* whereToDiffer} produces no observable change in performance. We want to make sure that the array
 * equals implementation is *not* short-circuiting to prevent timing-based attacks. Being fast is
 * only a secondary goal.
 *
 * @author Kurt Alfred Kluever
 */
@NullUnmarked
public class HashCodeBenchmark {

  // Use a statically configured random instance for all of the benchmarks

- 没有 `Content-Type` 头（例如使用 `fetch()` 携带 `Blob` 作为 body）
- 且不发送任何认证凭据。

这种攻击主要在以下情况下相关：

- 应用在本地（如 `localhost`）或内网中运行
- 且应用没有任何认证，假定来自同一网络的请求都可信。

## 攻击示例 { #example-attack }

假设你构建了一个本地运行的 AI 代理。

它提供了一个 API，地址为

```
http://localhost:8000/v1/agents/multivac
```

另有一个前端，地址为

```
http://localhost:8000
```

/// tip | 提示

注意它们的主机相同。

///

* la aplicación corre localmente (p. ej. en `localhost`) o en una red interna
* y la aplicación no tiene ninguna autenticación, espera que cualquier request de la misma red sea confiable.

## Ejemplo de ataque { #example-attack }

Imagina que construyes una forma de ejecutar un agente de IA local.

Provee un API en

```
http://localhost:8000/v1/agents/multivac
```

También hay un frontend en

```
http://localhost:8000

-   Our users' guide, [Guava Explained]
-   [A nice collection](https://www.tfnico.com/presentations/google-guava) of
    other helpful links

## Links

-   [GitHub project](https://github.com/google/guava)
-   [Issue tracker: Report a defect or feature request](https://github.com/google/guava/issues/new)
-   [StackOverflow: Ask "how-to" and "why-didn't-it-work" questions](https://stackoverflow.com/questions/ask?tags=guava+java)

- 沒有 `Content-Type` 標頭（例如以 `fetch()` 並使用 `Blob` 作為 body）
- 且沒有送出任何身分驗證憑證

這種攻擊主要與以下情境相關：

- 應用在本機（例如 `localhost`）或內部網路中執行
- 並且應用沒有任何身分驗證，假設同一個網路中的任何請求都可被信任

## 攻擊範例 { #example-attack }

假設你打造了一個在本機執行 AI 代理（AI agent）的方法。

它提供一個 API：

```
http://localhost:8000/v1/agents/multivac
```

同時也有一個前端：

```
http://localhost:8000
```

/// tip | 提示

請注意兩者的主機（host）相同。

   documentation may negatively impact others.

 * **Be respectful**: We expect people to work together to resolve conflict, assume good intentions,
   and act with empathy. Do not turn disagreements into personal attacks.

 * **Be collaborative**: Collaboration reduces redundancy and improves the quality of our work. We
   strive for transparency within our open source community, and we work closely with upstream

   * saving space.
   */
  @VisibleForTesting static final double MAX_LOAD_FACTOR = 1.0;

  /**
   * Maximum allowed false positive probability of detecting a hash flooding attack given random
   * input.
   */
  @VisibleForTesting static final double HASH_FLOODING_FPP = 0.001;

  /**
   * Maximum allowed length of a hash table bucket before falling back to a j.u.HashMap based

- 그리고 어떠한 인증 자격 증명도 보내지 않음

이 유형의 공격은 주로 다음과 같은 경우에 관련이 있습니다:

- 애플리케이션이 로컬(예: `localhost`) 또는 내부 네트워크에서 실행 중이고
- 애플리케이션에 인증이 없어 같은 네트워크에서 오는 모든 요청을 신뢰한다고 가정하는 경우

## 공격 예시 { #example-attack }

로컬 AI 에이전트를 실행하는 방법을 만들었다고 가정해 봅시다.

이 에이전트는 다음 위치에 API를 제공합니다:

```
http://localhost:8000/v1/agents/multivac
```

또한 다음 위치에 프론트엔드가 있습니다:

```
http://localhost:8000
```

		header.Set("X-XSS-Protection", "1; mode=block")                                // Prevents against XSS attacks
		header.Set("X-Content-Type-Options", "nosniff")                                // Prevent mime-sniff
		header.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains") // HSTS mitigates variants of MITM attacks

		// Previously, this value was set right before a response was sent to

                    // or dependencies on other projects manually declared testArtifacts configurations
                    // This issue is tracked in gradle issue tracker.
                    // See https://github.com/gradle/gradle/issues/14932 for further details

                    classpath.getEntries().stream().filter(e -> e instanceof ProjectDependency).forEach(it ->