1. CSRF and XSS network attacks and defenses?
A:
CSRF (Cross-Site Request Forgery) can be understood as the attacker stealing the user's identity and sending malicious requests in the user's name. For example, a user logs in to a website and then, in another tab, opens a site built by the attacker; that site requests a resource on the site the user has just logged in to, and a malicious request is sent in the user's name, so a CSRF attack is produced. The attacking site might use an image, for instance, whose link modifies the database, so the attacker can operate on the database in the user's name. Defenses: use a verification code (CAPTCHA), check the Referer field in the HTTP request header, and use a token.
XSS (Cross-Site Scripting) means the attacker injects a malicious script that runs when users browse the page, stealing cookies or other user identity information. It is divided into the stored type and the reflected type. Stored XSS: the attacker submits data that is stored in the database, and every visitor who views it is attacked. Reflected XSS is not stored in the database; the attack code usually appears in the request parameters of the URL. Defenses: set the HttpOnly attribute on cookies, validate user input, and filter special characters.
2. How to view the performance of the website?
A:
There are generally two ways to measure page load time. One is passive measurement: a script or probe is embedded in the page; when a user visits the page, the probe collects data and automatically sends it back to a database for analysis. The other is active monitoring: a distributed, controlled environment is built that simulates user requests for the page and actively collects and analyses performance data. In terms of measurement precision, professional third-party tools give better results, for example Performance Geek.
3. Introduce the HTTP protocol (features).
A:
HTTP is a communication protocol based on TCP/IP for transferring data (HTML files, image files, query results, etc.). HTTP is an object-oriented protocol belonging to the application layer; because it is simple and fast, it is suitable for distributed hypermedia information systems. It was put forward in 1990. After several years of use and development, it has been constantly improved and expanded. Currently the sixth version, HTTP/1.0, is used in the WWW. The standardization of HTTP/1.1 is under way, and the proposal of HTTP-NG (Next Generation of HTTP) has been put forward. The HTTP protocol works on a client-server architecture. As the HTTP client, the browser sends all requests to the HTTP server, namely the web server, through the URL. The web server sends response information to the client based on the received request.
4. What happens from entering a URL until the page finishes loading?
A:
1. DNS resolution
2. TCP connection
3. Send the HTTP request
4. The server processes the request and returns an HTTP response
5. The browser parses and renders the page
6. The connection ends
5. Talk about your understanding of cookies and sessions. What are the limitations of cookies?
A:
1. Cookie data is stored on the client’s browser, and session data is stored on the server.
2. Cookies are not very secure: others can analyse the cookies stored locally and perform cookie spoofing.
3. A session is kept on the server for a certain period of time; when the number of accesses increases, this consumes server performance, so to reduce server load cookies should be used.
4. The data saved by a single cookie cannot exceed 4K, and many browsers limit the number of cookies a site can save to 20.
6. Describe XSS and CSRF attacks. What are the defense methods?
A:
XSS, or Cross-Site Scripting, occurs at the browser level of the target user: while the DOM tree is rendered, JS code that was not expected to run is executed. The main method of most XSS attacks is to embed a piece of JS code hosted on a remote or third-party domain; this JS code is actually executed in the scope of the target website.
CSRF (Cross-Site Request Forgery) literally means forging a request from another site. In technical terms, a CSRF attack occurs when the victim visits a website whose cookie has not yet expired, and the attacker sends the victim a forged link and tricks the victim into clicking it.
The general idea of XSS defense is to filter the input (including URL parameters) and encode the output. That is, all submitted content is filtered, and parameters in the URL are filtered to remove content that could lead to script execution. Content that is dynamically output to the page is then HTML-encoded so that the script cannot be executed in the browser. Although input filtering can be bypassed, a large proportion of XSS attacks are still intercepted.
There are three main defense strategies against CSRF attacks: verifying the HTTP Referer field; adding a token to the request address and verifying it; and customizing and validating properties in the HTTP headers.
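As an added example (not code from the original page), the defenses listed in questions 1 and 6 implemented server-side in Python: HTML-encoding of dynamic output against XSS, and a session-bound CSRF token checked in constant time together with a Referer origin check. SITE_ORIGIN and the plain session/form/header dictionaries are constructed stand-ins for a real framework's request objects.

```python
import hmac
import secrets
from html import escape
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.test"  # constructed: the protected site's own origin


def encode_for_html(untrusted):
    """Output encoding: render the value as text so markup inside it cannot run.
    escape() turns < > & " ' into HTML entities."""
    return escape(untrusted, quote=True)


def issue_csrf_token(session):
    """Generate a random token, bind it to the server-side session and return it
    for embedding in the form (hidden field) or in a custom request header."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def referer_allowed(headers):
    """Referer check: the request must come from our own origin. A missing
    Referer is rejected here (strict policy; some sites choose to allow it)."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_check(session, form, headers):
    """Accept a state-changing request only if the submitted token matches the
    session token (constant-time comparison) and the Referer is our origin."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    if not hmac.compare_digest(expected, supplied):
        return False
    return referer_allowed(headers)
```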
7. Which headers are specific to caching?
A:
There are two types of caching, strong caching and negotiated caching, depending on the header content of the response.
Strong cache fields are Expires and Cache-Control. If both exist, Cache-Control takes precedence over Expires.
Negotiated cache fields are Last-Modified/If-Modified-Since and ETag/If-None-Match.
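Added example, not from the original page: the two cache mechanisms as decision logic in Python. fresh_until applies the strong-cache rule (Cache-Control max-age beats Expires), and revalidate applies the negotiated-cache rule on the server side (If-None-Match against the ETag first, then If-Modified-Since against Last-Modified). RECEIVED_AT and SAMPLE_RESOURCE are constructed values.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split 'max-age=60, no-cache' into {'max-age': '60', 'no-cache': True}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip() or True
    return directives


def fresh_until(response_headers, received_at):
    """Strong cache: when the stored copy stops being fresh, or None if it may
    not be reused without revalidation. max-age wins over Expires."""
    cc = parse_cache_control(response_headers.get("Cache-Control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return None
    if "max-age" in cc:
        return received_at + timedelta(seconds=int(cc["max-age"]))
    if "Expires" in response_headers:
        return parsedate_to_datetime(response_headers["Expires"])
    return None


def revalidate(request_headers, resource):
    """Negotiated cache, server side: If-None-Match is compared with the ETag
    first; only if absent is If-Modified-Since compared with Last-Modified.
    Returns 304 (client reuses its copy) or 200 (send a new body)."""
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        tags = [t.strip() for t in inm.split(",")]
        return 304 if "*" in tags or resource["etag"] in tags else 200
    ims = request_headers.get("If-Modified-Since")
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims)
        except (TypeError, ValueError):
            return 200  # malformed date: ignore the conditional header
        if resource["last_modified"] <= since:
            return 304
    return 200


# Constructed sample values: time the response was received, and a resource
RECEIVED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESOURCE = {"etag": '"v1-abc123"',
                   "last_modified": datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)}
```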
8. What fields can be set for cookies?
A:
The name field is the name of a cookie.
The value field is the value of a cookie.
The domain field is the domain name from which this cookie can be accessed.
For a non-top-level domain, such as a second-level or third-level domain, the cookie's domain can only be set to the top-level domain or to its own second-level or third-level domain; it cannot be set to another second-level domain, otherwise the cookie is not created.
For a top-level domain, the domain can only be the top-level domain itself, not a second-level or third-level domain; otherwise the cookie is not created.
A second-level domain can read cookies of the top-level domain or of its own domain, but cannot read cookies of other second-level domains. Therefore, to share a cookie among several second-level domains, set its domain to the top-level domain so that all second-level domains can read the value of this cookie. A top-level domain can only obtain cookies whose domain is the top-level domain; cookies whose domain is set to a second-level domain cannot be obtained.
The path field is the page path from which this cookie can be accessed. For example, if domain is abc.com and path is /test, only pages under /test can read the cookie.
The Expires/max-age field specifies the timeout period for this cookie. If the value is set to a time, the cookie becomes invalid when the time is reached. If this parameter is not set, the default value is Session, which means that the cookie will expire with the Session. This cookie expires when the browser closes (not the browser TAB, but the entire browser).
The Size field is the size of this cookie.
The HTTP field is the HttpOnly property of the cookie. If this property is true, the cookie is only sent in the HTTP request header and cannot be accessed through document.cookie.
The Secure field sets whether this cookie can only be transmitted over HTTPS.
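Added example (not code from the original page) that turns the fields above into Python: build_set_cookie emits a Set-Cookie header with the hardened HttpOnly and Secure defaults and enforces the 4K limit, and cookie_sent applies the domain and path matching rules described above (Domain=abc.com, Path=/test). The cookie dict shape and the domain names are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

MAX_COOKIE_BYTES = 4096  # the page's 4K limit on a single cookie


def build_set_cookie(name, value, domain=None, path="/", max_age=None,
                     http_only=True, secure=True):
    """Serialise one Set-Cookie header. HttpOnly (no document.cookie access)
    and Secure (HTTPS only) are on by default; without max_age the result is
    a session cookie that expires when the whole browser is closed."""
    parts = [f"{name}={value}"]
    if domain:
        parts.append(f"Domain={domain}")
    parts.append(f"Path={path}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
        expires = datetime.now(timezone.utc) + timedelta(seconds=max_age)
        parts.append("Expires=" + format_datetime(expires, usegmt=True))
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    header = "; ".join(parts)
    if len(header.encode()) > MAX_COOKIE_BYTES:
        raise ValueError("cookie larger than 4K; browsers will drop it")
    return header


def domain_matches(cookie_domain, host):
    """Domain=abc.com covers abc.com and every subdomain; a cookie scoped to
    a.abc.com is never sent to b.abc.com."""
    cd = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cd or host.endswith("." + cd)


def path_matches(cookie_path, request_path):
    """Path=/test covers /test and /test/..., but not /testing."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_sent(cookie, scheme, host, request_path):
    """Would the browser attach this (constructed) cookie dict to the request?"""
    if cookie.get("secure") and scheme != "https":
        return False
    return (domain_matches(cookie["domain"], host)
            and path_matches(cookie["path"], request_path))
```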
9. Besides cookies, what other storage methods are available? What’s the difference between cookie and localStorage?
A:
Also localStorage, sessionStorage, IndexedDB, etc.
The differences between cookie and localStorage:
Cookie data is always carried (even when it is not needed) in same-origin HTTP requests, i.e. cookies are passed back and forth between the browser and the server.
Cookie data also has the concept of a path, which can be restricted: a cookie belongs to a specific path.
The storage size limit is also different, cookie data cannot exceed 4K, and because cookies are carried with each HTTP request, cookies are only suitable for storing very small data, such as call tokens.
localStorage, while limited in size, is much larger than a cookie, up to 5M or more.
localStorage is always valid and is retained even when a window or browser is closed, so it is used for persistent data; cookies remain valid only until the set cookie expiration time, regardless of whether the window or browser is closed.
10. Do you use HTML5 and CSS3 a lot? Are you familiar with their new features? Have you used them in a project?
A:
HTML 5:
1) Added and removed tags
Added structural tags: header, footer, aside, nav, main, article, figure
Content elements: mark (highlight), progress
New form controls: calendar, date, time, email, url, search
New input types: color, date, datetime, datetime-local, email
Removed outdated tags: big, font, frame, frameset
2) Canvas drawing, inline SVG support, MathML support
3) Audio and video: audio, video, source, embed, track
4) Local offline storage: list the files that need to be stored locally offline in a manifest configuration file
5) Web storage: localStorage and sessionStorage
CSS 3:
CSS3 borders such as border-radius, box-shadow, etc.; CSS3 backgrounds such as background-size, background-origin, etc.; CSS3 2D and 3D transforms such as transform; CSS3 animation such as animation.
Note: the answers are for reference only