As the web has been shifting to HTTPS for security and performance reasons, there are many methods to migrate users. One simple method is to use the Content-Security-Policy header.
Most modern browsers, except MSIE, currently support this approach.
– Chrome 43+
I’ve been using Maven for years, but once in a while forget to ‘clean’ before building, resulting in old artifacts being included in the output. This can be problematic when refactoring for security items. Thankfully, it is very easy to add a ‘clean’ step to your pom.xml to force clean each build.
BONUS – the plugin has some additional capabilities; specifically, you can specify files outside of ‘target’ to be removed. This can be useful for any custom reporting or logging that you might create.
The Maven clean plug-in can be added to the pom.xml as such:
The use of
In most cases, document.write() can be replaced by inserting
Google has recently changed Chrome’s default behavior on slow (currently 2G) connections, and discussions have also leaned toward including any slow connection.
As such, right now, the following will occur on slow (2G) connections:
- Chrome 53+ (warning displayed in debugger console)
- Chrome 55+ (blocked – code will not execute, warning message will appear in debugger console)
For users on slow connections, such as 2G, external scripts dynamically injected via document.write() can delay the display of main page content for tens of seconds, or cause pages to either fail to load or take so long that the user just gives up. Based on instrumentation in Chrome, we’ve learned that pages featuring third-party scripts inserted via document.write() are typically twice as slow to load than other pages on 2G.
My advice – remove all use of document.write() for required content in your code now, as your users MAY NOT see that content if you do not.
“SameSite=strict” value set to reduce CSRF exposure in section A8.
Consider using the “SameSite=strict” flag on all cookies, which is increasingly supported in browsers.
Similar to the way that Secure attributes have been added, SameSite allows for additional control.
Per the documentation, as of April 2017 the SameSite attribute is implemented in Chrome 51 and Opera 39. Firefox has an open defect, but I would expect it to be added soon to follow Chrome.
Set-Cookie: CookieName=CookieValue; SameSite=Lax;
Set-Cookie: CookieName=CookieValue; SameSite=Strict;
According to the specification you can issue the SameSite flag without a value and Strict will be assumed:
Set-Cookie: CookieName=CookieValue; SameSite
As many programming languages and server runtime environments do not yet support this for session cookies, you can use the Apache Tier1 configuration to append them.
Header edit Set-Cookie ^(JSESSIONID.*)$ $1;SameSite=Strict
Header edit Set-Cookie ^(PHPSESSID.*)$ $1;SameSite=Strict
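An added example (not part of the original post) that applies the intent of the two Header edit rules above to Set-Cookie values: it reports each cookie's SameSite state and appends SameSite=Strict only to the named session cookies that lack it. The sample headers are constructed and the function names are hypothetical; unlike the Apache regex, it matches the cookie name exactly and never appends a second SameSite attribute.

```python
# Session cookie names taken from the Apache rules above.
SESSION_COOKIES = ("JSESSIONID", "PHPSESSID")

# Constructed sample Set-Cookie values (not captured from a real server).
SAMPLE = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "PHPSESSID=def456; path=/; SameSite=Lax",
    "theme=dark; Path=/",
    "JSESSIONID=ghi789; Secure; SameSite",
]

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {attribute: value-or-None})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag-style attributes (Secure, HttpOnly, bare SameSite) have no value.
        attrs[key.strip().lower()] = val.strip() if "=" in part else None
    return name, attrs

def samesite_status(value):
    """Return 'missing', 'implicit' (flag without a value) or the lowercased value."""
    _, attrs = parse_set_cookie(value)
    if "samesite" not in attrs:
        return "missing"
    val = attrs["samesite"]
    return val.lower() if val else "implicit"

def append_samesite(value, names=SESSION_COOKIES):
    """Append SameSite=Strict to a named session cookie only when it is absent."""
    name, _ = parse_set_cookie(value)
    if name in names and samesite_status(value) == "missing":
        return value.rstrip("; ") + "; SameSite=Strict"
    return value

def audit(headers):
    """Return (status before, rewritten value) for each Set-Cookie value."""
    return [(samesite_status(h), append_samesite(h)) for h in headers]

if __name__ == "__main__":
    for status, rewritten in audit(SAMPLE):
        print(f"{status:9} -> {rewritten}")
```

A cookie reported as 'implicit' carries the flag without a value; setting the value explicitly removes any dependence on how a given browser interprets the bare flag.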
It looks like PHP.INI might support the following attribute in a future release, but it’s not there yet!
As a bonus, it is packaged as a webjar and available in Maven Central:
You might be tempted to use the full capabilities of your browser to do things such as font-smoothing, but it’s not a good idea as it is often overused and the Browser/OS will generally do its best.
Both Firefox and Safari have support of this CSS attribute as follows:
NOTE: If you’re using something like Glyphicons (included with Bootstrap) you might have some use for this because of the way that fonts are used for icons.
Once in a while, the web development community reintroduces old ideas in a new way. Years ago, there was a concept called ECML (E-Commerce Markup Language) that added an HTML attribute to identify values in a FORM that could be auto-filled from a user’s “virtual wallet”. Sadly, while it was implemented on a variety of websites (mine included), it was not widely supported and disappeared.
The concept has been reintroduced as values in the ‘autocomplete’ attribute in HTML5. Traditionally this attribute was only used to prevent auto-filling of values; now it can identify which values it is related to for pre-fill.
The usual payment, address and demographic fields (and variations of each) are supported.
<input type="text" name="ccnum" autocomplete="cc-number" value="" />
Sometimes, it is possible to improve the performance of Ubuntu on older hardware by modifying the disk swapping behavior.
Check your current setting:
To modify the behavior, just change the value and reboot. Most documentation recommends trying a value of 10.
sudo vi /etc/sysctl.conf
Add (or change):
# Decrease swappiness value (default:60)
To allow for repeatable, faster builds in a continuous build environment, it’s often a good idea to use a central repository to cache common assets and prevent the need to download assets from the internet for each build. Using Nexus allows for those transfers to occur over your local network for previously downloaded assets.
You can download the WAR from:
And install on your Java application server, such as Apache Tomcat, via normal means.
If you are using Maven, you’ll need to make appropriate changes in (/.m2/settings.xml) to direct your builds to use Nexus.
Jenkins and other build automation tools will require similar changes.
With a few simple steps, Google Chrome can be installed on Ubuntu.
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
sudo apt-get update
sudo apt-get install google-chrome-stable
sudo apt-get install google-chrome-beta