# Back-end

Introduction

There is a very common feature in many websites, which is redirection.

For example, if a page requires permission to view but the user has not logged in yet, the user will be redirected to the login page first, and then redirected back to the original page after logging in.

For instance, suppose there is a social networking site where viewing a personal profile requires logging in. If Ming’s personal profile URL is https://example.com/profile/ming, then as a visitor, when I click on it, I will be redirected to the login page with the original URL as a parameter:
https://example.com/login?redirect=https://example.com/profile/ming

After successful login, the website will redirect me to the original page based on the value of redirect.

Although it seems like a small feature, there are actually many security issues to consider behind it.


Introduction

During the past year, I have conducted several teaching experiments in my spare time, hoping to improve my teaching materials through continuous teaching and gain some insights from student feedback.

When conducting these teaching experiments, I often think about which existing services can reduce my workload. After all, as an engineer, I want to automate some trivial tasks, and the time saved in the long run is considerable.

Half a year ago, I made my first attempt and shared my experience here: Using Github Classroom and Travis CI to Build a Homework Grading System. After having an automated homework grading system, it did save me a lot of trouble.

This time, I want to share an automated sign-in system that I implemented in about one or two days two weeks ago.


Introduction

Recently, I encountered some cases of CSRF and took the opportunity to study it thoroughly. After in-depth research, I found that this attack is actually quite scary because it is easy to overlook. Fortunately, some frameworks now have built-in CSRF defense functions that can be easily enabled.

However, I still think it is necessary to understand what CSRF is, how the attack works, and how to defend against it. Let’s start by briefly introducing it!

CSRF is a type of attack on the web; it stands for Cross-Site Request Forgery. Don’t confuse it with XSS, they are two different things. So what is CSRF? Let’s start with an example of my own.


Introduction

Redis is an in-memory key-value database, often used for caching data to reduce the load on the backend database. This article will briefly introduce some of the useful features of Redis and where it can be applied.


(Original post published at: http://blog.techbridge.cc/2016/04/23/fast-restful-nodejs-api-backend/)

Introduction

Some websites today use the Single Page Application approach, where the backend only provides APIs for the frontend to fetch data, achieving complete separation of the frontend and backend. There are many choices for the frontend: you can use Angular, Ember.js, or React + Redux. As for the backend API, it must conform to a fixed format to make it easier for frontend developers to fetch data. This “fixed format” is most commonly known as our focus today: RESTful.
