The use of
In most cases, document.write() can be replaced by inserting
Google has recently changed Chrome's default behavior so that, when on a slow (currently 2G) connection, scripts injected via document.write() are warned about or blocked; discussions have also leaned toward including any slow connection.
As such, right now, the following will occur on slow (2G) connections:
- Chrome 53+ (warning displayed in debugger console)
- Chrome 55+ (blocked – code will not execute, warning message will appear in debugger console)
For users on slow connections, such as 2G, external scripts dynamically injected via document.write() can delay the display of main page content for tens of seconds, or cause pages to either fail to load or take so long that the user just gives up. Based on instrumentation in Chrome, we’ve learned that pages featuring third-party scripts inserted via document.write() are typically twice as slow to load as other pages on 2G.
My advice – remove all use of document.write() for required content in your code now, as your users MAY NOT see that content if you do not.
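The replacement the advice above points at, as an added example that is not part of the original post: a third-party script is loaded by inserting a script element instead of calling document.write(), so it downloads asynchronously and is not subject to Chrome's slow-connection intervention. `makeStubDocument` is a constructed stand-in for the browser's `document` so the helper can be exercised under Node; in a real page, pass `document`.

```javascript
// Added example (not the post's code). Replaces a call such as
//   document.write('<script src="' + src + '"></script>');
// with an inserted <script> element. Use absolute URLs for src: the DOM's
// script.src getter returns the resolved URL, which the duplicate check compares.
function insertScript(doc, src) {
  const parent = doc.head || doc.body;
  // document.write call sites that ran on every page view are easy to convert
  // twice; reuse a script element that already carries the same src.
  for (const node of parent.childNodes) {
    if (node.tagName === 'SCRIPT' && node.src === src) return node;
  }
  const script = doc.createElement('script');
  script.src = src;
  script.async = true; // download without blocking the HTML parser
  parent.appendChild(script);
  return script;
}

// Constructed minimal stand-in for `document` (not a real DOM), only so the
// helper above can run and be checked outside a browser.
function makeStubDocument() {
  const head = {
    childNodes: [],
    appendChild(node) { this.childNodes.push(node); return node; },
  };
  const createElement = (tag) => ({ tagName: tag.toUpperCase(), src: '', async: false });
  return { head, createElement };
}
```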
“SameSite=strict” value set to reduce CSRF exposure in section A8.
Consider using the “SameSite=strict” flag on all cookies, which is increasingly supported in browsers.
Similar to the way that Secure attributes have been added, SameSite allows for additional control.
Per the documentation, as of April 2017 the SameSite attribute is implemented in Chrome 51 and Opera 39. Firefox has an open defect, but I would expect it to be added soon to follow Chrome.
Set-Cookie: CookieName=CookieValue; SameSite=Lax;
Set-Cookie: CookieName=CookieValue; SameSite=Strict;
According to the specification, you can issue the SameSite flag without a value, and Strict will be assumed:
Set-Cookie: CookieName=CookieValue; SameSite
As many programming languages and server runtime environments do not yet support this for session cookies, you can use the Apache (tier 1) configuration, via mod_headers, to append them:
Header edit Set-Cookie ^(JSESSIONID.*)$ $1;SameSite=Strict
Header edit Set-Cookie ^(PHPSESSID.*)$ $1;SameSite=Strict
It looks like php.ini might support the following attribute in a future release, but it’s not there yet!
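As an added example (not code from the original post), the following audits Set-Cookie headers for the SameSite attribute and appends SameSite=Strict only to session cookies that lack it, which is the check the unconditional Apache "Header edit" regexes above do not perform. It follows the post's reading that a bare SameSite means Strict; the cookie names JSESSIONID and PHPSESSID come from the post, and the sample header values are constructed.

```javascript
// Added example (not the post's code). Sample cookie values are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }; attrs maps
// lower-cased attribute names to their values ('' for a value-less attribute).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? '' : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Effective SameSite mode ('strict', 'lax', ...) or null when the attribute is
// absent. A bare "SameSite" with no value is read as Strict, as the post states.
function sameSiteMode(header) {
  const { attrs } = parseSetCookie(header);
  if (!Object.prototype.hasOwnProperty.call(attrs, 'samesite')) return null;
  return attrs.samesite === '' ? 'strict' : attrs.samesite.toLowerCase();
}

// Append SameSite=Strict to a session cookie that has no SameSite attribute.
// Unlike the regex append in the Apache configuration, a cookie the application
// already marked (e.g. SameSite=Lax) is left alone instead of gaining a second
// attribute; non-session cookies are passed through untouched.
function ensureSameSiteStrict(header, sessionNames = ['JSESSIONID', 'PHPSESSID']) {
  const { name } = parseSetCookie(header);
  if (!sessionNames.includes(name) || sameSiteMode(header) !== null) return header;
  return header.replace(/;?\s*$/, '') + '; SameSite=Strict';
}

// Constructed sample headers, as an application server might emit them.
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/; HttpOnly',
  'PHPSESSID=def456; Path=/; SameSite=Lax',
  'prefs=dark; Path=/; SameSite',
];

// For each sample: the detected mode and the header after hardening.
function auditSamples(headers = SAMPLE_HEADERS) {
  return headers.map((h) => ({ original: h, mode: sameSiteMode(h), hardened: ensureSameSiteStrict(h) }));
}
```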
As a bonus, it is packaged as a webjar and available in Maven Central:
You might be tempted to use the full capabilities of your browser to do things such as font-smoothing, but it’s not a good idea, as it is often overused and the browser/OS will generally do its best on its own.
Both Firefox and Safari support this CSS property as follows:
NOTE: If you’re using something like Glyphicons (included with Bootstrap) you might have some use for this because of the way that fonts are used for icons.
Once in a while, the web development community reintroduces old ideas in a new way. Years ago, there was a concept called ECML (E-Commerce Markup Language) that added an HTML attribute to identify values in a FORM that could be auto-filled from a user’s “virtual wallet”. Sadly, while it was implemented on a variety of websites (mine included), it was not widely supported and disappeared.
The concept has been reintroduced as values of the ‘autocomplete’ attribute in HTML5. Traditionally this attribute was only used to prevent auto-filling of values; now it can also identify which kind of value a field holds so that it can be pre-filled.
The usual payment, address and demographic fields (and variations of each) are supported.
<input type="text" name="ccnum" autocomplete="cc-number" value="" />
Sometimes, it is possible to improve the performance of Ubuntu on older hardware by modifying the disk swapping behavior.
Check your current setting:
cat /proc/sys/vm/swappiness
To modify the behavior, just change the value and reboot. Most documentation recommends trying a value of 10.
sudo vi /etc/sysctl.conf
Add (or change):
# Decrease swappiness value (default:60)
vm.swappiness=10
To allow for repeatable, faster builds in a continuous build environment, it’s often a good idea to use a central repository to cache common assets and prevent the need to download assets from the internet for each build. Using Nexus allows for those transfers to occur over your local network for previously downloaded assets.
You can download the WAR from:
And install on your Java application server, such as Apache Tomcat, via normal means.
If you are using Maven, you’ll need to make appropriate changes in (/.m2/settings.xml) to direct your builds to use Nexus.
Jenkins and other build automation tools will require similar changes.
With a few simple steps, Google Chrome can be installed on Ubuntu.
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
sudo apt-get update
sudo apt-get install google-chrome-stable
sudo apt-get install google-chrome-beta
After a lot of use, your history file can fill up with old commands… once in a while, it can be useful (and safer) to clean them up.
NOTE: this can be especially important if you have ever used a password as a command line parameter, as it is stored unencrypted in a plain text file.
cat /dev/null > ~/.bash_history && history -c && exit
Many common administrative services such as VPN and SSH are exposed on well-known port numbers; unfortunately, this makes it easy for hackers to use automated tools to attempt to access the systems. Countermeasures such as Fail2Ban can block them after a few failed attempts.
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/fail2ban.log -index main -sourcetype Fail2Ban
sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf
[monitor:///var/log/fail2ban.log]
disabled = false
index = main
sourcetype = Fail2Ban
sudo service fail2ban restart