use cases, and shows how they differ in client configuration, security, and load‑balancing, providing clear examples and visual illustrations for practical understanding.
This tutorial explains how to install the Python captcha library and write a simple script to generate image captchas, then discusses using bulk‑generated captchas for machine‑learning training and web‑scraping applications.
VeryNginx, built on the lua_nginx_module, adds a powerful firewall, access statistics, and a web UI to Nginx, with clear installation steps, reverse‑proxy and static‑resource configuration examples, and customizable matching and response rules for security management.
This article presents a practical checklist for securing web applications, covering unit testing, access control, change tracking, admin privilege management, least‑privilege principles, remote redundancy, monitoring, encryption, automated security scanning, and SQL injection prevention, offering actionable guidance for developers.
This guide introduces Spring Security fundamentals, explaining authentication and authorization concepts, the core interfaces such as AuthenticationManager and AccessDecisionManager, how to configure them with Spring Boot, customize filter chains, apply method‑level security, and handle thread‑bound security contexts for asynchronous processing.
This article explains several typical web security threats—including XSS, SQL injection, request forgery, CSRF, hotlink protection, upload/download vulnerabilities, and whitelist/blacklist misuse—while providing concrete Java code examples and practical defense techniques to mitigate each risk.
This article explains the background, architecture, and step‑by‑step authentication flow of Single Sign‑On systems, covering the classic CAS framework, Java implementation details, and Taobao's extended SSO design with code examples.
This article explains the concept, types, lifecycle, and security considerations of HTTP cookies, illustrates how browsers store and send cookies, describes the cookie‑jar model, domain handling, and related CORS mechanisms, and provides practical JavaScript examples.
This article explains the fundamental differences between cookies, sessions, and tokens, outlines how each works in web authentication, compares their security and performance trade‑offs, and offers practical guidance on storage, encryption, and best practices for implementing token‑based authentication.
This article compares Spring Security and Apache Shiro, explaining their authentication and authorization features, filter‑chain mechanisms, RBAC model, and related security concepts to help Java developers choose the right framework for production‑grade web applications.
This article explains how to protect communication in hybrid Android applications by using native C/C++ encryption libraries, secure HTTPS handling, zip‑based Web resource protection, and anti‑tampering/replay mechanisms, providing practical code examples and architectural guidance for developers.
This guide explains why web log analysis is essential for security, demonstrates how to parse Apache logs, distinguishes normal from malicious requests, and provides practical Secsoso commands for business behavior statistics, traffic monitoring, and detecting attacks such as CC, SQL injection, file inclusion, and XSS.
The article explains how the 58 Group’s cloud account platform consolidates multiple account systems and provides a unified SDK, detailing cross‑domain challenges, same‑origin policy, and practical solutions such as JSONP, iframe proxies, independent domains, 302 redirects, and CORS to ensure secure, efficient login integration across web, app, and PC clients.
The article explains why CORS distinguishes between simple requests—limited to GET, HEAD, POST with specific headers and content types—and preflighted requests, describing the server‑side rationale, the mechanics of preflight, and why avoiding preflight for simple requests simplifies cross‑origin interactions.
This article explains the stateless nature of HTTP, the session mechanism used for single‑system login, the challenges of multi‑system applications, and how Single Sign‑On (SSO) solves them by introducing a central authentication server, token‑based authorization, and coordinated logout, with concrete Java code examples.
This article explains how traditional session‑cookie authentication creates scalability, security, and deployment challenges in front‑end/back‑end separated web applications, and how JSON Web Tokens (JWT) provide a compact, self‑contained, stateless solution while also outlining their advantages and limitations.
This article examines the security challenges of mobile web marketing pages, explains how bot-driven API abuse harms users and businesses, and presents a comprehensive solution involving front‑end behavior tracking, risk‑control services, token‑based HTTPS communication, data encryption, and JavaScript obfuscation to protect against automated attacks.
HTTPS combines HTTP with SSL/TLS encryption to protect data transmission, involving DNS lookup, TCP three‑way handshake, TLS negotiation with certificates and symmetric keys, and finally encrypted HTTP communication, while the article also explains TCP’s four‑way termination and the overall request‑response flow.
This article explains what JWT (JSON Web Token) is, its compact self‑contained structure, how it replaces traditional session‑cookie authentication, and discusses its benefits, limitations, and practical usage in stateless web security.
This article explains the security challenges of mobile web activity pages in e‑commerce, outlines a risk‑control workflow that includes human‑verification algorithms, token‑based communication protection, data encryption, and front‑end code obfuscation, and provides a step‑by‑step technical solution to mitigate abuse and improve user experience.
This article explains the fundamentals of injection attacks, focuses on SQL injection as part of the OWASP Top 10, classifies injection vectors by data type, submission method, and impact, and provides concrete examples and defensive measures to protect web applications.
HTTPS secures web communication by combining symmetric and asymmetric encryption, digital certificates, and signatures, addressing HTTP’s confidentiality, integrity, and authenticity flaws; the article explains these cryptographic concepts, the SSL/TLS handshake steps, and when HTTPS is appropriate despite its performance overhead.
To protect mobile web activity pages such as coupons and lotteries, the article proposes a layered security approach that combines professional risk‑control services, custom human‑verification logs, token‑based HTTPS signing, data encryption, and aggressive front‑end JavaScript obfuscation to block automated abuse while preserving user experience.
This tutorial explains the principles of signature‑based web application firewalls, shows how to identify their presence using crafted XSS payloads, and provides step‑by‑step Python scripts to automate detection, test multiple payloads, and attempt bypass techniques.
This article explains how the Hunter system integrates automated web vulnerability scanning—including black‑box testing, browser‑extension traffic capture, and distributed analysis engines—into CI/CD workflows to detect security risks early, improve efficiency, and reduce manual effort.
This article explains how using target="_blank" on links can expose pages to phishing attacks via the opener object, compares same‑origin and cross‑origin behaviors, and provides practical mitigation techniques such as Referrer‑Policy, rel="noreferrer" and rel="noopener" with fallback JavaScript.
This article explains why database injection remains a critical security threat, illustrates how attackers exploit vulnerable web applications using manual techniques and automated tools such as sqlmap, and provides comprehensive defensive measures spanning secure coding, database hardening, web‑server configuration, WAF deployment, and log‑analysis to protect sensitive data.
This guide outlines practical techniques—ranging from analyzing debug‑mode error pages and hidden CSRF tokens to inspecting admin static files and third‑party module footprints—to reliably fingerprint Django‑based web applications during black‑box security assessments.
This article explains why HTTPS is essential by comparing HTTP’s performance drawbacks, detailing its security vulnerabilities, and describing the cryptographic mechanisms—including TLS, symmetric and asymmetric encryption, certificates, and HMAC—that HTTPS employs to protect data and enable modern features like HTTP/2.
This article explains the background and risks of Cross‑Site Request Forgery (CSRF) attacks, illustrates real‑world exploitation scenarios, and provides comprehensive defense techniques such as origin/referrer checks, CSRF tokens, double‑cookie verification, SameSite cookies, and best practices for developers and security teams.
This article explains the fundamentals of Cross‑Site Scripting (XSS) attacks, presents real‑world examples, classifies stored, reflected, and DOM‑based XSS, and provides comprehensive prevention, detection, and mitigation techniques for frontend developers, including proper escaping, whitelist schemes, CSP, and secure coding practices.
CSRF attacks trick a logged‑in user’s browser into sending authenticated requests to a target site, enabling unauthorized actions, so front‑end developers must mitigate them by enforcing same‑origin checks, using anti‑CSRF tokens or double‑cookie verification, and configuring SameSite cookie attributes to block cross‑site requests.
Google is exploring a radical overhaul of URLs to improve readability, mobile usability, and security, citing issues with long, obfuscated links that hinder user trust and enable phishing, while Chrome engineers discuss potential UI changes and the challenges of transforming this decades‑old web standard.
This article explains the fundamentals of CAS-based Single Sign‑On, detailing the roles of CAS Server and Client, the ticket‑granting process, login and logout flows, session handling, and how global and local sessions interact to provide seamless authentication across multiple web applications.
This article explains the three main types of XSS attacks, provides concrete examples, outlines common remediation techniques such as proper HTML escaping, and highlights seven practical considerations for functional regression testing and secure server‑side and client‑side handling.
This article explains how browsers handle CORS by distinguishing simple and non‑simple requests, the conditions that trigger a preflight OPTIONS request, the required Access‑Control response headers, and how server‑side implementations—such as Java interceptors—manage these interactions.
This article dispels seven widespread HTTPS misconceptions—from caching and certificate costs to speed and IP requirements—explaining how browsers handle secure caching, affordable SSL options, wildcard certificates, migration steps, performance impacts, and why HTTPS is essential beyond login pages.
This article explains how penetration testers can identify and bypass signature‑based Web Application Firewalls using Python, covering WAF fundamentals, payload creation, detection of common firewalls like Mod_Security, and techniques such as brute‑force payload testing and HTML entity encoding to evade filters.
The article explains anti‑crawling concepts, current challenges, classification of techniques (client‑side, middle‑layer, server‑side, real‑time vs. non‑real‑time), and argues for a systematic, platform‑driven approach to continuously adapt strategies against evolving web scrapers.
This article explains why plain‑HTTP traffic is vulnerable, outlines encryption tricks, describes file‑path traversal, DNS spoofing, proxy risks, HTTP error codes, POST data formats, cookie security, CSRF, XSS, JSONP, and CORS, and provides practical mitigation techniques for each threat.
The article explains how importing third‑party images, scripts, and especially CSS can be abused to steal data, manipulate page content, hide elements, perform keylogging, trigger unwanted requests, and ultimately compromise user security, urging developers to trust only verified resources.
This article walks through an eight‑step JWT authentication flow, explaining how to securely transmit user IDs via cookies, verify tokens on each request, compare JWT with traditional session storage, and configure domain‑wide cookies for single sign‑on across subdomains.
This article introduces the most common web application vulnerabilities—including SQL injection, XSS, CSRF, file upload, file inclusion, clickjacking, and URL redirect—explaining how attackers exploit them and the potential impacts on websites and their users.
This article explains the fundamentals of HTTPS, covering why encryption is needed, how symmetric and asymmetric cryptography work together, the role of certificates and public‑key infrastructure, and the performance impact of the TLS handshake, all through a concise Q&A format.
This article explains what CSRF (Cross‑Site Request Forgery) is, illustrates its attack model, details the potential damages, walks through the attack process with examples, and outlines practical detection methods and multiple defense techniques including token‑based protection and referer checks.
The guide details how a SaaS platform can transition to full‑site HTTPS by explaining the TLS handshake, inventorying static assets, domains and third‑party services, using protocol‑relative URLs, configuring redirects and CSP, testing securely, and addressing common migration challenges such as legacy references and external dependencies.
This article explains the Central Authentication Service (CAS) as an open‑source enterprise SSO solution, detailing its features, authentication flow, architecture, proxy mode, and security mechanisms that rely on SSL and secure tickets.
This article explains the mechanics of Cross‑Site Request Forgery (CSRF) attacks—including a step‑by‑step example of password‑change exploitation—lists the four essential conditions for a successful CSRF, introduces the related Server‑Side Request Forgery (SSRF) threat, and provides practical mitigation strategies for both vulnerabilities.
This article explains what CORS is, why browsers enforce same‑origin policies, details the essential HTTP headers involved, and offers practical solutions—including server‑side configuration, temporary browser work‑arounds, and proxy setups—to resolve cross‑origin request errors.
This guide provides a deep dive into Spring Security's architecture, explaining how authentication and authorization are separated, how the AuthenticationManager and AccessDecisionManager work, how web filter chains are organized, and how to apply method‑level security and thread‑local context handling in Java applications.
This article demystifies HTTPS by explaining its underlying encryption, signing, and certificate mechanisms, illustrating how zero‑knowledge proof concepts secure identity verification, and providing practical guidance on upgrading from HTTP, configuring certificates, capturing traffic with Fiddler, and understanding session recovery and performance considerations.
This article describes Ctrip’s evolution from rule‑based web attack detection to a Spark‑powered machine‑learning system, detailing the Nile architecture, data collection, feature engineering with TF‑IDF, model training, evaluation metrics, online deployment, and future enhancements for information security.
This article describes how Ctrip's security team replaced rule‑based web attack detection with a Spark‑powered machine‑learning pipeline, detailing the system architecture, feature engineering using TF‑IDF, model training, evaluation, online deployment, and future enhancements to improve detection accuracy and performance.
The OWASP Top 10 project ranks the ten most critical web application security risks by analyzing threats, vulnerabilities, technical impact, and business consequences, offering developers, testers, and security teams actionable guidance to improve risk awareness and implement focused protection measures.
During an external penetration test I discovered an Oracle Advanced Support service, reverse‑engineered its JavaScript endpoints, crafted GET and POST requests to create and execute named SQL statements, and ultimately extracted database version, user information, and password hashes, highlighting a critical web‑application flaw.
The article introduces major web security threats such as XSS, injection, CSRF, explains their mechanisms with examples, and presents defensive measures including input sanitization, HttpOnly cookies, web application firewalls, and encryption methods like hashing, symmetric and asymmetric cryptography.
This article explains why HTTPS is essential, compares third‑party and self‑managed TLS options, and provides a complete Go implementation using Let’s Encrypt’s autocert library, including code for certificate handling, HTTP‑to‑HTTPS redirection, DNS requirements, and caching strategies.
This guide explains why plain HTTP is insecure, introduces SSL/TLS fundamentals, compares certificate types, and provides step‑by‑step instructions for configuring HTTPS on a web server (including Nginx redirects), while highlighting performance impacts and testing considerations.
This article describes Ctrip's automated web vulnerability detection system, detailing the shift from active to passive scanning, the distributed architecture using traffic mirroring, message queues, Redis, and MySQL, and the processes for data collection, de‑duplication, scanning, and vulnerability management.
This article recounts Stack Overflow’s multi‑year migration to HTTPS, detailing technical hurdles such as handling hundreds of domains, certificate management, HTTP/2 performance, HAProxy configuration, CDN integration, and the operational practices that ensured a secure and high‑performance global platform.
This article explains the fundamental risks of plain HTTP, introduces HTTPS as a solution, and walks through the concepts of asymmetric encryption, digital signatures, certificate authorities, and the TLS handshake process using a relatable story of Bob and his friends to illustrate secure communication.
This article explains the fundamentals of the browser same‑origin policy, defines what constitutes an origin, describes the restrictions it imposes, and surveys practical cross‑origin solutions such as dynamic tags, JSONP, CORS, postMessage, document.domain, window.name, fetch, and WebSocket.
This article recounts the development of Ctrip's graphical captcha system, describing its early .NET‑based implementation, the challenges encountered such as uniform difficulty, limited data collection, and poor user experience, and how successive redesigns—including multilingual support, adaptive difficulty, and slider‑plus‑character selection—balanced security and usability.
This article explains the concept and architecture of an unmanned customer service system, outlines its security testing strategy—including interface, vulnerability scanning, privilege and data protection tests—describes database and web security methods, and provides practical command examples and tool recommendations.
The article reexamines web security as a holistic system, explaining attack goals, targets, and methods across browsers, transport channels, and servers, and shows how coordinated front‑end and back‑end defenses such as encryption, signing, and input validation are essential to protect the whole web stack.
