http – Which security headers should be sent with static files such as css/js/images

Of the security headers listed here: https://owasp.org/www-project-secure-headers/, which ones should be sent with static files (CSS, JS, images, etc.) and what does setting each of them achieve in that context? Assume a situation where they are already set strictly in the HTML response.

I have added my current assumptions, followed by my thoughts on which header value to set:

  • HTTP Strict Transport Security (HSTS)
    • I assume it makes sense to set this to avoid static files being sent over HTTP
    • Strict-Transport-Security: max-age=31536000
  • Content-Security-Policy
    • I assume most of the src destinations would be enforced by the CSP from the HTML anyway; frame-ancestors would stop someone loading your files in an iframe, but not from just loading them directly, so is it pointless?
  • X-Frame-Options
    • Same assumption as for CSP: it would stop another domain loading the file in an iframe, but not loading it directly, so there is no point?
  • X-Content-Type-Options
    • This makes sense to set, although I’m still not sure if it’s needed when it is already set on the original HTML response.
    • X-Content-Type-Options: nosniff
  • Referrer-Policy
    • I assume there’s no benefit to having the Referer header sent anyway
    • Referrer-Policy: no-referrer
  • X-XSS-Protection
    • OWASP, in the link above, now recommends setting this to 0 everywhere, which I didn’t know until I wrote this question… Can XSS be achieved inside a static file anyway?
    • Do I need to change everything from X-XSS-Protection: 1; mode=block to X-XSS-Protection: 0, including on static files?

I saw the following question, but it is quite old, has just one answer and makes no reference to CSP.
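An added example, not part of the question above: a small audit function that checks a static-asset response for the headers the question proposes (HSTS with the one-year max-age, X-Content-Type-Options: nosniff, Referrer-Policy, and X-XSS-Protection set to 0 as OWASP now recommends). It also checks that the Content-Type fits the asset, because with nosniff a browser refuses to run a script or apply a stylesheet whose type is wrong, which is why that header matters on the asset response itself and not only on the HTML. The one-year minimum and the expected-type table are this example’s own assumptions; the two header sets are constructed, not captured traffic.

```python
import re

# One year in seconds: the max-age proposed above, used here as the minimum (assumption).
HSTS_MIN_MAX_AGE = 31536000

# Hypothetical expectation table for this example: the Content-Type a browser
# must see on a script or stylesheet response when nosniff is set.
EXPECTED_TYPES = {
    ".js": {"application/javascript", "text/javascript"},
    ".css": {"text/css"},
}


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def parse_hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, or None.

    Directive names are case-insensitive and the value may be quoted (RFC 6797).
    """
    for directive in value.split(";"):
        match = re.fullmatch(r'\s*max-age\s*=\s*"?(\d+)"?\s*', directive, re.IGNORECASE)
        if match:
            return int(match.group(1))
    return None


def audit_asset_headers(path, headers):
    """Return the findings for one static-asset response (empty list = pass)."""
    findings = []

    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age too low or absent: {hsts!r}")

    if (get_header(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    xss = get_header(headers, "X-XSS-Protection")
    if xss is not None and xss != "0":
        findings.append(f"X-XSS-Protection should be 0, got {xss!r}")

    if get_header(headers, "Referrer-Policy") is None:
        findings.append("Referrer-Policy missing")

    # With nosniff a browser refuses a script or stylesheet whose Content-Type
    # does not match, so the type on the asset response itself must be right.
    name = path.rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    ctype = (get_header(headers, "Content-Type") or "").split(";")[0].strip().lower()
    if ext in EXPECTED_TYPES and ctype not in EXPECTED_TYPES[ext]:
        findings.append(f"Content-Type {ctype or 'missing'} does not fit a {ext} asset")

    return findings


# Constructed sample responses for a stylesheet, not captured traffic.
GOOD_HEADERS = {
    "Content-Type": "text/css; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "X-XSS-Protection": "0",
}
WEAK_HEADERS = {
    "content-type": "text/plain",
    "strict-transport-security": "max-age=0",
    "x-xss-protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_asset_headers("/static/css/app.css", hdrs) or ["no findings"])
```

The function deliberately says nothing about Content-Security-Policy or X-Frame-Options, since the question is still weighing whether they do anything on a non-HTML response; it only reports on the headers whose effect on an asset response is not in doubt.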

hooks – Using Batch API to build huge CSV files for custom exports in drupal 8

I want to build huge CSV files for custom exports by getting records from the database. My records contain 10 columns and about 1 lakh (100,000) rows. So for a huge CSV I want to use batch_set(), something like this.

<?php

use Symfony\Component\HttpFoundation\Response;

$account = "saving";
$database = \Drupal::database();
// The original query was missing its closing quote; the column list now matches
// the CSV header below. {table} is Drupal's placeholder for a prefixed table name.
$query = $database->query("SELECT DISTINCT name, address, phone, mobile, salary, account, branch, pin FROM {table}")->fetchAll();

$handle = fopen('php://temp', 'w+');
$header = [
  'Name',
  'Address',
  'Phone',
  'Mobile',
  'Salary',
  'Account',
  'Branch',
  'Pin',
];
fputcsv($handle, $header);
foreach ($query as $data_result) {
  // Every row must emit one value per header column, in header order;
  // a column that a branch does not export is written as an empty string.
  if ($account != "saving") {
    $data = [
      'name' => $data_result->name,
      'address' => $data_result->address,
      'phone' => $data_result->phone,
      'mobile' => $data_result->mobile,
      'salary' => $data_result->salary,
      'account' => '',
      'branch' => $data_result->branch,
      'pin' => $data_result->pin,
    ];
  }
  else {
    $data = [
      'name' => $data_result->name,
      'address' => $data_result->address,
      'phone' => $data_result->phone,
      'mobile' => $data_result->mobile,
      'salary' => $data_result->salary,
      'account' => $data_result->account,
      'branch' => $data_result->branch,
      'pin' => '',
    ];
  }

  fputcsv($handle, array_values($data));
}
rewind($handle);
$csv_data = stream_get_contents($handle);
fclose($handle);
// $csvfilename was undefined in the original; any download name will do here.
$csvfilename = 'export.csv';
$response = new Response();
$response->headers->set('Content-Type', 'text/csv');
$response->headers->set('Content-Disposition', 'attachment; filename="' . $csvfilename . '"');
$response->setContent($csv_data);
return $response;

docker – Why my nginx server is sending css files as text/plain?

I’m currently working with nginx to serve my compiled React project (static files) and to act as a reverse proxy as well. But when I upload the files I get the website without my custom fonts. I believe that it is because the request for the CSS files is returning the CSS file as text/plain and not as a CSS file. I don’t know why and I’d like your help. I’m adding the Dockerfile, nginx.conf and mime.types.
Dockerfile

FROM nginx:1.14.2-alpine

RUN mkdir -p /run/nginx && \
    apk add nginx-mod-http-lua

WORKDIR /usr/src/app

COPY build /usr/src/app/build
COPY mime.types /usr/src/app
COPY nginx.conf /usr/src/app

EXPOSE 8080

CMD ["nginx", "-c", "/usr/src/app/nginx.conf", "-g", "daemon off;"]

nginx.conf

load_module /usr/lib/nginx/modules/ndk_http_module.so;
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;

env DB_API;

pcre_jit on;

events {

}

http {

    lua_load_resty_core off;

    include /usr/src/app/mime.types;
    default_type  application/octet-stream;

    sendfile on;

    server {
        listen 8080;

        set_by_lua $db_api 'return os.getenv("DB_API")';

        location /db/ {
            rewrite ^/db(.*)$ $1 break;
            proxy_pass $db_api/clientToDBApi$uri$is_args$args;
        }

        location /static/css/ {
            add_header Content-Type text/css;
            expires 168h;
        }

        location / {
            root /usr/src/app/build;
            index index.html;
            try_files $uri $uri/ /index.html;
        }
    }
}

mime.types

types {
  text/html                             html htm shtml;
  text/css                              css;
  image/jpeg                            jpeg jpg;
  application/x-javascript              js;
  text/plain                            txt;
  image/png                             png;
  image/x-icon                          ico;
  application/pdf                       pdf;
  application/x-rar-compressed          rar;
  application/zip                       zip;
  application/octet-stream              bin exe dll;
  application/octet-stream              iso img;
  application/octet-stream              msi msp msm;
  audio/mpeg                            mp3;
  video/mpeg                            mpeg mpg;
  video/quicktime                       mov;
  video/x-flv                           flv;
  video/x-msvideo                       avi;
  video/x-ms-wmv                        wmv;
  video/x-ms-asf                        asx asf;
  video/x-mng                           mng;
}
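An added example, not part of the question: a resolver that applies an nginx `types { }` block the way nginx does (extension after the last dot of the last path segment, lowercased, falling back to `default_type`). Run against the mime.types posted above, it shows that `.css` resolves to text/css and `.js` to application/x-javascript, so nothing in that table produces text/plain for a stylesheet; it also shows that the table has no entries for font formats such as woff2, which therefore go out as application/octet-stream. Two things worth checking in the vhost while debugging: `add_header` appends a header line rather than replacing the Content-Type nginx derives from the table, and `root` is not inherited from a sibling block, so `location /static/css/` has no root of its own. The embedded config string is a copy of the posted table, not a file read from disk.

```python
import re

# The mime.types posted above, embedded as a constructed string so the example
# runs offline. Note that it has no entries for font formats (woff, woff2, ttf) or svg.
MIME_TYPES_CONF = """
types {
  text/html                             html htm shtml;
  text/css                              css;
  image/jpeg                            jpeg jpg;
  application/x-javascript              js;
  text/plain                            txt;
  image/png                             png;
  image/x-icon                          ico;
  application/pdf                       pdf;
  application/x-rar-compressed          rar;
  application/zip                       zip;
  application/octet-stream              bin exe dll;
  application/octet-stream              iso img;
  application/octet-stream              msi msp msm;
  audio/mpeg                            mp3;
  video/mpeg                            mpeg mpg;
  video/quicktime                       mov;
  video/x-flv                           flv;
  video/x-msvideo                       avi;
  video/x-ms-wmv                        wmv;
  video/x-ms-asf                        asx asf;
  video/x-mng                           mng;
}
"""

# default_type from the posted nginx.conf.
DEFAULT_TYPE = "application/octet-stream"


def parse_types(conf):
    """Parse an nginx `types { ... }` block into {extension: mime_type}."""
    body = re.search(r"types\s*\{(.*?)\}", conf, re.DOTALL)
    if body is None:
        raise ValueError("no types block found")
    table = {}
    for entry in body.group(1).split(";"):
        parts = entry.split()
        if len(parts) < 2:
            continue  # blank tail after the last ';'
        mime, extensions = parts[0], parts[1:]
        for ext in extensions:
            table[ext.lower()] = mime  # nginx lowercases the extension before lookup
    return table


def resolve_content_type(uri, table, default_type=DEFAULT_TYPE):
    """Mimic nginx's lookup: the text after the last '.' of the last path
    segment, lowercased, looked up in the types table, else default_type."""
    name = uri.rsplit("/", 1)[-1]
    if "." not in name:
        return default_type
    ext = name.rsplit(".", 1)[-1].lower()
    return table.get(ext, default_type)


if __name__ == "__main__":
    table = parse_types(MIME_TYPES_CONF)
    for uri in ("/static/css/main.3f2a.css", "/static/js/main.js",
                "/static/media/Roboto.woff2", "/logo.SVG"):
        print(uri, "->", resolve_content_type(uri, table))
```

A quick way to compare this against the live container is `curl -sI http://localhost:8080/static/css/main.css` and reading the Content-Type line(s) it returns; two Content-Type lines in one response point at the `add_header` directive.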

javascript – Remove JS files from being loaded through require-js

I am optimizing the page speed of my Magento 2 frontend.
Everything is logical so far… CSS files can be removed through XML, everything should be minified, lazy loaded and so on.

BUT:
The size of all the JavaScript files that are loaded is 12 MB (!!!).
That is insane, sorry.
There is so much unused crap loaded, like:

unused JS files

datepicker.js, timepicker.js, spectrum.js, tinycolor.js and so on… are just a few examples.

I know the Magento 2 UI component / model structure is complicated, but how can I prevent all these JS files from being loaded?
They are not used and I have no idea how to prevent these unnecessary bytes from completely destroying my page speed.

I just want to remove these JS files, or complete modules, like removing CSS files. Can anyone help me with an example?

Thank you.

8 – Using Feeds, how to import D7 files and images into a D8 media field

Looking for a method for importing D7 files and images with multiple values into a D8 media field. Any recommendations out there?

The official Feeds issue doesn’t have much activity and seems to have strayed off-topic.

Feeds Migrate module is not stable and not recommended for use in production.

I have also tried a module called Media Fields, but ran into a problem with multiple-value fields.

Upgrading to Drupal 8 using core’s Migrate Drupal module is not suitable because I only want to import data belonging to a single content type.

I don’t do much code so would prefer to avoid the Migrate route.

Can anyone provide a site builder method for getting this done?

Why does Google Drive have a “change ownership” option for files that don’t support it?

You can only transfer ownership of Google files and folders

https://support.google.com/drive/answer/2494892

Due to this quote, as shown in How can I transfer ownership of a file in Google Drive that isn’t part of Docs?, in the past there was no option to attempt transferring ownership of non-Google files (PDF, etc.).

However, these days there is. But if you try to use it, it just fails with a “You can’t change the owner of this item” message:

Failed attempt to transfer ownership

What is the logic behind this? Is there any way to bypass this error and transfer such an ownership?

mac – How do I backup OS 9 system files?

I have a PowerBook G4 Titanium that I need to wipe to clear the previous user’s personal data. It has a password that I don’t know but I can still login automatically to OS X upon boot. Not having the administrative password is preventing me from wiping the computer through the options provided by the OS.

I have learned that these older Macs come with specific ROMs and extensions for the older OSs, and I would like to back these up. But I understand that this isn’t entirely straightforward due to aliasing and resource forks. The OS 9 part of the laptop was never used, so it is pristine and a good candidate for being backed up.

How do I go about backing up all of the necessary files in a way that I can restore them?

I selected the following files on the root partition and dropped them all at once into DropStuff:

  • Applications (Mac OS 9)/
  • Desktop (Mac OS 9)/ -> Desktop Folder/
  • Desktop Folder/
  • Desktop DB
  • Desktop DF
  • System Folder/
  • Trash/

Is this sufficient to preserve aliases and resources or do I need to do this differently?

I know very little about vintage Mac software and filesystems but I am very experienced with both Windows and Linux. Please feel free to be as technical as you like.

Disable (dot)php files from being executed (NGINX+PHP)

Question
I am wondering if my configuration was executing the hacked dot files before removal.

Setup
Ubuntu 18.04 LTS + NGINX + PHP 7.4

Issue
My WordPress site got hacked. The malware created a copy of each file and named it .(unknown) (note the dot in front).

This is what the hacked directory looks like:
index.php (normal)
.index.php (hacked, being executed I guess)

This is what my vhost looks like:

# Deny access to hidden files
  location ~ /\. {
      deny all;
  }
  location ~* /(?:uploads|files)/.*\.php$ {
      deny all;
  }
  location ~ ^/wp-includes/[^/]+\.php$ {
      deny all;
  }

(*) I did not make any adjustments to the standard php.ini, except raising the max_execution_time and some other limits.

Do you think this was enough to prevent PHP from executing these hacked files?

WordPress fix
This command automatically removes all dot PHP files from the /var/www directory:
find /var/www/ -type f -name '.*.php' # -delete   # UNCOMMENT -delete to actually delete

After that, I have deleted and manually downloaded new copies in /wp-content/plugins, /wp-content/themes, /wp-includes, /wp-admin and restored a back-up of /wp-content/uploads and /wp-content/languages. So yes, I think my WordPress site is clean now.
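An added example, not part of the post: a simulation of how nginx picks among the three regex `deny all` locations in the vhost (regex locations are tried in the order written, with an unanchored PCRE match, and the first match wins), written with the dots escaped as the standard WordPress hardening rules have them. It also reproduces what `find /var/www -type f -name '.*.php'` lists over a constructed sample tree, and cross-checks every hidden copy it finds against the deny rules. Rule names, the sample file layout and the temp directory are this example’s own. One caveat these rules cannot answer: they only apply to requests nginx routes to those locations, so a hidden copy that is `include`d by a legitimately served PHP file still runs; whether any `.index.php` was ever requested directly is a question for the access log.

```python
import os
import re
import tempfile

# The three regex locations from the vhost above, in the order nginx tries them
# (the first regex location that matches wins). The dots are escaped, as the
# standard WordPress hardening rules write them; an unescaped "/." would match
# a slash followed by any character at all.
DENY_LOCATIONS = [
    ("hidden-files", re.compile(r"/\.")),
    ("uploads-php", re.compile(r"/(?:uploads|files)/.*\.php$", re.IGNORECASE)),
    ("wp-includes-php", re.compile(r"^/wp-includes/[^/]+\.php$")),
]


def matching_deny_rule(uri):
    """Name of the first deny rule matching the request URI, or None.

    nginx runs an unanchored PCRE match on the URI, which is what re.search does.
    """
    for name, pattern in DENY_LOCATIONS:
        if pattern.search(uri):
            return name
    return None


def find_hidden_php(root):
    """What `find ROOT -type f -name '.*.php'` lists: files whose name starts
    with a dot and ends in .php, as sorted paths relative to root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if filename.startswith(".") and filename.endswith(".php"):
                rel = os.path.relpath(os.path.join(dirpath, filename), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed webroot mirroring the described infection: a dot-prefixed
    copy next to each original. Created in a temp dir; not a real site."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    for rel in (
        "index.php", ".index.php",
        "wp-includes/version.php", "wp-includes/.version.php",
        "wp-content/uploads/2020/image.jpg", "wp-content/uploads/2020/.image.php",
        "wp-content/themes/twenty/functions.php", "wp-content/themes/twenty/.functions.php",
    ):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // constructed sample file\n")
    return root


def directly_reachable_hidden_files(root):
    """Hidden .php files under root that no deny rule would block on a direct request."""
    return [rel for rel in find_hidden_php(root) if matching_deny_rule("/" + rel) is None]


if __name__ == "__main__":
    root = build_sample_tree()
    for rel in find_hidden_php(root):
        print(rel, "->", matching_deny_rule("/" + rel))
    print("reachable directly:", directly_reachable_hidden_files(root))
```

Note that the wp-includes rule only covers PHP files directly under that directory (`[^/]+` does not cross a slash), so a non-hidden dropper in a subdirectory there would still reach PHP-FPM; the hidden-file rule is the one that catches every dot-prefixed copy regardless of where it sits.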

Sharepoint Online get all files with no checked in version via powershell script with lists larger than 5000

I’m wondering if anyone has a solution to this. I’m trying to write a PowerShell script that would get all files that do not have a checked-in version, for lists with about 150k files and above. I’ve tried multiple options, but with each of them I either can’t get the list of files without a checked-in version or the document library size causes me issues. I’ve used multiple CAML queries and I can’t seem to get the results I’m looking for.

For this CAML query, it doesn’t give me the files without a checked-in version, only all the other files.

$Query = New-Object Microsoft.SharePoint.Client.CamlQuery
$Query.ViewXml = @"
<View Scope='RecursiveAll'>
  <Query>
    <OrderBy><FieldRef Name='ID' Ascending='TRUE'/></OrderBy>
  </Query>
  <RowLimit Paged="TRUE">$BatchSize</RowLimit>
</View>
"@

For this CAML query, I don’t get any results. It doesn’t seem to work in getting any results, even though I know there are files without a checked-in version.
$CAMLQuery = @"
<View Scope='RecursiveAll'>
  <Query>
    <Where>
      <IsNotNull><FieldRef Name='CheckoutUser'/></IsNotNull>
    </Where>
  </Query>
  <RowLimit Paged='TRUE'>500</RowLimit>
</View>
"@

Also, I’ve even tried using the below command; however, I can’t seem to get past the 5000 threshold limit. I get the error, The attempted operation is prohibited because it exceeds the list view threshold enforced by the administrator.
$List = $Ctx.Web.lists.GetByTitle($ListName)
$CheckedOutFiles1 = $List.GetCheckedOutFiles()
$Ctx.Load($List)
$Ctx.Load($CheckedOutFiles1)
$Ctx.ExecuteQuery()

I’ve even tried PnP, Get-PnPListItem, but this doesn’t seem to capture any of the files that have no checked in version.

None of the above options give me the results I’m looking for. Does anyone have a script that would give me a list of files that don’t have a checked-in version, or can anyone help me solve this problem? I can post my script if it would help in getting a resolution; I’m just stuck right now.

Thanks.