Data sent over SSL (HTTPS) is fully encrypted, headers included (hence cookies), only the Host you are sending the request to is not encrypted. It also means that the GET request is encrypted (the rest of the URL).

Although an attacker could force a client to respond over HTTP, so it is highly recommended to use the &quot;Secure&quot; flag in your cookie, which enforce the use of HTTPS to send cookies.

Also, using the flag HTTPOnly would greatly enhance the security of your site since it does not allow Cookies to be read with Javascript code (Mitigating potential XSS vulnerabilities).

SSL encrypts the entire HTTP session, including headers.

That is why they renamed it TLS for &quot;Transport Layer Security&quot;.  The &quot;Transport Layer&quot; sits below the &quot;Application Layer&quot; (among others) in the network stack.

So yes.


&gt; **Possible Duplicates:**  
&gt; [Objective-C - float checking for nan](https://stackoverflow.com/questions/3471988/objective-c-float-checking-for-nan)  
&gt; [Determine if NSNumber is NaN](https://stackoverflow.com/questions/719417/determine-if-nsnumber-is-nan)  

&lt;!-- End of automatically inserted text --&gt;

I have a problem with NaN values in CGFloat, how can I check if the number is valid?

the only way so far that works is:

    if ([[NSString stringWithFormat:@&quot;%f&quot;, output] isEqualToString:@&quot;nan&quot;]) {
	    output = 0;
    }

which is not a nice solution at all! :) ... and I am pretty sure that there is something else I should do instead.


How to check for NaN value in Objective-C (iOS)

In Husdon/Jenkins, I can setup notifications when the build is broken to email the user(s) that made the checkins that broke the build. How do I do this in Teamcity?

I am aware that individual users can setup email notifications for themselves via the Teamcity interface (for when the build is broken), but I ONLY want emails sent to the users that broke the build, also I don&#39;t want the requirement that every individual user have to update their Teamcity settings. 



Email user that broke build in Teamcity

A review of SO doesn&#39;t categorically answer this question. It could be implied, but I would like to get it on the record specifically.

If SSL is active, it will encrypt HTTP header data, like &quot;set-cookie&quot; ? I know about &quot;setSecure&quot; to only transmit cookie&#39;s if HTTPS is active, but if SSL is active I would like to confirm if all header data is encrypted by default without the need to use &quot;setSecure&quot;.

Does SSL also encrypt cookies?

<p>A review of SO doesn't categorically answer this question. It could be implied, but I would like to get it on the record specifically.</p>
<p>If SSL is active, it will encrypt HTTP header data, like "set-cookie" ? I know about "setSecure" to only transmit cookie's if HTTPS is active, but if SSL is active I would like to confirm if all header data is encrypted by default without the need to use "setSecure".</p>


I have a service that does some work on an HttpServletRequest object, specifically using the request.getParameterMap and request.getParameter to construct an object.

I was wondering if there is a straightforward way to take a provided url, in the form of a string, say 

    String url = &quot;http://www.example.com/?param1=value1&amp;param&quot;;

and easily convert it to a HttpServletRequest object so that I can test it with my unit tests? Or at least just so that request.getParameterMap and request.getParameter work correctly?

Creating a mock HttpServletRequest out of a url string?

Everything works fine, but only if file is small, about 1MB, when I tried it with bigger files, like 20MB my browser display it, instead of force to download, I tried many headers so far, now my code looks:

    PrintWriter out = response.getWriter();
    String fileName = request.getParameter(&quot;filename&quot;);
    
    File f= new File(fileName);
    
    InputStream in = new FileInputStream(f);
    BufferedInputStream bin = new BufferedInputStream(in);
    DataInputStream din = new DataInputStream(bin);
    
    while(din.available() &gt; 0){
        out.print(din.readLine());
        out.print(&quot;\n&quot;);
    }
    
    response.setContentType(&quot;application/force-download&quot;);
    response.setContentLength((int)f.length());
    response.setHeader(&quot;Content-Transfer-Encoding&quot;, &quot;binary&quot;);
    response.setHeader(&quot;Content-Disposition&quot;,&quot;attachment; filename=\&quot;&quot; + &quot;xxx\&quot;&quot;);//fileName);

    
    in.close();
    bin.close();
    din.close();


How to force browser to download file?

In my application, I had a servlet which was defined like this in the *web.xml*:

&lt;!-- language: lang-xml --&gt;

    &lt;servlet&gt;
		&lt;display-name&gt;Notification Servlet&lt;/display-name&gt;
		&lt;servlet-name&gt;NotificationServlet&lt;/servlet-name&gt;
		&lt;servlet-class&gt;com.XXX.servlet.NotificationServlet&lt;/servlet-class&gt;
		&lt;load-on-startup&gt;1&lt;/load-on-startup&gt;
	&lt;/servlet&gt;
	&lt;servlet-mapping&gt;
		&lt;servlet-name&gt;NotificationServlet&lt;/servlet-name&gt;
		&lt;url-pattern&gt;/notification/*&lt;/url-pattern&gt;
	&lt;/servlet-mapping&gt;

After moving to use Tomcat 7, I would like to use the `@WebServlet` annotation that will do the job.  
Here is the way I did it:

    @WebServlet( name=&quot;NotificationServlet&quot;, displayName=&quot;Notification Servlet&quot;, urlPatterns = {&quot;/notification&quot;}, loadOnStartup=1)
    public class NotificationServlet extends HttpServlet {


And it does not work.
Could someone please tell me what I did wrong?


@WebServlet annotation with Tomcat 7

If we define webapp specific servlet filters in WAR&#39;s own `web.xml`, then the order of execution of the filters will be the same as the order in which they are defined in the `web.xml`.

But, if we define those filters using `@WebFilter` annotation, what is the order of execution of filters, and how can we determine the order of execution?

How to define servlet filter order of execution using annotations in WAR

Using a Java-based back-end (i.e., servlets and JSP), if I need the contextPath from JavaScript, what is the recommended pattern for doing that, any why?  I can think of a few possibilities.  Am I missing any?

**1. Burn a SCRIPT tag into the page that sets it in some JavaScript variable**

    &lt;script&gt;var ctx = &quot;&lt;%=request.getContextPath()%&gt;&quot;&lt;/script&gt;

This is accurate, but requires script execution when loading the page.

**2. Set the contextPath in some hidden DOM element**

    &lt;span id=&quot;ctx&quot; style=&quot;display:none;&quot;&gt;&lt;%=request.getContextPath()%&gt;&lt;/span&gt;

This is accurate, and doesn&#39;t require any script execution when loading the page.  But you do need a DOM query when need to access the contextPath.  The result of the DOM query can be cached if you care that much about performance.

**3. Try to figure it out within JavaScript by examining `document.URL` or the BASE tag**

    function() {
        var base = document.getElementsByTagName(&#39;base&#39;)[0];
        if (base &amp;&amp; base.href &amp;&amp; (base.href.length &gt; 0)) {
            base = base.href;
        } else {
            base = document.URL;
        }
        return base.substr(0,
            base.indexOf(&quot;/&quot;, base.indexOf(&quot;/&quot;, base.indexOf(&quot;//&quot;) + 2) + 1));
    };

This doesn&#39;t require any script execution when loading the page, and you can also cache the result if necessary.  But this only works if you know your context path is a single directory -- as opposed to the root directory (`/`) or the multiple directories down (`/mypath/iscomplicated/`).

**Which way I&#39;m leaning**

I&#39;m favoring the hidden DOM element, because it doesn&#39;t require JavaScript code execution at the load of the page.  Only when I need the contextPath, will I need to execute anything (in this case, run a DOM query).

How do you get the contextPath from JavaScript, the right way?

I have been reading on HTTPS, trying to figure out how exactly it works. To me it doesn&#39;t seem to make sense, for example, I was reading this

https://ssl.trustwave.com/support/support-how-ssl-works.php

And notice it says this in the page

&gt; Step 4: xyz.com will next create a
&gt; unique hash and encrypt it using both
&gt; the customer&#39;s public key and
&gt; xyz.com&#39;s private key, and send this
&gt; back to the client.
&gt;
&gt; Step 5: Customer&#39;s browser will decrypt the hash. This process shows
&gt; that the xyz.com sent the hash and
&gt; only the customer is able to read it.

What I don&#39;t understand is, couldn&#39;t a hacker just intercept the public key it sends back to the &quot;customer&#39;s browser&quot;, and be able to decrypt anything the customer can?

Thanks for any response

How exactly HTTPS (ssl) works

I understand that the keystore would usually hold private/public keys and the trust store only public keys (and represents the list of trusted parties you intend to communicate with). Well, that&#39;s my first assumption, so if that&#39;s not correct, I probably haven&#39;t started very well...

**I was interested though in understanding how / when you distinguish the stores when using keytool.**

So, far I&#39;ve created a keystore using

    keytool -import -alias bob -file bob.crt -keystore keystore.ks

which creates my keystore.ks file. I answer `yes` to the question do I trust bob but it is unclear to me if this has created a keystore file or a truststore file? I can set up my application to use the file as either.

    -Djavax.net.ssl.keyStore=keystore.ks -Djavax.net.ssl.keyStorePassword=x
    -Djavax.net.ssl.trustStore=keystore.ks -Djavax.net.ssl.trustStorePassword=x

and with `System.setProperty( &quot;javax.net.debug&quot;, &quot;ssl&quot;)` set, I can see the certificate under trusted certifications (but not under the keystore section). The particular certificate I&#39;m importing has only a public key and I intend to use it to send stuff over an SSL connection to Bob (but perhaps that&#39;s best left for another question!).

Any pointers or clarifications would be much appreciated. Is the output of keytool the same whatever you import and its just convention that says one is a keystore and the other a trust store? What&#39;s the relationship when using SSL etc?

Trust Store vs Key Store - creating with keytool

I have a problem with authorized SSL connection. I have created Struts Action that connects to external server with Client Authorized SSL certificate. In my Action I am trying to send some data to bank server but without any luck, because I have as a result from server the following error: 

    error: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

My Method from my Action class that sends data to server

    //Getting external IP from host
        URL whatismyip = new URL(&quot;http://automation.whatismyip.com/n09230945.asp&quot;);
        BufferedReader inIP = new BufferedReader(new InputStreamReader(whatismyip.openStream()));

        String IPStr = inIP.readLine(); //IP as a String

        Merchant merchant;

        System.out.println(&quot;amount: &quot; + amount + &quot;, currency: &quot; + currency + &quot;, clientIp: &quot; + IPStr + &quot;, description: &quot; + description);

        try {

            merchant = new Merchant(context.getRealPath(&quot;/&quot;) + &quot;merchant.properties&quot;);

        } catch (ConfigurationException e) {

            Logger.getLogger(HomeAction.class.getName()).log(Level.INFO, &quot;message&quot;, e);
            System.err.println(&quot;error: &quot; + e.getMessage());
            return ERROR;
        }

        String result = merchant.sendTransData(amount, currency, IPStr, description);

        System.out.println(&quot;result: &quot; + result);

        return SUCCESS;

My merchant.properties file:

    bank.server.url=https://-servernameandport-/
    https.cipher=-cipher-

    keystore.file=-key-.jks
    keystore.type=JKS
    keystore.password=-password-
    ecomm.server.version=2.0

    encoding.source=UTF-8
    encoding.native=UTF-8

For the first time I thought this is a certificate problem, I converted it from .pfx to .jks, but I have the same error, with no changes.


Received fatal alert: handshake_failure through SSLHandshakeException

I am using [XAMPP](http://www.apachefriends.org) for development. Recently I upgraded my installation of xampp from an old version to 1.7.3. 

Now when I curl HTTPS enabled sites I get the following exception

&gt; Fatal error: Uncaught exception &#39;RequestCore_Exception&#39; with message
&gt; &#39;cURL resource: Resource
&gt;     id #55; cURL error: SSL certificate problem, verify that the CA cert is OK. Details:
&gt;     error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (60)&#39;

Everyone suggest using some specific curl options from PHP code to fix this problem. I think this shouldn&#39;t be the way. Because I didn&#39;t have any problem with my old version of XAMPP and happened only after installing the new version. 

I need help to figure out what settings change in my PHP installation, Apache etc can fix this problem.


HTTPS and SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, CA is OK

I&#39;m trying to get socket.io running with my SSL certificate however, it will not connect.

I based my code off the chat example:

    var https = require(&#39;https&#39;);
    var fs = require(&#39;fs&#39;);
    /**
     * Bootstrap app.
     */
    var sys = require(&#39;sys&#39;)
    require.paths.unshift(__dirname + &#39;/../../lib/&#39;);
    
    /**
    * Module dependencies.
    */

    var express = require(&#39;express&#39;)
      , stylus = require(&#39;stylus&#39;)
      , nib = require(&#39;nib&#39;)
      , sio = require(&#39;socket.io&#39;);

    /**
     * App.
     */
    var privateKey = fs.readFileSync(&#39;../key&#39;).toString();
    var certificate = fs.readFileSync(&#39;../crt&#39;).toString();
    var ca = fs.readFileSync(&#39;../intermediate.crt&#39;).toString();

    var app = express.createServer({key:privateKey,cert:certificate,ca:ca });


    /**
     * App configuration.
     */

    ...

    /**
     * App routes.
     */

    app.get(&#39;/&#39;, function (req, res) {
      res.render(&#39;index&#39;, { layout: false });
    });

    /**
     * App listen.
     */

    app.listen(443, function () {
      var addr = app.address();
      console.log(&#39;   app listening on http://&#39; + addr.address + &#39;:&#39; + addr.port);
    });

    /**
     * Socket.IO server (single process only)
     */
    
    var io = sio.listen(app,{key:privateKey,cert:certificate,ca:ca});
    ...


If I remove the SSL code it runs fine, however with it I get a request to http://domain.com/socket.io/1/?t=1309967919512

Note it&#39;s not trying https, which causes it to fail.

I&#39;m testing on chrome, since it is the target browser for this application.

I apologize if this is a simple question, I&#39;m a node/socket.io newbie.

Thanks!

node.js, socket.io with SSL

Is there a way to force PDF files to open in the browser when the option &quot;Display PDF in browser&quot; is unchecked?

I tried using the embed tag and an iframe, but it only works when that option is checked.

What can I do?


How do I force files to open in the browser instead of downloading (PDF)?

I have a simple PHP webpage, and would like to return different content depending if it&#39;s accessed from an iPhone/iPad or from a web brower. How can I do that?

Check if PHP-page is accessed from an iOS device

Is it a way to remove or hide http referer information in request header? 
i want to remove http referrer information of users who goes to other site from my site using a script possibly in javascript python or django

example:

    Host	slogout.espncricinfo.com
    User-Agent	Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0    
    Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8    
    Accept-Language	en-us,en;q=0.5    
    Accept-Encoding	gzip, deflate    
    Accept-Charset	ISO-8859-1,utf-8;q=0.7,*;q=0.7    
    Connection	keep-alive
    Referer	http://slogout.espncricinfo.com/index.php?page=index&amp;level=login



Remove http referer

I know it&#39;s possible to get an empty HTTP_REFERER. Under what circumstances does this happen? If I get an empty one, does it always mean that the user changed it? Is getting an empty one the same as getting a null one? and under what circumstances do I get that too?

In what cases will HTTP_REFERER be empty

I know that you can manually set some headers with the `--header` option, but I want to know what headers it sends without interaction.

Content Type	Original Author	Original Content on Stackoverflow
Question	angryITguy	View Question on Stackoverflow
Solution 1 - Servlets	Dpp	View Answer on Stackoverflow
Solution 2 - Servlets	Nemo	View Answer on Stackoverflow

Does SSL also encrypt cookies?

Servlets Problem Overview

Servlets Solutions

Solution 1 - Servlets

Solution 2 - Servlets

Email user that broke build in Teamcity

How to check for NaN value in Objective-C (iOS)

Attributions