The client wants to make the site (webservice, as he named it), where users can create their own pages, including with JS scripts, etc. I see two ways - using the folders:
http://service.com/user/name/ ...
and subdomains:
http://user.service.com/...
Both paths are not the problem, but the client wants to make it using folders for SEO benefits.
I think if I use folders, it will make the site less secure. For example, user can send AJAX request from its page and the server will respond him. If it was a sub-domain, in accordance with the SOP (Same Origin Policy) request would be rejected. Correct if I'm wrong.
Is it real problem with SOP for folders?
Are there any other security issues for folders?
Is it safer to use subdomains?
Continuing study this issue. As I understood, in case of using folders user also can create page with Black Hat SEO and search Engines will ban my domain. Am I right?
So I can already see 2 security issue in folders and no way to fix it. Are there solutions for it? Are subdomains really more safer or they have other issues?
Related
this is a broader question than I would probably ask of the CartThrob folks, which is why I'm posting it here. What would the community recommend as far as SSL is concerned with CartThrob? The store functions are limited to a couple of key template groups. So my thinking was perhaps the best way to handle it would be htaccess on the basis of the presence of those URL segments. I would like to return the user to a non-SSL connection when they are not in the store area. So a trigger might be the first segment being "basket" or "account" for example. Or what about an in-template redirect to the secure URL? Very interested to hear the community's suggestions on how best to handle SSL within a given area of an EE site. I'm interested in whatever makes the most sense to implement, while also ensuring that, for example, all assets - even those loaded with path variables - are loaded via SSL. Thanks all!
I've always used CartThrob's https_redirect tag (docs) on my checkout screens, which will rewrite your {path}, {permalink} (etc)-created URLs to use https, as well as redirect you to the https:// version of your page if necessary.
That, combined with using the protocol-agnostic style of calling scripts and stylesheets should get you most of the way in getting your secure icon in the browser.
(Example:)
<script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.9.1/jquery-ui.min.js"></script>
I am developing a website with CakePHP.
I have an AdminsController for admins to authenticate. However I want create extra security by adding .htaccess password protection.
I tried to do it by adding .htaccess and a .htpasswd files in my Admins view directory since I want the other pages of my site to work normally, but it doesn't work.
So how to add .htaccess and .htpasswd for only a specific view?
In my AdminsControllers's beforeFilter method I've added :
if(env('HTTP_HOST') == 888.888.888.888 || ......),
The list of IP addresses that should be allowed. Can I say that it is safe now?
I think you might want to investigate the other authentication components that CakePHP has to offer. BasicAuthenticate should be of particular interest.
If you go down this route, the authentication will still happen against a userModel rather than a .htpasswd file.
As for the IP restriction, that should be relatively safe. IP spoofing is possible but hard.
I want to implement https on only a selection of my web-pages. I have purchased my SSL certificates etc and got them working. Despite this, due to speed demands i cannot afford to place them on every single page.
Instead i want my server to serve up http or https depending on the page being viewed. An example where this has been done is ‘99designs’
The problem in slightly more detail:
When my visitors first visit my site they only have access to non-sensitive information and therefore i want them to be presented with simple http.
Then once they login they are granted access to more sensitive information, e.g. profile information for which HTTPS is used to deliver.
Despite being logged in, if the user goes back to a non-sensitive page such as the homepage then i want it delivered using HTTP.
One common solution seems to be using the .htaccess file. The problem is that my site is relatively large meaning that to use this would require me to write a rule for every page (several hundred) to determine whether it should be server up using http or https.
And then there is the problem of defining user generated content pages.
Please help,
Many thanks,
David
You've not mentioned anything about the architecture you are using. Assuming that the SSL termination is on the webserver, then you should set up separate virtual hosts with completely seperate and non-overlapping document trees, and for preference, use a path schema which does not overlap (to avoid little accidents).
my company is running IIS and DNN (I'm not a server guy, so color me ignorant), and I've read previous that you should either redirect your .http://www.mydomain to .http://mydomain or Vice Versa. Can anyone give me reasons to do this? (periods "prepended" to remove href)
From what I understand, it's because search engines see those as two different 'sites' (Even when visiting one or the other, I can be logged into one but not the other).
I also heard it can be a duplicate content problem, which search engines dislike.
Just looking for some professional insight, will help me and others.
Thanks!
This allows your site to be more SEO-friendly. Search engine crawlers will view these as two different URLs. That will cause your site's ranking in search engines to have multiple rankings for the same content.
ScottGu describes the problem and how to go about fixing it in a blog post:
http://weblogs.asp.net/scottgu/archive/2010/04/20/tip-trick-fix-common-seo-problems-using-the-url-rewrite-extension.aspx
Although it's mostly for SEO, there is also a potential usability issue in that a user who logs in on www.domain.com may get cookies that only work on the www subdomain and will be forced to log in again if they ever follow a link to domain.com (without the www prefix).
In addition to the SEO-friendlyness this also prevents some errors that might come up when both, with and without www works.
for example a user could login on www.yourdomain.com and would receive a cookie. later he visit your site via yourdomain.com and the cookie would not apply there.
I'm in a development environment and we're using basic .htaccess/.htpasswd authentication to keep lurkers out. But some of my AJAX calls are coming back with HTTP/401 authentication failed errors. Is it possible for me to allow access only to those specific URL's? I can't easily do it by popping a new .htaccess in a subfolder because CodeIgniter uses ReWrites.
It's not possible to allow access only to those specific URL's. Unfortunately, .htaccess and .htpasswd authentication operates on a directory level only. And you're exactly right about why just using a subdirectory won't work - b/c of CI rewrites, which happen AFTER Apache has transferred control to CodeIgniter's index.php front controller.
The easy option, if you're working on something that (1) is not likely to be hacked in the first place, and (2) can't reveal sensitive data even if it is, is to use security via obscurity. Don't have any links to your dev site, include a noindex directive for search engine crawlers, and go on your merry way. This also has the advantage that you can test versions of the site with your colleagues and friends by just telling them the URL to go to.
If you're more worried about security, then you're probably building an auth module for your website's users. In that case, for your dev environment, just call that auth module in the constructor for all of your controllers, and redirect to the login page if the user is not logged in.
Good luck!