Secure Headers for PHP

1 Jan, 2017
Recently I’ve been working on a drop-in class to manage certain “Secure Headers” in PHP.
By “Secure Headers”, I’m of course talking about those mentioned in the OWASP Secure Headers Project.
The project, SecureHeaders is available on GitHub.
Why?
If you’re familiar with PHP, you’ll know that adding a header is actually quite easy. For example, HSTS can be configured in a single line as follows:
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
In fact, you could configure any one of these headers in exactly the same way. So why use a 2.3k line PHP class instead of a one-liner fix for each header?
Maintenance
I started the project as a small class to use for myself to manage CSP policies.
At the time of writing, this is my CSP string:
default-src 'none'; script-src 'self' https://www.google-analytics.com/ 'nonce-noWJFLxtYDQCaRhA3wzbpnnj0ayxstr6mVat+VcB' https://platform.twitter.com/js/ https://cdn.syndication.twimg.com/tweets.json 'strict-dynamic'; style-src 'self' https://fonts.googleapis.com/ https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ 'nonce-AzuI9nGHk86GV7NJ5LNZdsKE7mJeUlDPggnW1/R8' https://platform.twitter.com/css/ https://a.disquscdn.com/next/embed/styles/; img-src 'self' https://www.google-analytics.com/ https://platform.twitter.com/css/ https://syndication.twitter.com/i/jot/syndication https://syndication.twitter.com/i/jot https://pbs.twimg.com/ https://i.ytimg.com/vi/ data: https://referrer.disqus.com/juggler/stat.gif https://a.disquscdn.com/next/embed/assets/img/; font-src 'self' https://fonts.googleapis.com/ https://fonts.gstatic.com/ https://cdnjs.cloudflare.com/ajax/libs/font-awesome/; base-uri 'self'; connect-src 'self' https://www.google-analytics.com/r/collect; frame-ancestors 'none'; object-src 'none'; block-all-mixed-content; upgrade-insecure-requests; report-uri https://aidanwoods.report-uri.io/r/default/csp/enforce; child-src https://syndication.twitter.com/ https://platform.twitter.com/ https://www.youtube.com/embed/ https://disqus.com/embed/comments/ https://disqus.com/home/preload/ https://disqus.com/home/forums/aidanwoods/ https://disqus.com/home/inbox/; frame-src https://syndication.twitter.com/ https://platform.twitter.com/ https://www.youtube.com/embed/ https://disqus.com/embed/comments/ https://disqus.com/home/preload/ https://disqus.com/home/forums/aidanwoods/ https://disqus.com/home/inbox/; form-action https://syndication.twitter.com/ https://platform.twitter.com/;
Obviously, this is not a format that lends itself nicely to debugging and maintaining. While some URIs might be obvious as to their purpose upon reading, things like https://pbs.twimg.com/, for example,
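As an added illustration of the maintenance argument (this is example code written for this page, not the SecureHeaders class itself), the policy above can be kept as a structured array grouped by purpose and serialised on each response; the function names `buildCsp` and `cspNonce` are mine, and the sources are a subset of the ones quoted above. The builder also rejects the classic mistake of an unquoted keyword such as `self`, which browsers would otherwise treat as a host name.

```php
<?php
declare(strict_types=1);

// CSP keywords must appear single-quoted in the header; an unquoted "self" parses as a host.
const CSP_KEYWORDS = ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic'];

// Fresh per-response nonce: 16 bytes of CSPRNG output, base64-encoded as the nonce- grammar requires.
function cspNonce(): string
{
    return base64_encode(random_bytes(16));
}

// Serialise a structured policy: directive => list of sources, or directive => true
// for valueless directives such as upgrade-insecure-requests.
function buildCsp(array $policy): string
{
    $directives = [];
    foreach ($policy as $name => $sources) {
        if ($sources === true) {
            $directives[] = $name;
            continue;
        }
        foreach ($sources as $source) {
            if (in_array($source, CSP_KEYWORDS, true)) {
                throw new InvalidArgumentException("CSP keyword '$source' in $name must be quoted");
            }
        }
        $directives[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $directives);
}

$nonce = cspNonce();

// Grouping sources by the feature they serve documents *why* each host is allowed.
$analytics = ['https://www.google-analytics.com/'];
$twitter   = ['https://platform.twitter.com/', 'https://syndication.twitter.com/'];

$policy = [
    'default-src'               => ["'none'"],
    'script-src'                => array_merge(["'self'", "'nonce-$nonce'", "'strict-dynamic'"], $analytics),
    'img-src'                   => array_merge(["'self'", 'data:', 'https://pbs.twimg.com/'], $analytics),
    'frame-src'                 => $twitter,
    'frame-ancestors'           => ["'none'"],
    'object-src'                => ["'none'"],
    'base-uri'                  => ["'self'"],
    'block-all-mixed-content'   => true,
    'upgrade-insecure-requests' => true,
];

if (!headers_sent()) {          // header() is a no-op once the body has started
    header('Content-Security-Policy: ' . buildCsp($policy));
}
// Emit the same $nonce on every inline <script nonce="..."> the page renders.
```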


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/VOtoOOMi2TY/secure-headers-for-php


Show HN: Kitty – A modern, hackable, featureful, OpenGL based terminal emulator

README.asciidoc

Supports tiling multiple terminal windows side by side in different
layouts without needing to use an extra program like tmux

Supports all modern terminal features: unicode, true-color, mouse
protocol, focus tracking, bracketed paste and so on.

Allows you to view the scrollback buffer in a separate window
using your favorite pager program such as less

Supports startup sessions which allow you to specify the window/tab layout,
working directories and programs to run on startup.

Easily hackable (UI layer written in python, inner loops in C for
speed). Less than ten thousand lines of code.

Uses OpenGL+FreeType for rendering, does not depend on any GUI
toolkits, offloads rendering work to the GPU for lower system load.

Cross-platform support: kitty currently works only on linux, but because it
uses only OpenGL+FreeType for rendering, it should be trivial to port to
other platforms. See 5 for porting to OS X.

Installation

kitty is designed to run from source, for easy hackability. Make sure
the following dependencies


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/ZSf3EjjSU9w/kitty


Kodak Is Bringing Back Ektachrome Film

sandbagger writes: Kodak, the film stock maker, is bringing back the Ektachrome film stock that was the popular alternative to its other product, Kodachrome. The Ektachrome is more sensitive to the cool side of the spectrum as opposed to the warmer Kodachrome. Apparently the product will be back on shelves later this year. “The reintroduction of one of the most iconic films is supported by the growing popularity of analog photography and a resurgence in shooting film,” Kodak Alaris says. “Resurgence in the popularity of analog photography has created demand for new and old film products alike. Sales of professional photographic films have been steadily rising over the last few years, with professionals and enthusiasts rediscovering the artistic control offered by manual processes and the creative satisfaction of a physical end product.”

Read more of this story at Slashdot.


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/swilQHN1lmI/kodak-is-bringing-back-ektachrome-film


Google kills Hangouts API

Google is retiring the Hangouts API, meaning that apps relying on it will stop working. The announcement was made very quietly via email and an updated FAQ, and the change takes effect before the end of April. The official cut-off date is 25 April, and after this date apps that use the API will cease to function — most of them, at least. With immediate effect, it is no longer possible to create new apps that use the API. While Google does not say as much, the move is likely part of its push of Duo as a replacement for…


Original URL: http://feeds.betanews.com/~r/bn/~3/TTrbSeAmNDE/


LG signals plan to put Wi-Fi in every appliance it releases in 2017

In the past few years, products at CES have increasingly focused on putting the Internet in everything, no matter how “dumb” the device in question is by nature. It’s how we’ve ended up with stuff like this smart hairbrush, this smart air freshener, these smart ceiling fans, or this $100 pet food bowl that can order things from Amazon.
Now that phenomenon is reaching its logical endpoint: during the company’s CES press conference today, LG marketing VP David VanderWaal says that “starting this year” all of LG’s home appliances will feature “advanced Wi-Fi connectivity.” One of the flagship appliances that will make good on this promise is the Smart Instaview Refrigerator, a webOS-powered Internet-connected fridge that among other things supports integration with Amazon’s Alexa service.
Alexa isn’t an inherently bad fit for a refrigerator, which like the Amazon Echo itself can just sit in the corner of your kitchen awaiting your command. The main


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/S1hdh5mKQts/

