Usually, you might have a simple rule to prevent users from accessing sensitive files such as “.htaccess”; that rule might look like:
Deny from all
You can also use this capability to block other file extensions. For example, if you wanted to block common image format extensions, you might add the following:
Deny from all
Some other file extensions to consider:
*.bak, *.old, *.inc
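The deny rules described above, written out in full as an added example (this is not the original post's configuration). The patterns cover ".ht*" files and the three extensions listed; splitting the rules with IfModule between Apache 2.4 and 2.2 access-control syntax is an assumption about which server versions are in use.

```apache
# Added example: block direct download of sensitive files.
# Intended for httpd.conf or a virtual host definition.

# Apache 2.4 and newer: mod_authz_core provides "Require".
<IfModule mod_authz_core.c>
    # .htaccess, .htpasswd and any other file whose name starts with ".ht"
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>

    # Backup copies and include files left in the document root
    <FilesMatch "\.(bak|old|inc)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2: the older Order/Deny syntax, matching "Deny from all" above.
<IfModule !mod_authz_core.c>
    <FilesMatch "^\.ht">
        Order allow,deny
        Deny from all
    </FilesMatch>

    <FilesMatch "\.(bak|old|inc)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

With these rules loaded, a request for a matching file is answered with 403 Forbidden instead of the file's contents.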
In these examples, I have used the OpenDNS servers; please change as appropriate.
sudo vi /etc/network/interfaces
auto lo eth0
iface lo inet loopback
iface eth0 inet static
dns-nameservers 22.214.171.124 126.96.36.199
sudo vi /etc/resolv.conf
NOTE: I’m not 100% sure if this is required!
Add appropriate content, example:
sudo restart networking
sudo ifdown eth0 && sudo ifup eth0
There are a few steps that I generally take to set up a new Tomcat server instance. They enable the following:
- The manager console
- HTTP compression
- UTF-8 encoding
- tomcat-users.xml – add to bottom:
<user username="tomcat" password="s3cr3t" roles="manager-gui"/>
- server.xml – add compression and URIEncoding, change port if desired:
<Connector port="8080" protocol="HTTP/1.1"
redirectPort="8443" compression="on" URIEncoding="UTF-8" />
- server.xml – relocate webapps by adding ../ to appBase
<Host name="localhost" appBase="../webapps"
- Restart your server, on Ubuntu use:
sudo service tomcat7 restart
To prevent XSS/CSRF exploits in MSIE8 and newer, it’s often best to close as many attack vectors as possible. An easy one to implement is an HTTP header that stops MSIE from “sniffing” the content and changing the content type when it thinks the declared one is incorrect.
Example: we would not want an HTML page intentionally served with ‘text/plain’ to be rendered as HTML.
This could be added programmatically to pages in your application, via a servlet or servlet filter, or added to the httpd.conf file.
Apache2 example: httpd.conf
Header set X-Content-Type-Options nosniff
After updating the JDK on my development workstations, NetBeans started reporting the following at each start up.
Cannot locate java installation in specified jdkhome:
Do you want to try to use default version?
[ Yes | No ]
Thankfully, after a little searching, I found that the solution is very simple. You can change the value or comment it out with a # in:
C:\Program Files\NetBeans #.#.#\etc\netbeans.conf
In my testing, you don’t need to fully embrace HTML5 markup to take advantage of the “offline” functionality; you simply need to add the attribute and related files to your existing website/page. Any modern browser that supports HTML5 should automatically recognize the offline content and use it when appropriate. Unfortunately, no version of MSIE yet supports this.
In that file, you must then specify the offline behavior; something like this is a good start:
#This is to provide minimal HTML5 offline capabilities
#MIME mapping must be 'appcache=text/cache-manifest'
#Reference to this file is per page, you can have different ones in an app.
#Common image files and css may be 'cached'
On the server side, you’ll have to serve up that file with the appropriate MIME type (text/cache-manifest). For Apache HTTPD, you simply need to add one line to httpd.conf:
AddType text/cache-manifest .appcache
Occasionally, you need to enable the use of .htaccess files for the domains hosted on your Apache server. This technique is particularly useful when you host websites for external clients (or developers).
The steps to enable it are relatively easy:
- Uncomment the ‘httpd.conf’ line that reads as:
LoadModule rewrite_module modules/mod_rewrite.so
- Review (and replace as appropriate) all cases of:
AllowOverride None with
in the following files:
httpd.conf, /extra/httpd-vhosts.conf, /extra/httpd-autoindex.conf and any related files you may be using.
- Add the .htaccess file into the appropriate websites/folders
- Restart the server to accept the changes
NOTE: If you develop or host on Windows, you’ll likely have problems creating the file because there is no filename, just a file extension. You can create (or download) it from any non-Windows host and use it without additional changes. Apache does let you use a different filename, but you also need to be careful to update related security configuration that is used to prevent download of such files.