<p>If you consider your users' addresses to truly be a secret, then yes, you probably have some work to do:</p>
<h1>XSS attacks</h1>
<p>You need to be very careful about how you display user input. For example, if I say my name is <code>&lt;script&gt;alert('hello world')&lt;/script&gt;</code>, are you actually going to print that out in the website? If so, they can then insert their own JavaScript into your application. <a href="http://www.thegeekstuff.com/2012/02/xss-attack-examples/" rel="nofollow">Here's an example of an XSS attack</a>, and <a href="http://en.wikipedia.org/wiki/Cross-site_scripting" rel="nofollow">Wikipedia</a> has more information. If attackers can insert custom JS, they can intercept secret user input like addresses or passwords or cookies.</p>
<h1>HTTPS</h1>
<p>When your web server sends its message back to the user, the message doesn't go directly to the user's computer. It first goes through intermediate computers in a relay race. If attackers control one of the computers in the middle of the relay race, they can modify the server's message and insert their own JS. Once again, the attackers win. To circumvent this, you'll need <a href="http://en.wikipedia.org/wiki/HTTP_Secure" rel="nofollow">HTTPS</a>, which is a protocol that, among other things, encrypts the message. You'll also need something called a certificate; <a href="http://www.startssl.com/" rel="nofollow">StartSSL</a> sells them affordably.</p>
<p>Note that the attacker doesn't have to be some corporation or government sitting miles away to control an intermediate computer. It could be someone running <a href="http://getfirebug.com/" rel="nofollow">Firebug</a> on your school campus' unencrypted Wi-Fi network, for example.</p>
<h1>But really</h1>
<p>A better way to structure your web application is to never send the user address back to your server in the first place. One of the first rules of information security is that it's hard to get right; the more you can rely on other people's work, the better. Instead, maybe keep a fixed list of landmarks in the JS code. Or use a public API provided by a service like Google Maps, which already runs over HTTPS.</p>
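The XSS point made in the answer above, as an added example that is not part of the original answer or of any project it mentions: the same user-supplied "name" from the answer rendered two ways, once by concatenating it straight into the markup (the vulnerable version) and once through an HTML-escaping function applied at the point of output. The function names (`renderGreetingUnsafe`, `renderGreetingSafe`, `escapeHtml`, `renderNameInput`, `containsScriptTag`) and the attribute-breakout payload passed to `renderNameInput` are constructed for this illustration. It builds HTML as strings so it runs under plain Node.js without a browser DOM.

```javascript
// Added example, not code from the original answer. It contrasts unsafe
// and escaped rendering of user input. Assumed function names; runs under
// Node.js, no DOM required because it only builds HTML strings.

// The payload from the answer: a "name" that is really a script tag.
const ATTACKER_NAME = "<script>alert('hello world')</script>";

// Vulnerable: the raw string is concatenated straight into the markup,
// so the browser sees a real <script> element and executes it.
function renderGreetingUnsafe(name) {
  return "<p>Hello, " + name + "!</p>";
}

// Escape the five characters that are significant in HTML text and in
// quoted attribute values. '&' must be replaced first so the entities the
// later replacements produce are not double-encoded. This is the minimum
// for an HTML text or quoted-attribute context; data placed inside a URL,
// a JavaScript string or CSS needs a different encoder for that context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: every piece of user data is escaped at the point of output.
// The text is still displayed verbatim to the user; it just cannot be
// interpreted as markup any more.
function renderGreetingSafe(name) {
  return "<p>Hello, " + escapeHtml(name) + "!</p>";
}

// Same rule for an attribute value. Here the dangerous character is the
// double quote, which an attacker would use to close the attribute and
// add an event handler such as onfocus="..."; escapeHtml covers it.
function renderNameInput(name) {
  return '<input type="text" name="displayName" value="' + escapeHtml(name) + '">';
}

// Crude self-check: does the produced HTML still contain a live <script>
// tag? Useful as an assertion in a test suite, not as a sanitizer.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attribute-breakout payload (not from the original answer).
const ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)';

console.log("unsafe:   " + renderGreetingUnsafe(ATTACKER_NAME));
console.log("escaped:  " + renderGreetingSafe(ATTACKER_NAME));
console.log("attr:     " + renderNameInput(ATTRIBUTE_PAYLOAD));
```

Running it prints the unsafe greeting with an intact `<script>` element, the escaped greeting with `&lt;script&gt;...&lt;/script&gt;`, and the input element with `&quot;` in place of the attacker's quotes. In a real application you would not hand-roll `escapeHtml`; use the auto-escaping of your template engine, which does exactly this for every interpolation unless you explicitly opt out.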