Blog posts tagged "security"

Linux: PHP as a standalone application

Written by Erwin A.W. Maas

Run only PHP in Linux (Ubuntu / Zorin and whatever more...)

Most of my websites don't use a database, therefore I do not need Apache or MySQL to edit them on localhost.
Now I know you can do that by installing LAMP (XAMPP), but it is easier and quicker to just run PHP on its own (provided that you have already downloaded and unpacked PHP to somewhere in your filesystem).

If you do not yet have PHP installed, here's a quick how-to (1 checks whether PHP exists and which version; 4 installs it if no PHP is installed; 5 checks the version again and writes the list of installed PHP packages to a file for an easier upgrade later; 6 adds the repository that carries the latest version; 8 removes the old version):

  1. php -v
  2. sudo apt update
  3. sudo apt full-upgrade
  4. sudo apt install php
  5. dpkg -l | grep php | tee packages.txt
  6. sudo add-apt-repository ppa:ondrej/php
  7. sudo apt update
  8. sudo apt autoremove

Now you have PHP installed and you can run it either from the terminal or put it in a bash file and add a launcher for it on the desktop for convenience. Contrary to what most web resources say, you do not need to move your website files to a specific default location; just point to them in the bash file. You basically only need 2 lines to get PHP going.
Open a text editor or IDE, start with an empty new file and write (editing the /path/to part):
#! /usr/bin/bash
php -S localhost:8080 -t /path/to/my/websites/

Save the file and remember the save path.

Now you only have to create a launcher that points to the bash file and let it run in the terminal (check this option).
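The two-line bash file above is all that is needed, but a launcher that is clicked without thinking deserves a few checks first. The script below is an added example, not the post's own file: it builds the same `php -S localhost:PORT -t DOCROOT` command, keeps the server on the loopback address only, refuses privileged ports and over-broad document roots (the built-in server serves any readable file below `-t`, and `.htaccess` rules written for Apache are not applied), and only then starts PHP. The document root and port are passed as arguments; the paths shown are placeholders. Unrelated to the script itself: step 6 of the how-to adds a third-party PPA, so from then on the PHP packages come from, and are signed by, that repository's maintainer rather than Ubuntu, which is a trust decision worth making consciously.

```shell
#!/bin/sh
# Added example, not the two-line script from the post: a starter script for
# PHP's built-in development server that checks a few things before serving.
# Document root and port are passed as arguments (placeholders in the usage line).
set -eu

HOST="localhost"   # loopback only; a dev server should never listen on 0.0.0.0

# The exact command line, so it can be inspected (and checked) before running.
build_serve_cmd() {
  printf 'php -S %s:%s -t %s' "$HOST" "$2" "$1"
}

# Accept only numeric, unprivileged ports so the script never needs root.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Refuse document roots that would expose far more than the website files:
# the built-in server serves any readable file below -t, and .htaccess rules
# written for Apache are not applied by it.
safe_docroot() {
  [ -d "$1" ] || return 1
  case "$1" in
    /|/home|/home/|"${HOME:-/nonexistent}"|"${HOME:-/nonexistent}"/) return 1 ;;
  esac
  return 0
}

main() {
  docroot="$1"
  port="${2:-8080}"
  command -v php >/dev/null 2>&1 || { echo "php not found; install it first" >&2; exit 1; }
  php -v | head -n 1
  valid_port "$port"      || { echo "invalid port: $port" >&2; exit 1; }
  safe_docroot "$docroot" || { echo "refusing to serve $docroot" >&2; exit 1; }
  echo "Running: $(build_serve_cmd "$docroot" "$port")  (Ctrl-C to stop)"
  exec php -S "$HOST:$port" -t "$docroot"
}

# Runs only when a document root is given, e.g.:
#   ./serve.sh /path/to/my/websites 8080      (placeholder path)
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Save it as the bash file the launcher points to and pass the website directory as the first argument. Because the server binds to `localhost`, other machines on the network cannot reach the unfinished site, which is the right default for a development server that has no authentication of its own.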

Terminal-notifications while running PHP

In the terminal you should see that PHP has started, and while you work on your websites the terminal will log useful information about the requests PHP handles for the pages you open in the browser.

In your browser go to localhost:8080 and you'll see your websites. Now you can edit them locally in whatever application you wish and upload them to the web server whenever you are happy to share them 😎

Success! Linux Zorin installed!

Written by Erwin A.W. Maas

It worked: I now have a new laptop on which I run Windows and Zorin side by side in a dual-boot setup.
When the laptop starts I can now choose: Windows or Linux Zorin

I have now installed the most important applications in Zorin; many of the ones I know don't work in Linux, but they have a kind of app store with an enormous number of apps in it, including some really nice ones that may even be better than the ones I was used to working with.

In any case I can write blog posts and work on my website again, which is a very big hobby of mine, and once I am fully set up and used to it I am going to try a triple-boot; I just don't know yet what I'll put in the empty partition, there is só much...

Stop being tradeware of Big Tech

Written by Erwin A.W. Maas

To know not is to care not

"Many of them are not informing consumers about what actually happens to their information or providing real choices. Many consumers are unaware, for example, that Facebook can track their activity online when they are logged out, or even if they are not a Facebook user."

From: this article in The Conversation

Only a few people realise this and have since started taking back control over their privacy...

And it's só easy to do:


Away with external scripts and a strong CSP

Written by Erwin A.W. Maas

Results security scan

I have been busy with a strong Content Security Policy the last couple of months and experienced all kinds of issues with 3rd-party scripts like analytics tools and a consent-manager script that I needed because of these analytics tools.

To keep everything running fine I had to add several things to the CSP that I didn't like, for example 'unsafe-inline' and 'unsafe-eval'.
Besides that, one item of the cookie-consent script just did not load and there was nothing to be done about it until the script provider themselves change it so that I can hash or nonce it.

So what did I do?


The CSP is ready

Written by Erwin A.W. Maas

That was really an adventure; it took me 6 days to make a safe Content Security Policy where all scripts and stylesheets are loaded.

But I learned a lot and it's ready for now (in the future I will try to make more use of nonces instead of hashes).

This means that I can go on with real front-end website development, which I love most.

CSP: start again after 3 days work

Written by Erwin A.W. Maas

Busy implementing a strong CSP for the domain: much more work than I expected.

Google Tag Manager requires a nonce, but that needs mod_unique_id, which wasn't installed; the web host is very helpful and activated it right away, and it works fine on the Apache side.

Quantcast Choice, which generates the cookie-policy application that lets visitors choose to accept or decline, is causing the biggest problem: it breaks the whole website. But now that mod_unique_id is installed I could try to use a nonce for that too.

Two of the four scripts are going to use nonces, so why not try that with all the scripts?

So: back to an empty CSP and start all over...
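The three CSP posts above turn on two ways of allow-listing a script without 'unsafe-inline': a hash source, which pins one exact inline script body, and a nonce source, which is minted fresh for every response. The shell script below is an added example and not the author's CSP or Apache configuration; it assumes `openssl` and `base64` are installed, the inline script text is constructed for the demo, and the policies it prints are illustrative rather than the ones deployed on the author's domain.

```shell
#!/bin/sh
# Added example (not the author's CSP): the two allow-listing methods from the
# posts, computed from the command line.
#  - a hash source for a fixed inline script  ('sha256-...')
#  - a per-response nonce source              ('nonce-...')
# Assumes openssl and base64 (coreutils) are available.
set -eu

# Base64-encoded SHA-256 of the exact script body, as CSP expects it.
# The body must match byte for byte (whitespace included) what sits between
# the <script> tags; any edit to the script changes the hash and the header.
csp_hash_source() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | base64 | tr -d '\n' | sed 's/^/sha256-/'
}

# 128 bits from the CSPRNG, base64 encoded; must be a new value on every response
# and must never be reused or derived from something a visitor can predict.
csp_nonce() {
  openssl rand -base64 16 | tr -d '\n'
}

# The kind of policy the first post ended up with, beside a strict one built
# from a nonce. Browsers that understand nonces/hashes ignore 'unsafe-inline'
# once a nonce or hash source is present, so the two do not mix.
weak_policy() {
  printf "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
}
strict_policy() {
  printf "default-src 'self'; script-src 'self' 'nonce-%s'" "$1"
}

INLINE_SCRIPT='console.log("hello")'   # constructed sample inline script

# Demo run:  sh csp.sh demo
if [ "${1:-}" = "demo" ]; then
  echo "Hash source for the sample script: $(csp_hash_source "$INLINE_SCRIPT")"
  n=$(csp_nonce)
  echo "Weak:   $(weak_policy)"
  echo "Strict: $(strict_policy "$n")"
  echo "Tag:    <script nonce=\"$n\">$INLINE_SCRIPT</script>"
fi
```

A hash suits a script you control and rarely change; a nonce suits third-party tags such as the ones in the posts, because the same value goes both into the header and into each `<script nonce="...">` tag, whatever the script's content. On Apache the posts take the value from mod_unique_id, for example through mod_headers with `Header set Content-Security-Policy "script-src 'self' 'nonce-%{UNIQUE_ID}e'"` while the page emits the same value in its script tags. One caveat a reviewer would raise: UNIQUE_ID is assembled from the host address, process id, timestamp and a counter rather than from a random generator, so it guarantees uniqueness per request but not the unpredictability that `openssl rand` above provides; a nonce an attacker can guess gives no protection against injected markup. Stylesheets work the same way with `style-src`.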

Decision: the Social Media stays

Written by Erwin A.W. Maas

I have been studying the login part (you have to log in again after 24 minutes of not being on the site) and I have come to the conclusion that prolonging the login session brings critical security issues with it: 24 minutes is the default session time and there are good reasons for that.
This means that installing another social media application that dóes keep users logged in for days, for example, is less secure than the application we use now, so changing applications is not an option either.

So: we will stick to this one!

Social network Issues

Written by Erwin A.W. Maas

There are some issues with the social network; most of them are minor, but one is not acceptable:
- when a logged-in user leaves the site, the session cookie expires after 24 minutes. After that the person has to log in again

Busy working on it, but if this can't be fixed I am seriously considering installing a completely different social-media script that dóes keep the users logged in for a longer period of time.