What is JSON Web Token? JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. JSON Web Tokens can be integrity protected with a hash-based message authentication code (HMAC). The producer and consumer must posses a shared secret, negotiated through some out-of-band mechanism before the JWS-protected object is communicated (unless the producer secures the JWS object for itself). 정보를 비밀리에 전달하거나 인증할 때 주로 사용하는 토큰으로, Json객체를 이용함. 그냥 DB에 인증 코드를 저장 하는 경우도 많지만 어디에도 저장하지 않는 방법도 흔히 쓰인다. 단순하게는 그냥 인증 정보를 HMAC 으로 사인하기만 하더라도 보안상 충분하고 더 많은 기능이 있는 JWT같은 방식을 사용할 수도 있다. JWT는 Json Web Token의 약자로 일반적으로 클라이언트와 서버 사이에서 통신할 때 권한을 위해 사용하는 토큰이다. 웹 상에서 정보를 Json형태로 주고 받기 위해 표준규약에 따라 생성한 암호화된 토큰으로 복잡하고 읽을 수 없는 string 형태로 저장되어있다.   HMAC (Hash-Based Message Authentication Codes) Definition Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses a hash function and a secret key. With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as opposed to approaches that use signatures and asymmetric cryptography. -메세지 인증을 위한 Keyed-Hasing의 약자 -인증할 데이터와 공유 비밀키에 대해 암호화 해시 함수(예. SHA1, SHA256)를 실행하여 얻은 메시지 인증코드 전자 서명과 유사 : 무결성/진정성 강화, 암호키 사용, 해시 함수 사용 전자 서명과 차이 : 전자 서명(비대칭키), HMAC(공개키) -인증과정 해쉬 생성 : 클라이언트는 key + message를 HMAC 알고리즘으로 처리하여 hash 값을 만들어낸다. 요청 보내기 : 생성된 hash와 message를 HTTP 요청으로 REST API서버에게 보낸다. 보통 hash는 HTTP 헤더 또는 url에 포함된다. 해쉬 생성 : 서버는 클라이언트에게서 받은 요청 내의 message와 본인이 가지고있던 key를 조합하여 HMAC으로 hash값을 생성한다. 비교 : 클라이언트에서 넘어온 hash와 서버에서 생성된 hash가 동일한지 비교한다. 동일하면 인증 성공이다.   JWT: Choosing between HMAC and RSA HMAC is used to prevent manipulation by someone who does not have access to the secret. Typically this means preventing manipulation by the client if the secret is only known to the server or to prevent manipulation in transit if the secret is known to client and server. An RSA based signature is used to prevent manipulation and also to allow others to verify the integrity and source of the data without being able to manipulate the data. This can be done because the private key is only known to the provider and signer of the data while the public key is known to everybody who likes to verify the integrity. What to choose thus depends on your specific use case. If the server just needs to protect the token against manipulation by the client then using HMAC with a server side secret is enough. If instead it needs to be also proven to others that the token was created by a specific (trusted) server then RSA based signatures should be used.   JWT.IO - JSON Web Tokens Introduction Learn about JSON Web Tokens, what are they, how they work, when and why you should use them. http://jwt.io/ JWT: Choosing between HMAC and RSA It is my understanding that HMAC is a symmetric signing algorithm (single secret key) whereas RSA is an asymmetric signing algorithm (private/public key pair). I am trying to choose between these 2 https://security.stackexchange.com/questions/220185/jwt-choosing-between-hmac-and-rsa HMAC (Hash-Based Message Authentication Codes) Definition | Okta Okta Looks like you have Javascript turned off! Please enable it to improve your browsing experience. Skip to main content Registration for Oktane is open! Registration for Oktane is open! Register now Register now Register now for Oktane +1 (800) 425-126 https://www.okta.com/identity-101/hmac/ HMAC 인증이란? - REST API의 보안 안녕하세요! HMAC 인증 이라는게 참 처음접하면 이게 어떤 원리로 동작하는건지 혼란스러운데, 찾아보니 영어로는 쉽게 잘 설명해주는 글들이 많은데 한국어로는 쉬운 설명이 정말 거의 없더라구요. 그래서 제가 하나 적어보기로 했습니다. HMAC을… http://haneepark.github.io/2018/04/22/hmac-authentication/ HMAC 알고리즘 정리 Mac이란?Message Authentication Code의 약자로 "인증된 메세지코드"라는 의미비즈니스 의사 결정과 프로세스는 정확하고 신뢰가능한 데이터에 의존적데이터 변조와 변경 사항이 눈에 띄지 않으면 의사 결정 밒 프로세스에 영향을 미칠 수 있음데이터를 인터넷 https://velog.io/@jamwonsoo/HMAC-알고리즘-정리 JWT란 무엇인가? JWT(Json Web Token) > 정보를 비밀리에 전달하거나 인증할 때 주로 사용하는 토큰으로, Json객체를 이용함 JWT는 Json Web Token의 약자로 일반적으로 클라이언트와 서버 사이에서 통신할 때 권한을 위해 사용하는 토큰이다. 웹 상에서 정보를 Json형태로 주고 받기 위해 표준규약에 따라 생성한 암호화된 토큰으로 복잡하고 읽을 수 ... https://velog.io/@hahan/JWT란-무엇인가

SPF, DKIM, and DMARC help authenticate email senders by verifying that the emails came from the domain that they claim to be from. These three authentication methods are important for preventing spam, phishing attacks, and other email security risks.   How does DMARC work? Domain-based Message Authentication Reporting and Conformance (DMARC) tells a receiving email server what to do given the results after checking SPF and DKIM. A domain's DMARC policy can be set in a variety of ways — it can instruct mail servers to quarantine emails that fail SPF or DKIM (or both), to reject such emails, or to deliver them. 도메인 기반 메시지 인증, 보고 및 적합성(DMARC)은 이메일 메시지를 인증하는 방법이다. DMARC 정책은 추가 이메일 인증 방법인 도메인의 발신자 정책 프레임워크(SPF) 및 도메인키 식별 메일(DKIM) 레코드를 확인한 후 수행할 작업을 수신 이메일 서버에 알려준다. 스팸 발송자는 도메인이나 조직을 스푸핑하여 조직에서 전송된 것처럼 위장된 위조 메일을 보낼 수 있다. DMARC는 조직에서 보낸 것처럼 보이지만 인증 확인을 통과하지 못했거나 DMARC 정책 레코드의 인증 요구사항을 충족하지 못한 메일을 받은 경우 메일 수신 서버에서 수행할 작업을 알려준다. 인증되지 않은 메일은 조직에서 보낸 것처럼 위장되었거나 승인되지 않은 서버에서 전송된 메일일 수 있다. DMARC는 항상 다음의 두 가지 이메일 인증 방법 또는 인증 확인에 사용된다. SPF(Sender Policy Framework): 도메인 소유자가 해당 도메인으로 된 이메일을 보낼 수 있는 IP 주소를 승인할 수 있다. 수신 서버에서는 특정 도메인에서 전송된 것처럼 보이는 메일이 도메인 소유자가 허용하는 서버에서 전송된 메일인지 확인할 수 있다. DKIM(Domain Keys Identified Mail): 전송된 모든 메일에 디지털 서명을 추가할 수 있다. 수신 서버에서는 이 서명을 통해 메일의 출처가 확실한지, 전송 중에 위조되거나 변경되지 않았는지 확인할 수 있다.   How does DKIM work? DomainKeys Identified Mail (DKIM) enables domain owners to automatically "sign" emails from their domain, just as the signature on a check helps confirm who wrote the check. The DKIM "signature" is a digital signature that uses cryptography to mathematically verify that the email came from the domain. 도메인키 식별 메일(DKIM)은 스팸 발송자 및 기타 악의적인 당사자가 합법적인 도메인을 가장하는 것을 방지하는 데 도움이 되는 이메일 인증 방법이다. DKIM을 설정하여 스푸핑으로부터 도메인을 보호하고 발신 메일이 스팸으로 표시되지 않도록 할 수 있다. 스푸핑은 이메일 메시지의 보낸사람 주소를 위조하는 이메일 공격 유형으로 조직이나 도메인에서 보낸 것처럼 보이도록 위장한다. 메일이 수정되거나 메일의 보낸사람: 주소가 무단으로 변경되면 DKIM은 이를 감지한다.   How does SPF work? Sender Policy Framework (SPF) is a way for a domain to list all the servers they send emails from. Think of it like a publicly available employee directory that helps someone to confirm if an employee works for an organization. SPF(Sender Policy Framework) 레코드는 특정 도메인에서 이메일을 보낼 수 있도록 승인된 모든 서버를 열거하는 DNS TXT 레코드의 한 가지 유형이다. 즉 메일을 받는 쪽의 서비스 회사에서 특정 도메인을 통해 보낸 메일이 스팸처리 되지 않게 하는 레코드다.   Define your SPF record—Basic setup - Google Workspace Admin Help Skip to main content Google Workspace Admin HelpSign inGoogle HelpHelp CenterCommunityGoogle Workspace AdminPrivacy PolicyTerms of ServiceSubmit feedback Send feedback on...This help content & informationGeneral Help Center experienceNextHelp CenterCommun https://support.google.com/a/answer/10685031?hl=en#:~:text=An%20SPF%20record%20identifies%20the,can%20have%20one%20SPF%20record SPF, DKIM & DMARC: What Is It? How to Set It Up SPF, DKIM & DMARC guide. Learn what they are and how to set them up in your DNS records, for better control over your email deliverability. https://woodpecker.co/blog/spf-dkim/ Prevent mail to Gmail users from being blocked or sent to spam - Gmail Help Skip to main content Gmail HelpSign inGoogle HelpHelp CenterCommunityGmailPrivacy PolicyTerms of ServiceSubmit feedback Send feedback on...This help content & informationGeneral Help Center experienceNextHelp CenterCommunityNew to integrated Gmail Prevent https://support.google.com/mail/answer/81126?sjid=2199876885813467615-AP DKIM을 사용하여 스푸핑 및 스팸 방지하기 - Google Workspace 관리자 고객센터 기본 콘텐츠로 이동 Google Workspace 관리자 고객센터로그인Google 도움말도움말 센터Google Workspace 관리자개인정보 취급방침서비스 약관의견 보내기 다음에 관한 의견 보내기...이 도움말 콘텐츠 및 정보일반적인 고객센터 사용 환경다음 DKIM을 사용하여 스푸핑 및 스팸 방지하기스푸핑, 피싱으로부터 보호하고 메일이 스팸으로 표시되는 것을 방지하기 DKIM을 설정하여 스푸핑으로부터 도메인을 보호하고 발신 메일이 스팸으로 표시되지 않 https://support.google.com/a/answer/174124?hl=ko https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/

이번에 신한은행 인증서를 발급받을 일이 생겨서 사이트에 접속했다. 들어가면 우리나라의 개같은 정책 때문에 다른 인터넷뱅킹과 마찬가지로 여기도 보안프로그램을 설치해야 한다는 이따위 창이 뜬다.     필수로 되어있는 해킹방지솔루션이 바로 엿같은 AhnLab Safe Transaction 이다. 설치하면 아래처럼 프로세스가 뜨는데 그냥 종료할 수 없도록 설정되어 있는 완전 악질중 악질이다. 종료하려고 하면 창이 그냥 닫혀버린다. (개빡)     아래처럼 렉도걸린다.     쓰레기같은 AhnLab Safe Transaction 을 제거해보자. 참고로 그냥 제어판 - 프로그램 추가/제거에서 지우려고 하면 뭐라뭐라 씨부리면서 안된다. 먼저 시스템 트레이에 있는 파란색 방패 모양의 아이콘에 우클릭 후 환경설정을 누른다.     설정창에서 Do not auto-start (자동 시작 안 함)를 선택한다.     시작 유형을 변경할 건지 물어보는데 시작 유형 변경에 체크하고 예를 클릭한다. 아주 개같은 프로그램이다. 메인화면에서 바로 적용하고 창을 닫으면 되는데 또 물어본다.     잠시 기다리면 AhnLab 관련 프로세스는 종료되고 부팅시에도 프로그램이 실행되지 않는다. 이제 본격적인 제거를 해보자. 다시 제어판 - 프로그램 추가/제거 로 들어간다.     Uninstall(제거)을 클릭한다.     그냥 쳐 삭제하면 되지 자동 삭제 방지 문자를 물어본다. 마지막까지 욕이 나온다.     아무 짝에도 쓸모없는 쓰레기 프로그램들. 아직까지도 우리나라 금융사들의 홈페이지는 소비자들이 이용하기 불편하게 구성돼 있다. 각종 보안프로그램을 손수 설치해야 하고, 공인인증서 확인과 비밀번호 입력 등 번거로운 인증절차를 고객이 직접 수행해야 한다. 금융사가 수행해야 할 정보보안 책임을 소비자에게 전가시키려 하기 때문이다. 대부분의 금융사들은 소비자가 직접 정보유출을 막도록 보안프로그램 설치를 종용한다. 그리고 자사 서버 보안시스템은 직접 관리하기보다 외주 용역에 의지하면서 비용을 절감하는 데 급급해한다. 한 마디로 쌩 양아치들. 주거래 은행을 한두개만 정해놓고 인터넷 뱅킹은 모바일로 이용하거나 금융인증서(브라우저인증서)로 로그인해서 쓰는게 그나마 스트레스를 덜 받는 방법이다.

1. FoxTrot Comics by Bill Amend FoxTrot Comics by Bill Amend Official home of the FoxTrot comic strip. New comics every Sunday. https://foxtrot.com/   2. Haunted Houses - Find Real Haunted Houses Haunted Houses - Find Real Haunted Houses, Explore Hauntings and Halloween Attractions Find real haunted houses, Halloween Attractions, Haunted Attractions. http://hauntedhouses.com/   3. 151 Illusions & Visual Phenomena Illusions & Visual Phenomena This huge collection of non-scary optical illusions and fascinating visual phenomena emphasizes interactive exploration, beauty, and scientific explanation. https://michaelbach.de/ot/  

SEO stands for ‘Search Engine Optimization’. It’s the practice of optimizing your web pages to make them reach a high position in the search results of Google and other search engines. In other words: People will be more likely to encounter your website when searching online.   Google’s search result page for the term ‘nightmare’   In the image above, we see the first few results when someone searches for the keyphrase ‘nightmare’. In this case, Youtube is the first result and this means that their page on Nightmare ranks #1 on this search term. The idea behind SEO is that when you optimize your page to become the best result, you can climb those rankings and become one of the first results that people see. Which will get you more clicks and traffic to your site!   https://yoast.com/tag/seo-basics/   SEO news: the latest news, resources, and guides [2023] Browse through hundreds of guides, resources, and articles related to SEO (search engine optimization). https://www.marketermilk.com/topic/seo   SEO Starter Guide: The Basics | Google Search Central  |  Documentation  |  Google Developers A knowledge of basic SEO can have a noticeable impact. Explore the Google SEO starter guide for an overview of search engine optimization essentials. https://developers.google.com/search/docs/fundamentals/seo-starter-guide  

1. IP Locator API This API provides geolocation of an IP address. By default, the lookup only returns IP Country. https://api.iplocation.net/?ip=74.125.45.100 {"ip":"74.125.45.100","ip_number":"1249717604","ip_version":4,"country_name":"United States of America","country_code2":"US","isp":"Google LLC","response_code":"200","response_message":"OK"}   2. The Ultimate Oldschool PC Font Pack The Ultimate Oldschool PC Font Pack: Home The Oldschool PC Font Resource: HomeFont indexReadmeShowcaseDownload Text mode font: [✓] 1 2 3 4 5 6 IBM VGA 8x16 Enable JavaScript for full functionality of all site features. Oldschool PC Fonts: Home Fonts Readme Showcase Download Aa The Ultimate Oldsch https://int10h.org/oldschool-pc-fonts/   3. Favicon generator / Generate from image https://favicon.io/favicon-converter/   4. Base64 Online - base64 decode and encode Base64 Online - base64 decode and encode Base64 - Online Base64 decoder and encoder  decoding and encoding texts and files. Base64 links More about Base64 encoding (wiki) Encode image to a Base64 for html/css Css Images analyzer and encoder to Base64 You can use this base64 sample decoder and en https://www.motobit.com/util/base64-decoder-encoder.asp   5. WEBP to GIF Converter WEBP to GIF | CloudConvert cloudconvert Tools Convert Files Archive Converter Audio Converter CAD Converter Document Converter Ebook Converter Font Converter Image Converter Presentation Converter Spreadsheet Converter Vector Converter Video Converter Optimize Files Compress PDF Co https://cloudconvert.com/webp-to-gif  

1. What is a Resource? In REST, the primary data representation is called resource. Having a consistent and robust REST resource naming strategy – will prove one of the best design decisions in the long term. The key abstraction of information in REST is a resource. Any information that can be named can be a resource: a document or image, a temporal service (e.g. “today’s weather in Los Angeles”), a collection of other resources, a non-virtual object (e.g., a person), and so on. In other words, any concept that might be the target of an author’s hypertext reference must fit within the definition of a resource. A resource is a conceptual mapping to a set of entities, not the entity that corresponds to the mapping at any particular point in time. — Roy Fielding’s dissertation 1.1. Singleton and Collection Resources A resource can be a singleton or a collection. For example, “customers” is a collection resource and “customer” is a singleton resource (in a banking domain). We can identify “customers” collection resource using the URI “/customers“. We can identify a single “customer” resource using the URI “/customers/{customerId}“. 1.2. Collection and Sub-collection Resources A resource may contain sub-collection resources also. For example, sub-collection resource “accounts” of a particular “customer” can be identified using the URN “/customers/{customerId}/accounts” (in a banking domain). Similarly, a singleton resource “account” inside the sub-collection resource “accounts” can be identified as follows: “/customers/{customerId}/accounts/{accountId}“. 1.3. URI REST APIs use Uniform Resource Identifiers (URIs) to address resources. REST API designers should create URIs that convey a REST API’s resource model to the potential clients of the API. When resources are named well, an API is intuitive and easy to use. If done poorly, that same API can be challenging to use and understand. The constraint of a uniform interface is partially addressed by the combination of URIs and HTTP verbs and using them in line with the standards and conventions. Below are a few tips to get you going when creating the resource URIs for your new API. 2. Best Practices 2.1. Use nouns to represent resources RESTful URI should refer to a resource that is a thing (noun) instead of referring to an action (verb) because nouns have properties that verbs do not have – similarly, resources have attributes. Some examples of a resource are: Users of the system User Accounts Network Devices etc. and their resource URIs can be designed as below: http://api.example.com/device-management/managed-devices http://api.example.com/device-management/managed-devices/{device-id} http://api.example.com/user-management/users http://api.example.com/user-management/users/{id} For more clarity, let’s divide the resource archetypes into four categories (document, collection, store, and controller). Then it would be best if you always targeted to put a resource into one archetype and then use its naming convention consistently. For uniformity’s sake, resist the temptation to design resources that are hybrids of more than one archetype. 2.1.1. document A document resource is a singular concept that is akin to an object instance or database record. In REST, you can view it as a single resource inside resource collection. A document’s state representation typically includes both fields with values and links to other related resources. Use “singular” name to denote document resource archetype. http://api.example.com/device-management/managed-devices/{device-id} http://api.example.com/user-management/users/{id} http://api.example.com/user-management/users/admin 2.1.2. collection A collection resource is a server-managed directory of resources. Clients may propose new resources to be added to a collection. However, it is up to the collection resource to choose to create a new resource or not. A collection resource chooses what it wants to contain and also decides the URIs of each contained resource. Use the “plural” name to denote the collection resource archetype. http://api.example.com/device-management/managed-devices http://api.example.com/user-management/users http://api.example.com/user-management/users/{id}/accounts 2.1.3. store A store is a client-managed resource repository. A store resource lets an API client put resources in, get them back out, and decide when to delete them. A store never generates new URIs. Instead, each stored resource has a URI. The URI was chosen by a client when the resource initially put it into the store. Use “plural” name to denote store resource archetype. http://api.example.com/song-management/users/{id}/playlists 2.1.4. controller A controller resource models a procedural concept. Controller resources are like executable functions, with parameters and return values, inputs, and outputs. Use “verb” to denote controller archetype. http://api.example.com/cart-management/users/{id}/cart/checkout http://api.example.com/song-management/users/{id}/playlist/play 2.2. Consistency is the key Use consistent resource naming conventions and URI formatting for minimum ambiguity and maximum readability and maintainability. You may implement the below design hints to achieve consistency: 2.2.1. Use forward slash (/) to indicate hierarchical relationships The forward-slash (/) character is used in the path portion of the URI to indicate a hierarchical relationship between resources. e.g. http://api.example.com/device-management http://api.example.com/device-management/managed-devices http://api.example.com/device-management/managed-devices/{id} http://api.example.com/device-management/managed-devices/{id}/scripts http://api.example.com/device-management/managed-devices/{id}/scripts/{id} 2.2.2. Do not use trailing forward slash (/) in URIs As the last character within a URI’s path, a forward slash (/) adds no semantic value and may confuse. It’s better to drop it from the URI. http://api.example.com/device-management/managed-devices/ http://api.example.com/device-management/managed-devices /*This is much better version*/ 2.2.3. Use hyphens (-) to improve the readability of URIs To make your URIs easy for people to scan and interpret, use the hyphen (-) character to improve the readability of names in long-path segments. http://api.example.com/devicemanagement/manageddevices/ http://api.example.com/device-management/managed-devices /*This is much better version*/ 2.2.4. Do not use underscores ( _ ) It’s possible to use an underscore in place of a hyphen to be used as a separator – But depending on the application’s font, it is possible that the underscore (_) character can either get partially obscured or completely hidden in some browsers or screens. To avoid this confusion, use hyphens (-) instead of underscores ( _ ). http://api.example.com/inventory-management/managed-entities/{id}/install-script-location //More readable http://api.example.com/inventory-management/managedEntities/{id}/installScriptLocation //Less readable 2.2.5. Use lowercase letters in URIs When convenient, lowercase letters should be consistently preferred in URI paths. http://api.example.org/my-folder/my-doc //1 HTTP://API.EXAMPLE.ORG/my-folder/my-doc //2 http://api.example.org/My-Folder/my-doc //3 In the above examples, 1 and 2 are the same, but 3 is not as it uses My-Folder in capital letters. 2.3. Do not use file extensions File extensions look bad and do not add any advantage. Removing them decreases the length of URIs as well. No reason to keep them. Apart from the above reason, if you want to highlight the media type of API using file extension, then you should rely on the media type, as communicated through the Content-Type header, to determine how to process the body’s content. http://api.example.com/device-management/managed-devices.xml /*Do not use it*/ http://api.example.com/device-management/managed-devices /*This is correct URI*/ 2.4. Never use CRUD function names in URIs We should not use URIs to indicate a CRUD function. URIs should only be used to uniquely identify the resources and not any action upon them. We should use HTTP request methods to indicate which CRUD function is performed. HTTP GET http://api.example.com/device-management/managed-devices //Get all devices HTTP POST http://api.example.com/device-management/managed-devices //Create new Device HTTP GET http://api.example.com/device-management/managed-devices/{id} //Get device for given Id HTTP PUT http://api.example.com/device-management/managed-devices/{id} //Update device for given Id HTTP DELETE http://api.example.com/device-management/managed-devices/{id} //Delete device for given Id 2.5. Use query component to filter URI collection Often, you will encounter requirements where you will need a collection of resources sorted, filtered, or limited based on some specific resource attribute. For this requirement, do not create new APIs – instead, enable sorting, filtering, and pagination capabilities in resource collection API and pass the input parameters as query parameters. e.g. http://api.example.com/device-management/managed-devices http://api.example.com/device-management/managed-devices?region=USA http://api.example.com/device-management/managed-devices?region=USA&brand=XYZ http://api.example.com/device-management/managed-devices?region=USA&brand=XYZ&sort=installation-date ref. https://restfulapi.net/resource-naming/ REST API - URL Naming Conventions In REST, having a strong and consistent REST resource naming strategy – will prove one of the best design decisions in the long term. https://restfulapi.net/resource-naming/