Translate security section helmet #47
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stanleyyylau
changed the title
S1ngS1ng
suggested changes
Aug 3, 2018
| "Modern browsers can help mitigating the risk by adopting better software strategies. Often these are configurable via http headers.", | ||
| "The X-XSS-Protection HTTP header is a basic protection. The browser detects a potential injected script using a heuristic filter. If the header is enabled, the browser changes the script code, neutralizing it.", | ||
| "It still has limited support." | ||
| "跨站脚本 (XSS) 是一种常见的攻击手段,可以通过页面上的安全漏洞给页面注入恶意脚本, 从而达到获取用户密码等敏感信息。", |
There was a problem hiding this comment.
逗号和括号改成全角的
从而达到获取用户密码等敏感信息 可以说:
从而获取用户密码等敏感信息
或
从而达到获取用户密码等敏感信息的目的
| "The X-XSS-Protection HTTP header is a basic protection. The browser detects a potential injected script using a heuristic filter. If the header is enabled, the browser changes the script code, neutralizing it.", | ||
| "It still has limited support." | ||
| "跨站脚本 (XSS) 是一种常见的攻击手段,可以通过页面上的安全漏洞给页面注入恶意脚本, 从而达到获取用户密码等敏感信息。", | ||
| "防止跨站脚本的基本原则也非常简单:“永远不要相信用户的输入”。作为一个开发者,你应该对所有用户的输入进行审查。这包括来自表单,GET 请求 URL,以及 POST 请求主体内容的数据。审查就是指你应该查找并给有潜在风险的字符进行编码。 例如 ``<`` ``,`` ``>``", |
There was a problem hiding this comment.
去掉句号之后多余的空格。
后面“例如”那部分,不能用 markdown syntax,页面没法 render。
例如<code><</code>和<code>></code>
| "跨站脚本 (XSS) 是一种常见的攻击手段,可以通过页面上的安全漏洞给页面注入恶意脚本, 从而达到获取用户密码等敏感信息。", | ||
| "防止跨站脚本的基本原则也非常简单:“永远不要相信用户的输入”。作为一个开发者,你应该对所有用户的输入进行审查。这包括来自表单,GET 请求 URL,以及 POST 请求主体内容的数据。审查就是指你应该查找并给有潜在风险的字符进行编码。 例如 ``<`` ``,`` ``>``", | ||
| "现代浏览器可以通过更好的软件策略来减低这种风险。通常我们可以通过配置 HTTP 头部来达到这个目的", | ||
| "``X-XSS-Protection`` 这个 HTTP 头部是最基本的防护措施。 浏览器通过启发式过滤器检测到可能有被注入的恶意脚本,这个时候,如果你的头部有``X-XSS-Protection`` 浏览器就会通过改变这个潜在的恶意注入脚本来抵消风险。", |
There was a problem hiding this comment.
去掉句号之后的空格。
同上。这里也许要用 <code> 包起来
| "It still has limited support." | ||
| "跨站脚本 (XSS) 是一种常见的攻击手段,可以通过页面上的安全漏洞给页面注入恶意脚本, 从而达到获取用户密码等敏感信息。", | ||
| "防止跨站脚本的基本原则也非常简单:“永远不要相信用户的输入”。作为一个开发者,你应该对所有用户的输入进行审查。这包括来自表单,GET 请求 URL,以及 POST 请求主体内容的数据。审查就是指你应该查找并给有潜在风险的字符进行编码。 例如 ``<`` ``,`` ``>``", | ||
| "现代浏览器可以通过更好的软件策略来减低这种风险。通常我们可以通过配置 HTTP 头部来达到这个目的", |
There was a problem hiding this comment.
| "防止跨站脚本的基本原则也非常简单:“永远不要相信用户的输入”。作为一个开发者,你应该对所有用户的输入进行审查。这包括来自表单,GET 请求 URL,以及 POST 请求主体内容的数据。审查就是指你应该查找并给有潜在风险的字符进行编码。 例如 ``<`` ``,`` ``>``", | ||
| "现代浏览器可以通过更好的软件策略来减低这种风险。通常我们可以通过配置 HTTP 头部来达到这个目的", | ||
| "``X-XSS-Protection`` 这个 HTTP 头部是最基本的防护措施。 浏览器通过启发式过滤器检测到可能有被注入的恶意脚本,这个时候,如果你的头部有``X-XSS-Protection`` 浏览器就会通过改变这个潜在的恶意注入脚本来抵消风险。", | ||
| "这个头部目前的支持还不是特别好。" |
| @@ -90,11 +90,11 @@ | |||
| "title": "Avoid Inferring the Response MIME Type with helmet.noSniff()", | |||
| "description": [ | |||
| "温馨提醒,本项目在 <a href='https://glitch.com/#!/import/github/freeCodeCamp/boilerplate-infosec/'>这个 Glitch 项目</a> 的基础上进行开发。你也可以从 <a href='https://github.com/freeCodeCamp/boilerplate-infosec/'>GitHub</a> 上克隆。", | |||
| "Browsers can use content or MIME sniffing to adapt to different datatypes coming from a response. They override the Content-Type headers to guess and process the data. While this can be convenient in some scenarios, it can also lead to some dangerous attacks. This middleware sets the X-Content-Type-Options header to nosniff. This instructs the browser to not bypass the provided Content-Type." | |||
| "浏览器可以通过探查 ``content`` 或者 ``MIME`` 头部来判断不同的响应内容。这两个的优先级比 ``Content-Type`` 还高,浏览器可以通过这两个头部来猜测并处理响应。这个在某些情况下非常实用,但也会造成一定的潜在风险。我们可以通过中间件来设置 ``X-Content-Type-Options`` 头部为 ``nosniff``。 这样,浏览器就不会绕过 ``Content-Type`` 这个头了。" | |||
| @@ -108,11 +108,11 @@ | |||
| "title": "Prevent IE from Opening Untrusted HTML with helmet.ieNoOpen()", | |||
| "description": [ | |||
| "温馨提醒,本项目在 <a href='https://glitch.com/#!/import/github/freeCodeCamp/boilerplate-infosec/'>这个 Glitch 项目</a> 的基础上进行开发。你也可以从 <a href='https://github.com/freeCodeCamp/boilerplate-infosec/'>GitHub</a> 上克隆。", | |||
| "Some web applications will serve untrusted HTML for download. Some versions of Internet Explorer by default open those HTML files in the context of your site. This means that an untrusted HTML page could start doing bad things in the context of your pages. This middleware sets the X-Download-Options header to noopen. This will prevent IE users from executing downloads in the trusted site’s context." | |||
| "有些网站会下载不安全的 HTML 文件,某些版本的 IE 默认情况下还会在你网站的作用域下打开这些 HTML 文件。换句话说,这些不安全的 HTML 页面可以在你的网站做恶意行为。我们可以通过中间件来设置 ``X-Download-Options`` 头部为 ``noopen``。这样就可以防治 IE 在不信任的网站下执行下载的文件。" | |||
There was a problem hiding this comment.
可以在你的网站做恶意行为 => 可以对你的网站执行恶意操作
S1ngS1ng
added
the
need update
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
翻译章节
《信息安全和质量保证——Helmet》
变更文件
information-security-with-helmet.json
information-security-with-helmet.md
翻译进度
35%
0%