I come from a WordPress background, and within a WordPress theme you can do basically anything you want with the server, since a theme is just a collection of PHP files which are included into the application's core scripts. I believe this is one of the reasons you can't upload your own theme to use in WordPress.com.
That comes to the question: How exactly does Shopify (and maybe other platform as well) allow its user to upload their own themes and keep them sand-boxed?
Shopify does not allow anyone to actually upload any themes. Shopify (and hosted Wordpress) just allow people to alter the contents of scripts that get executed server-side.
Shopify is smart in that they made the theme templates that users can change safe. You can stick as much dumb-ass, ass-hat crap as you want in your theme, and nothing bad will happen to Shopify itself.
Contrast that with hosting your own Wordpress shop. Any idiot can upload idiotic crap as a theme and successfully break the server. As can any twelve year old script kiddie since PHP is not terribly secure as a scripting language.
Related
everyone.
I need to lock website for downloading via some windows tools and wget.
The site consists of js, html and php files.
I googled about security resource sharing, but it did not helpful for me.
Thank you.
As long as at the same time you need to have your website online available for everybody, this is not possible. If someone visits your site, the browser needs to access all files, in other words download them. You might be able to apply a few hacks to make it more difficult, but you can not prevent it completely.
If you want to restrict it to a defined audience, you can implement a login using for example HTTP Auth. How this can be achieved depends on your hosting. It might be doable using an .htaccess file in your web root or maybe through the admin interface of your hoster.
Your PHP file should be safe by the way, the above said applies to the public parts of your site (HTML/CSS/JavaScript/Images/...).
The SEO "guru" at my job has asked me to find out if it'd be possible to implement some sort of .htaccess magic that would make all external links on our CMS pop out of the browser and open in a different tab/window.
Is this even remotely possible? I know it could be done with JS but it'd be a pretty complicated task to modify all pages/content on our site to make it happen.
Any and all help will be appreciated!
Pretty sure that isn't possible via htaccess.
However, unless it is a weirdly coded CMS, then it should not be the complicated task you think.
A CMS will usually be built so that the content and template are in separate places, which should mean that you probably only need to update a single file in order to add code to the head of every page on the site, which could be a javascript to modify external links. You should not have to touch the content.
Likewise, many CMSs will use a plug-in system allowing you to do this easily enough.
Also: A CMS will usually store content in a database, so a good database query could also replace all the links in one go.
Can't see how this could possibly help with SEO, mind!
Making a EXISTING CMS site compatible for mobile site NOT REDIRECT
Hi All.
I am currently creating a mobile version of an expression engine site that we use.
I am having problems with this, because typically I can just use media quires, or use redirect scripts.
However, the layout of the mobile site will be completely different from the desktop, so I can't just fiddle with a media quires for the CSS (as site just looks to different).
I was thinking of using a javascript to wipe the code or markup (php) if the device is mobile BUT it would mean perhaps loading two versions of code anytime a page loads up (not good for mobile). Eg one code for desktop and another for mobile.
I can't change the file names eg (mobile_index) because it is a CMS and the links wont link up correctly. I have tried this a few times , and also editing the .HTACCESS file, but it simply didnt work.
So if anyone knows how do I change the code of a page if the device mobile, but cant change file name, directory or any of that :-)
Cheers
Daragh
Why no redirect? If I was in your position, which I was a few months ago, I would handle this totally different:
Install Multiple Site Manager by ExpressionEngine: http://expressionengine.com/user_guide/cp/sites/index.html
Add another site -- mobile
Give it a proper domainname like m.domain.com
Give it its own template group
... and redirect with http://github.com/sebarmeli/JS-Redirection-Mobile-Site/
Now you can manage both installations from the same CMS and both installations can access existing channels, modules, extensions and members. This will keep your code fast and clean.
Adding a bunch of conditionals will only slow down installation.
Actually you could mess with media queries - it's the most flexible. JS is really overkill for something like this. At larger sizes, UL>LI menus could appear, and at smaller sizes they could be hidden (display:none) and swapped to select lists; divs can be replaced, elements dropped or resized. I also combine them with different snippets or embeds so you can tailor the content out as well.
You might try something like MX Mobile Device Detect. It gives you some variables that can detect if the user is on a mobile device that you could use in conditionals in your templates.
We have our application stored on our server, it is an .exe file. The download page is only accessible from our site - using cookie authentication in PHP. I know there are better methods but there is a long story behind this...so I'm moving on. The issue is that the actual url of the .exe has been leaked and is appearing on other websites. What is the best method to protect a link to a file, not the page itself. That is where I'm having issues. I can make it difficult to get to the download page (with the link) but don't know where to begin to make sure the link is only accessible from our site... Is .htaccess (preventing hotlinking) the best way to go?
Yes, .htaccess is probably best. Find any online post about protecting images from hotlinking, the first in my google search looks like a nice and easy auto-generator you can use. Just change the image extensions to exe, or keep them if you want them protected too.
As a security measure, I want to hide the technology stack I am using on my server. What are effective ways to do this? I thought about
1) Use mod_rewrite or Rewrite Module to hide any page extensions like .php or .aspx
2) Turn off all error reporting
1b) use mod_rewrite to serve a misleading extension on purpose, like disguising a php page as aspx
2b) Throw misleading errors to go with 1b), making my php pages display asp-like errors.
This is an impossible task. You will have to modify the entire stack, in which case you will have just created new buggy versions that you now have to keep in sync with vendor's versions.
There's literally no way to do this without making your site less secure.
You can do lame stuff like remove X-Powered-By, or change the session generation scheme if it's using something like ASP or PHP which has a known one. The fact is it's not going to stop anyone who actually wants to know what you are running.
For basic examples (it goes much deeper than this), some web servers will accept any header, so I can say GET LOLOLOL HTTP/1.1 and it will still work. Some stacks will keep the session alive, some wont. You can also see what features are on the stack, since there are just so many on the web and there's no way on earth any stack supports the exact same set.
Don't show accurate page extensions
Don't use standard error pages
Make sure the web server and application layer (ASP.NET, PHP et al) hide their presence in browser headers)
If your error pages do anything dynamic, assume that this can fail somehow and have a set of static html pages you can serve that aren't the web servers default ones
Make sure all of our technolog stacks are configured to not show stack traces on any error pages served to machines other than the local server. If for some reason all your custom errors fail then the user may see the technology stack, but they won't have a window into the underlying code
You can add fake Server: and/or X-Powered-By headers to the response, pretending that it was generated by a different server. (Or, Server: My Unhackable Server)