IT |
ITmedia all articles |
[ITmedia News] Osaka's Sennan City mistakenly posted a tax-payment QR code that led to a payment for an automobile company |
https://www.itmedia.co.jp/news/articles/2105/17/news043.html
|
itmedia |
2021-05-17 00:25:00 |
python |
New posts tagged Python - Qiita |
A program for shooting videos continuously (.py) |
https://qiita.com/wanko-soba/items/ffde1caddd96b65515b1
|
So I wanted to write a program that removes the need for those operations and makes the whole thing more efficient and easier to use. |
2021-05-17 00:55:03 |
js |
New posts tagged JavaScript - Qiita |
An amateur built a resume-creation web app over Golden Week |
https://qiita.com/bonji/items/dab124e871a1a154beb6
|
The created resume can be output as HTML, as PDF, or printed. |
2021-05-17 00:47:03 |
Program |
New questions [all tags] | teratail |
How to investigate a suspicious site: WHOIS, and hiding the IP and other information behind Cloudflare |
https://teratail.com/questions/338676?rss=all
|
[Question 1] Looking up the domain, the WHOIS information comes out as follows. |
2021-05-17 00:45:27 |
Program |
New questions [all tags] | teratail |
File picker on Android 11 |
https://teratail.com/questions/338675?rss=all
|
File picker on Android. Thanks in advance for your help. |
2021-05-17 00:35:39 |
Program |
New questions [all tags] | teratail |
Java: why writing multiple public classes in one file causes an error |
https://teratail.com/questions/338674?rss=all
|
|
2021-05-17 00:35:28 |
Program |
New questions [all tags] | teratail |
CORS error with Ajax after updating to Cordova 10 |
https://teratail.com/questions/338673?rss=all
|
CORS error with Ajax after updating to Cordova. Overview: it was working on Cordova [version missing], but after upgrading to Cordova [version missing] it stopped working. |
2021-05-17 00:21:04 |
Program |
New questions [all tags] | teratail |
About problem A of the 05/16 AtCoder Regular Contest |
https://teratail.com/questions/338672?rss=all
|
About problem A of the AtCoder Regular Contest: this was my first time doing competitive programming. |
2021-05-17 00:18:21 |
Program |
New questions [all tags] | teratail |
[Java] I don't understand the behaviour of a method that takes a lambda expression (functional interface) as an argument |
https://teratail.com/questions/338671?rss=all
|
[Java] I don't understand the behaviour of a method that takes a lambda expression (functional interface) as an argument. |
2021-05-17 00:13:42 |
Program |
New questions [all tags] | teratail |
I can't find a way to send push notifications from VBA, even after googling. |
https://teratail.com/questions/338670?rss=all
|
notification |
2021-05-17 00:05:02 |
Ruby |
New posts tagged Ruby - Qiita |
Original app development [displaying the top page] |
https://qiita.com/kyohhh/items/22a0ca6656d9ffe96400
|
Since the controller name was specified as top in the routing set up earlier, we will now create the top controller. |
2021-05-17 00:00:35 |
AWS |
New posts tagged AWS - Qiita |
File synchronization between servers using lsyncd and rsync |
https://qiita.com/latin1/items/842074412c9b4c9c5279
|
File synchronization between servers using lsyncd and rsync. Introduction: we use lsyncd and rsync to synchronize files across [number missing] servers built on AWS. |
2021-05-17 00:03:20 |
Git |
New posts tagged Git - Qiita |
Interacting with GitHub repositories |
https://qiita.com/ny3line/items/7e07bc3477d70bc7f943
|
Interacting with GitHub repositories. Commands used when interacting with GitHub.

To check the configured remotes: git remote (displays the remote names); git remote -v (also displays the corresponding URLs).

Command used when you have multiple repositories: git remote add <remote name> <remote URL>. Example: git remote add tutorial <URL> registers the remote repository at <URL> under the shortcut "tutorial". The procedure is to go to your own GitHub home page and create a new repository. It is commonly used as a remote repository for backups, or when you want to develop in a separate repository.

How to get information from a remote: there are broadly two methods, and it is important to use them appropriately; getting this wrong can cause real trouble, so use them with care.

Fetching with fetch: git fetch <remote name>, e.g. git fetch origin. The point to be careful about is that this command only brings information from the remote repository down into the local repository; the working tree is not affected at all. In practice it is stored in the local repository under remotes/<remote name>/<branch name>.

When you want to reflect the local repository's information in the working tree, method 1, merge: git merge <remote name>/<branch name>, e.g. git merge origin/master. This merges the information from the master branch of the origin repository. If you want to check the contents, commands such as ls or cat are enough.

When you want to reflect the local repository's information in the working tree, method 2, pull: git pull <remote name> <branch name>, e.g. git pull origin master. The arguments can be omitted, so plain git pull also works. Note that pull runs the following two commands in one go: git fetch origin master, then git merge origin/master.

Basically it is better to use fetch, because pull's behaviour is peculiar. Let's assume there are currently two branches, master and hoge. |
2021-05-17 00:32:27 |
Ruby |
New posts tagged Rails - Qiita |
Original app development [displaying the top page] |
https://qiita.com/kyohhh/items/22a0ca6656d9ffe96400
|
Since the controller name was specified as top in the routing set up earlier, we will now create the top controller. |
2021-05-17 00:00:35 |
Tech blog |
Developers.IO |
[Report] Introduction to continuous integration / continuous delivery (CI/CD) with AWS services #AWS-30 #AWSSummit |
https://dev.classmethod.jp/articles/awssummit-2021-aws-30/
|
aws awssummit |
2021-05-16 15:30:53 |
Overseas TECH |
DEV Community |
Getting started with Next.js + Strapi: Security first |
https://dev.to/rubenmarcus/getting-started-with-next-js-strapi-security-first-3380
|
Getting started with Next.js + Strapi: Security first

Why worry about security? Before looking at Strapi's Content Types and at the Next.js file and route structure, it is worth discussing security. It is a concern that often does not get due attention in some teams, and one that can carry a very high cost once a project goes into production. This article is another introductory article on the Next.js + Strapi stack; we will also cover TypeScript, data fetching, layouts, CI/CD and deployment, but first of all security. Below we discuss the most common security errors in web applications and how to mitigate or fix them in a Strapi + Next.js application.

XSS / CSRF. XSS, or cross-site scripting, is a technique for injecting code into our application to get around its security and, for example, hijack data or manipulate a user's session. CSRF, or cross-site request forgery, is when someone uses a forged request, whether sent from Postman or from a browser, to reach our back end and, for example, delete user data or steal session data, credit card details, addresses and so on.

Clickjacking. Pages that trick the user into typing data which ends up being sent to someone who uses it maliciously, or pages that carry malware or exploits and install them on the user's machine.

Common vulnerabilities in REST APIs:
DoS & DDoS (denial of service): an attacker who wants to take down an API, application or website can fire bulk requests at that API or endpoint.
Exposure of sensitive information: exposing sensitive user data in our API, especially unencrypted: IDs, emails, addresses, payment information, etc.
MITM (man-in-the-middle) attacks: an attacker intercepts the client-server communication with the intention of stealing data.
SQL injection: injected input that changes the expected behaviour of the API and the database; through an injection an attacker can steal information, break the API or change how it operates.
Insecure direct object references: when you expose an API with endpoints like user/{id} and a user who requests an ID that does not belong to them succeeds, you are exposing direct references to insecure objects.

Common vulnerabilities in GraphQL APIs:
Schema exposure: if your GraphQL API is public, a query like the following lets anyone who uses it see the entire schema of your API:

```graphql
query {
  __schema {
    types {
      name
      fields {
        name
      }
    }
  }
}
```

Malicious queries: attackers can build malicious queries to steal data, corrupt your database or bring down your API server.
Brute force: to avoid attackers brute-forcing the data in your GraphQL API you can use plugins like graphql-rate-limit, which limits how many times the vulnerable fields of your query can be executed within a time interval.

How to avoid all this

On Strapi. Understanding the Strapi configuration file and its security: Strapi has rich documentation showing how to secure the CMS. It has configuration for XSS, P3P, HSTS, X-Frame-Options (clickjacking), CORS (very useful to define which domains can access your application and which headers can be exposed) and IP (which IPs can or cannot see your application).
Credential injection: use a .env file to avoid embedding credentials in the middle of your code.
Validation: you can create a middleware to validate that your application data already exists and will not be duplicated, or use a library like Joi to validate your API fields; Strapi also has some native validations that you can define in your API models (only if you use MongoDB).
Roles & permissions: ideally, write documentation for your API stating which permissions and endpoints you will enable, so that you do not make the mistake of allowing everything and putting your API data at risk.
Policies: you can set your API's policies directly in Strapi's code, through config/policies for global policies and api/<api-name>/config/policies for local endpoints. It is an extra layer of security for your Strapi application. To set policies with GraphQL, Strapi's documentation has a page dedicated to that.
Data leaks: you can set the private: true parameter on an attribute in your API model to stop its value from being accessible to anyone; see Strapi's documentation for details.
JWT: you can require the user to be logged in, using a JWT, to access sensitive endpoints of your application.
Exposure of sensitive information: Strapi lets you edit the controllers to decide which information can be accessed in calls to the endpoints; you can delete certain fields and parameters from the results.

In GraphQL. DoS (denial of service): you need to limit your queries. A malicious actor who discovers your GraphQL API can mount a series of queries that overload your server. There is a great article on the Apollo blog that covers some malicious query cases and how to avoid them.
Setting policies for queries: you have to customize the schema of your GraphQL API, setting the desired policies to control who can access what in your API and how.
Unauthorized access: you need to disable the GraphQL Playground (already disabled in the production version of Strapi; you can disable it for other environments as well). Your GraphQL endpoint is then served not by a route but by middleware, so it is necessary to create a new middleware which checks whether the requested endpoint is /graphql and whether the authenticated user is the one we want:

```javascript
module.exports = (strapi) => {
  return {
    initialize() {
      strapi.app.use(async (ctx, next) => {
        const handleErrors = (ctx, err = undefined, type) => {
          if (ctx.request.graphql === null) {
            return (ctx.request.graphql = strapi.errors[type](err));
          }
          return ctx[type](err);
        };

        // check if it's a graphql request
        if (ctx.request.url === '/graphql' && ctx.request.method === 'POST') {
          if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
            try {
              // get token data
              const { id } = await strapi.plugins['users-permissions'].services.jwt.getToken(ctx);

              if (id === undefined) {
                throw new Error('Invalid token: Token did not contain required fields');
              }

              // check if the id matches the user you want (my_user_id is a placeholder for that user's id)
              if (id !== my_user_id) {
                return handleErrors(ctx, 'You are not authorized to access to the GraphQL API', 'unauthorized');
              }
            } catch (err) {
              return handleErrors(ctx, err, 'unauthorized');
            }
          } else {
            // if not authenticated, return an error
            return handleErrors(ctx, 'You need to be authenticated to request GraphQL API', 'unauthorized');
          }
        }

        await next();
      });
    },
  };
};
```

To be authenticated you need to send a JWT in the header; see Strapi's authentication documentation for how to do it.

In Next.js. Validating fields: validation of form fields is not only used to guide your users but also to guarantee the integrity of the information transmitted from the client to the server. This prevents a series of malicious inputs from reaching our services. The user can still try to manipulate the data by editing the HTML in DevTools, but that is another problem.
CSRF: sending the Content-Type: application/json header in our requests stops our application from using simple requests and protects against such attacks.
XSS: a guide linked from the original post lists rules worth following when developing our front-end application so as not to have security and XSS headaches afterwards. A Next.js plugin also helps implement XSS protection, helping the browser sanitize vulnerable areas of your application.
Security headers & clickjacking: using X-Frame-Options: DENY or SAMEORIGIN you prevent third parties from running your Next.js application inside a frame. The next-secure-headers plugin helps with that; besides frameGuard it also implements xssProtection, contentSecurityPolicy, nosniff, noopen, forceHTTPSRedirect, referrerPolicy and expectCT.
JWT & rolling tokens: you can implement JWT authentication for your app to guarantee the integrity of your API and access to it (a good tutorial on this is linked from the original post). NextAuth.js is a plugin that helps with security in the authentication of your Next.js app.

SSL. One step before publishing our site for production is to set our domain and server up for HTTPS. HTTPS protects our requests from man-in-the-middle attacks and is also crucial for SEO, as it affects Google's ranking. Some ways to get free SSL certificates for your website: Let's Encrypt, SSL For Free, AWS Certificate Manager, ZeroSSL, Cloudflare SSL.

API caching. Although a performance concern as much as a security one, API caching can be recommended so that your site keeps working even in offline environments; for dynamic data it is not recommended, only for data that does not change constantly. This is a topic that deserves an article of its own; if you want to know more, I recommend: web.dev Cache API Quick Guide, Amazon API Gateway API Caching, Using Cloudflare with your API, GraphQL Caching.

Strapi's security roadmap. The Strapi team is planning features that can help with security in future releases (see their Product Board). There we see planned features such as 2FA (two-factor authentication), rolling JWT tokens, SSO (Google, Twitter, Facebook, GitHub, among others), and, already being tested, permissions and rules per user and field-level permissions.

Checking tools. Some sites and tools on the web test how secure our application is:
Sentry: a tool for monitoring web app errors. It supports several technologies and platforms, integrates easily with GraphQL, Strapi or Next.js, and has a free version for developers.
Sqreen: a web application security monitoring platform. It brings real-time data on potential exploits and protects you from attacks and malicious activity. Strapi supports Sqreen: first create a Sqreen trial account, second set up your organization on the Sqreen dashboard, third set up Sqreen on Strapi. In Next.js you can also use Sqreen, but the configuration is a little more involved: create a Sqreen trial account, set up your organization on the Sqreen dashboard, configure Next.js to use a custom server, then configure Sqreen for Node.js.
LGTM: an open-source tool used by major players such as Google, Microsoft, NASA and Dell, which checks for vulnerabilities in your code through a repository on GitHub or Bitbucket. It has an automatic code review tool and is very powerful: it has alerts to warn you about problems in the code, plus comparisons and history.
SonarCloud: SonarQube is a very powerful tool that not only checks for bugs and vulnerabilities in your code but also parameters like maintainability, test coverage, code smells and code duplication; it analyzes your code and can block a PR/MR on GitHub, GitLab, Azure DevOps or Bitbucket if it does not reach the expected code quality. SonarCloud also has an IDE plugin that checks in real time.
Mozilla Observatory: a Mozilla tool that gives insights into the security of your website.
DigiCert SSL Tools: checks your SSL certificate data and shows possible vulnerabilities, the certificate chain and the server configuration.
Qualys SSL Labs: a tool somewhat more complete than DigiCert's.
Pentest Tool Website Vulnerability scanner: checks for SQL injection, XSS, file inclusion and remote command execution; it is paid, however.
Sucuri SiteCheck: Sucuri is well known in the world of web security. It detects whether your site is blacklisted on Google, whether it has unsafe links, and other security parameters.

Well guys, thanks if you got here and had the patience. The intention was to give you a general idea of how to mitigate and solve various security and vulnerability problems in web applications with Next.js and Strapi before we start using the stack. The concepts mentioned here can be applied and verified in any web application, not only with Node.js and JavaScript/TypeScript but with other languages that use REST or GraphQL APIs. This is a very extensive subject that could yield several articles, but I tried to summarize it in this one.

References: Strapi Vulnerabilities; Vulnerabilities in Next.js; Cross Site Scripting Prevention Cheat Sheet; Clickjacking; Securing your GraphQL API from Malicious Queries; GraphQL NoSQL Injection through JSON Types; GraphQL Injection |
2021-05-16 15:03:00 |
Overseas news |
Japan Times latest articles |
Objections from experts forced Suga to take a U-turn on virus emergency |
https://www.japantimes.co.jp/news/2021/05/16/national/suga-about-face-state-emergency/
|
minister |
2021-05-17 01:53:24 |
Overseas news |
Japan Times latest articles |
Tougher COVID-19 steps begin in six prefectures amid virus surge |
https://www.japantimes.co.jp/news/2021/05/16/national/coronavirus-emergency-quasi-japan/
|
Tougher COVID-19 steps begin in six prefectures amid virus surge: Hokkaido, Okayama and Hiroshima prefectures joined the state of emergency, while quasi-emergency measures were expanded to Gunma, Ishikawa and Kumamoto prefectures. |
2021-05-17 01:55:43 |
Overseas news |
Japan Times latest articles |
Taiwan and Singapore, COVID-19 success stories, face threats |
https://www.japantimes.co.jp/news/2021/05/16/asia-pacific/singapore-taiwan-restrictions/
|
Taiwan and Singapore, COVID-19 success stories, face threats: The regression of COVID-19 control progress shows the difficulty of sustaining a virus-free environment, especially when a low level of threat made locals reluctant to |
2021-05-17 00:42:12 |
Overseas news |
Japan Times latest articles |
Rainy season in western Japan arrives earlier than ever |
https://www.japantimes.co.jp/news/2021/05/16/national/rainy-season-record-start/
|
season |
2021-05-17 00:36:22 |
Overseas news |
Japan Times latest articles |
Government panel warns of widening gender gap in Japan due to pandemic |
https://www.japantimes.co.jp/news/2021/05/16/national/social-issues/gender-gap-growing-pandemic/
|
Government panel warns of widening gender gap in Japan due to pandemic: In a report, the panel of experts said the crisis has led to an increase in domestic violence cases and suicides among women, while also |
2021-05-17 00:18:47 |
Overseas news |
Japan Times latest articles |
Kagoshima struggles to capitalize on matcha might despite being top producer |
https://www.japantimes.co.jp/life/2021/05/16/food/kagoshima-green-tea/
|
Kagoshima struggles to capitalize on matcha might despite being top producer: Despite official figures showing the area has overtaken Shizuoka Prefecture in terms of production, it is still working on nationwide appeal. |
2021-05-17 02:00:25 |
Overseas news |
Japan Times latest articles |
Regulators may be doing Alibaba a favor after all |
https://www.japantimes.co.jp/opinion/2021/05/16/commentary/world-commentary/regulators-do-alibaba-a-favor/
|
Regulators may be doing Alibaba a favor after all: Of great concern is that this core business once again contributed all of the operating profit, because the rest of Alibaba's divisions remain a drag. |
2021-05-17 00:57:08 |
Overseas news |
Japan Times latest articles |
Russia’s bear economy |
https://www.japantimes.co.jp/opinion/2021/05/16/commentary/world-commentary/russia-economy-vladimir-putin-sanctions-gdp/
|
russia |
2021-05-17 00:53:23 |
News |
BBC News - Home |
Covid: Increasing confidence jabs work against Indian variant |
https://www.bbc.co.uk/news/uk-57134181
|
hancock |
2021-05-16 15:33:05 |
News |
BBC News - Home |
Israel Gaza conflict: Deaths mount in Gaza as UN meeting begins |
https://www.bbc.co.uk/news/world-middle-east-57131272
|
emergency |
2021-05-16 15:04:46 |
News |
BBC News - Home |
Heysham explosion: Child dies and four adults injured in Lancashire blast |
https://www.bbc.co.uk/news/uk-england-lancashire-57132505
|
early |
2021-05-16 15:10:23 |
News |
BBC News - Home |
Princess Diana: BBC postpones Panorama film on interview with Martin Bashir |
https://www.bbc.co.uk/news/uk-57135567
|
issue |
2021-05-16 15:18:48 |
News |
BBC News - Home |
Eurovision 2021: How this year's acts are aiming for a Covid-safe contest |
https://www.bbc.co.uk/news/newsbeat-57079037
|
rotterdam |
2021-05-16 15:21:29 |
News |
BBC News - Home |
Tottenham boost European hopes with win over Wolves |
https://www.bbc.co.uk/sport/football/57044630
|
wolves |
2021-05-16 15:46:39 |
News |
BBC News - Home |
Covid-19 in the UK: How many coronavirus cases are there in your area? |
https://www.bbc.co.uk/news/uk-51768274
|
cases |
2021-05-16 15:22:39 |
Hokkaido |
Hokkaido Shimbun |
Producer Takaharu Sawada dies; known for "Tenamonya Sandogasa" |
https://www.hokkaido-np.co.jp/article/544492/
|
Takaharu Sawada |
2021-05-17 00:09:00 |
News |
THE BRIDGE |
South America seed-focused "BVC" holds first close of its second fund; new portfolio companies include a digital restaurant and a neobank |
http://feedproxy.google.com/~r/SdJapan/~3/V2XroaMwFwE/brazil-venture-capital-2nd-fund-first-close
|
South America seed-focused "BVC" holds first close of its second fund; new portfolio companies include a digital restaurant and a neobank. Startup investment in Brazil in [year missing] reached [figure missing] hundred million US dollars, up roughly [figure missing] tenths year on year, and the number of unicorns in [year missing] rose by [figure missing] from the previous year to [figure missing]. |
2021-05-16 15:30:04 |