Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.
url-invoke-disallowed
setting lacks clarity and can lead to unwanted behavior if the default changes unexpectedly.HTTP 403
status code. However, relying on an implicit setting always lacks clarity and can potentially lead to unwanted behavior if the default setting changes underneath.url-invoke-disallowed
setting.
...
<task-flow-definition id="password">
<default-activity>PasswordPrompt</default-activity>
<view id="PasswordPrompt">
<page>/PasswordPrompt.jsff</page>
</view>
<use-page-fragments/>
</task-flow-definition>
...
Resources:
EBSVOLExample:
Type: AWS::EC2::Volume
Properties:
Encrypted: false
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyMethod0": {
"Type": "AWS::ApiGateway::Method",
"Properties": {
"RestApiId": "MyAPIID",
"ResourceId": "MyResourceID",
"HttpMethod": "GET",
"AuthorizationType": "NONE"
}
},
"MyMethod1": {
"Type": "AWS::ApiGateway::Method",
"Properties": {
"RestApiId": "MyAPIID",
"ResourceId": "MyResourceID",
"HttpMethod": "POST",
"AuthorizationType": "NONE",
"ApiKeyRequired": false
}
}
}
}
AWSTemplateFormatVersion: "2010-09-09"
Description: "Example"
Resources:
TestMethod:
Type: "AWS::ApiGateway::Method"
Properties:
RestApiId: !Ref restAPIRes
ResourceId: !GetAtt
- restAPIRes
- RootResourceId
HttpMethod: GET
AuthorizationType: NONE
{
"Resources": {
"LambdaPerm": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"SourceAccount": "AWS::AccountId",
"SourceArn": "bucket.Arn",
"FunctionName": "function.Arn",
"Action": "lambda:InvokeFunction",
"Principal": "*"
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Lambda Permission"
}
AWSTemplateFormatVersion: "2010-09-09"
Description: Lambda Permission
Resources:
LambdaPerm:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !GetAtt function.Arn
Action: lambda:InvokeFunction
Principal: "*"
SourceAccount: !Ref "AWS::AccountId"
SourceArn: !GetAtt bucket.Arn
"Resources": {
"DocDBDefault": {
"Type": "AWS::DocDB::DBCluster",
"Properties": {
"MasterUsername": "name",
"MasterUserPassword": "password"
}
}
Resources:
DocDBDInst:
Type: AWS::DocDB::DBCluster
Properties:
MasterUsername: myUser
MasterUserPassword: password
"Resources": {
"EBSVOLExample": {
"Type": "AWS::EC2::Volume",
"Properties": {
"Encrypted": false,
}
}
}
Resources:
EBSVOLExample:
Type: AWS::EC2::Volume
Properties:
Encrypted: false
{
"Description": "ElastiCache redis",
"Resources": {
"MyReplicationGroup": {
"Type": "AWS::ElastiCache::ReplicationGroup",
"Properties": {
"AutomaticFailoverEnabled": true,
"CacheNodeType": {
"Ref": "CacheNodeType"
},
Cache "ParameterGroupName": {
"Ref": "CacheParameterGroup"
},
"CacheSubnetGroupName": {
"Ref": "CacheSubnetGroupName"
},
"Engine": "redis",
"EngineVersion": {
"Ref": "EngineVersion"
},
"NumNodeGroups": {
"Ref": "NumShards"
},
"ReplicasPerNodeGroup": {
"Ref": "NumReplicas"
},
"PreferredMaintenanceWindow": "sat:10:00-sat:08:00",
"SecurityGroupIds": [
{
"Ref": "SecurityGroup"
}
],
"SnapshotRetentionLimit": {
"Ref": "SnapshotRetentionLimit"
},
"SnapshotWindow": "00:00-03:00"
},
"UpdatePolicy": {
"UseOnlineResharding": true
}
}
}
}
Description: 'ElastiCache redis'
Resources:
MyReplicationGroup:
Type: AWS::ElastiCache::ReplicationGroup
Properties:
AutomaticFailoverEnabled: true
CacheNodeType: !Ref CacheNodeType
CacheParameterGroupName: !Ref CacheParameterGroup
CacheSubnetGroupName: !Ref CacheSubnetGroupName
Engine: redis
EngineVersion: !Ref EngineVersion
NumNodeGroups: !Ref NumShards
ReplicasPerNodeGroup: !Ref NumReplicas
PreferredMaintenanceWindow: 'sat:10:00-sat:08:00'
SecurityGroupIds:
- !Ref SecurityGroup
SnapshotRetentionLimit: !Ref SnapshotRetentionLimit
SnapshotWindow: '00:00-03:00'
UpdatePolicy:
UseOnlineResharding: true
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "My Neptune DB cluster",
"Resources": {
"NeptuneDBCluster": {
"Type": "AWS::Neptune::DBCluster",
"Properties": {
"BackupRetentionPeriod": 10,
"DBClusterIdentifier": "MyDBClusterIdentifier",
"DBClusterParameterGroupName": "MyNeptuneDBClusterParameterGroup",
"DBSubnetGroupName": "MyNeptuneDBSubnetGroup",
"IamAuthEnabled": true,
"Port": 8080,
"PreferredBackupWindow": "NeptuneDBClusterPreferredBackupWindow",
"PreferredMaintenanceWindow": "NeptuneDBClusterPreferredMaintenanceWindow"
}
}
}
}
AWSTemplateFormatVersion: 2010-09-09
Description: My Neptune DB cluster
Resources:
NeptuneDBCluster:
Type: "AWS::Neptune::DBCluster"
Properties:
BackupRetentionPeriod: 10
DBClusterIdentifier: MyDBClusterIdentifier
DBClusterParameterGroupName: MyNeptuneDBClusterParameterGroup
DBSubnetGroupName: MyNeptuneDBSubnetGroup
IamAuthEnabled: true
Port: 8080
PreferredBackupWindow: NeptuneDBClusterPreferredBackupWindow
PreferredMaintenanceWindow: NeptuneDBClusterPreferredMaintenanceWindow
"Resources": {
"RDSDBExample": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"StorageEncrypted": false,
"DBName": "Test DB",
"DBInstanceClass": "db.m4.large"
}
}
}
"Resources": {
"RedshiftClusterTest": {
"Type": "AWS::Redshift::Cluster",
"Properties": {
"DBName": "mydb",
"MasterUsername": "master",
"MasterUserPassword": "masterPass",
"NodeType": "ds2.xlarge",
"ClusterType": "single-node",
}
}
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "My SNS topic",
"Resources": {
"MySNSTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [
{
"Endpoint": "MySNSEndpoint",
"Protocol": "sqs"
}
],
"TopicName": "MyTopic"
}
}
}
}
AWSTemplateFormatVersion: 2010-09-09
Description: My SNS Topic
Resources:
MySNSTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: "MySNSEndpoint"
Protocol: "sqs"
TopicName: "SampleTopic"
kSecAccessControlUserPresence
: Constraint to access with either Touch ID or passcode. Touch ID does not have to be available or enrolled. Item is still accessible by Touch ID even if fingerprints are added or removed.kSecAccessControlTouchIDAny
: Constraint to access with Touch ID for any enrolled fingerprints. Item is not invalidated if fingerprints are added or removed.kSecAccessControlTouchIDCurrentSet
: Constraint to access with Touch ID for currently enrolled fingerprints. Item is invalidated if fingerprints are added or removed.kSecAccessControlTouchIDCurrentSet
attribute to protect against fingerprints being added or removed in the future.kSecAccessControlTouchIDAny
constraint that allows any future-enrolled fingerprint to unlock the Keychain item:
...
SecAccessControlRef sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
kSecAccessControlTouchIDCurrentSet,
nil);
NSMutableDictionary *dict = [NSMutableDictionary dictionary];
[dict setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id) kSecClass];
[dict setObject:account forKey:(__bridge id)kSecAttrAccount];
[dict setObject:service forKey:(__bridge id) kSecAttrService];
[dict setObject:token forKey:(__bridge id)kSecValueData];
...
[dict setObject:sacRef forKey:(__bridge id)kSecAttrAccessControl];
[dict setObject:@"Please authenticate using the Touch ID sensor." forKey:(__bridge id)kSecUseOperationPrompt];
dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)dict, nil);
});
...
kSecAccessControlUserPresence
: Constraint to access with either Touch ID or passcode. Touch ID does not have to be available or enrolled. Item is still accessible by Touch ID even if fingerprints are added or removed.kSecAccessControlTouchIDAny
: Constraint to access with Touch ID for any enrolled fingerprints. Item is not invalidated if fingerprints are added or removed.kSecAccessControlTouchIDCurrentSet
: Constraint to access with Touch ID for currently enrolled fingerprints. Item is invalidated if fingerprints are added or removed.kSecAccessControlTouchIDCurrentSet
attribute to protect against fingerprints being added or removed in the future.kSecAccessControlTouchIDAny
constraint that allows any future-enrolled fingerprint to unlock the Keychain item:
...
let flags = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
.TouchIDAny,
nil)
var query = [String : AnyObject]()
query[kSecClass as String] = kSecClassGenericPassword
query[kSecAttrService as String] = service as AnyObject?
query[kSecAttrAccount as String] = account as AnyObject?
query[kSecValueData as String] = secret as AnyObject?
...
query[kSecAttrAccessControl as String] = sacRef
query[kSecUseOperationPrompt as String] = "Please authenticate using the Touch ID sensor."
SecItemAdd(query as CFDictionary, nil)
...
<cfdump>
tag can leak sensitive information in a deployed web application.<cfdump>
tag. Although use of <cfdump>
is a acceptable during product development, developers responsible for code that is part of a production web application should carefully consider whether any use of the <cfdump>
tag should be allowed.