Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dev #52

Merged
merged 15 commits into from
Feb 7, 2024
Merged

Dev #52

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
6a8cfc6
feat: add how many minutes the blog finna be read
ashgw Feb 6, 2024
b5db560
feat: make blog rendering check if the blog is released or nah
ashgw Feb 6, 2024
985aa86
test: add testing for `formDate()`
ashgw Feb 7, 2024
5619106
test: add testing for `formDate()`
ashgw Feb 7, 2024
4e8e3e6
refactor: move `form-date` to `date`
ashgw Feb 7, 2024
ecb4072
refactor: make `formDate` non default
ashgw Feb 7, 2024
dd7848e
test: add testing for `isSameMonthAndYear()`
ashgw Feb 7, 2024
750d7e4
feat: hide the new state badge when post is not in the recent month
ashgw Feb 7, 2024
ae6b686
refactor: remove private identifier from `types.ts`
ashgw Feb 7, 2024
9dc4b0e
feat: add `id` attribute for all header mdx components
ashgw Feb 7, 2024
f7a87ff
feat: make scroll smooth
ashgw Feb 7, 2024
29423c6
feat: fix border layout of code blocks
ashgw Feb 7, 2024
b24f9b4
feat: setup the left corner linear gradient color
ashgw Feb 7, 2024
2f9cf95
feat: setup the right corner linear gradient color
ashgw Feb 7, 2024
c1d3229
feat: set default theme to gadient
ashgw Feb 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion public/blogs/captionize.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,10 @@
title: Captionize
seoTitle: Web application that automatically generates descriptive captions for images using a Blind Language-Image Pre-training (BLIP) model.
summary: How to run an image captioning web app
isPublic: true
isReleased: true
lastModDate: 2019-04-20T09:15:00-0400
firstModDate: 2019-04-20T09:15:00-0400
minutesToRead: 18
tags:
- 'blpp'
- 'ai'
Expand Down
281 changes: 41 additions & 240 deletions public/blogs/middlewares.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,273 +2,74 @@
title: Middlewares
seoTitle: Middlewares & shit
summary: A walkthrough over security headers setup with middlewares
isPublic: true
isReleased: true
lastModDate: 2021-04-20T09:15:00-0400
firstModDate: 2023-04-20T09:15:00-0400
firstModDate: 2024-02-01T09:15:00-0400
minutesToRead: 7
tags:
- 'middlewares'
- 'security'
- 'go'
---

<Image
width="200"
alt="zeze"
height="200"
src="https://avatars.githubusercontent.com/u/126174609?v=4"
></Image>

<H>Server</H>

- **Rovxr**: When we mention "Company," "we," "our," or "us".

- **Services**: This covers any product brought to you by Rovxr.

- **You**: Refers to individuals or organizations with an account for our Service+à

First you might want to yeet the `Server` & `X-Powered-By` headers (the latter being
unofficial), preferably through the server configs, or check `no_srv.go`.

<H3>Server</H3>
<C>
First you might want to yeet the **`Server`** & **`X-Powered-By`** headers (the latter being
unofficial), preferably through the server configs, or check `no_srv.go`. I have metioned this actually <L href='#using-go'>here</L> before
<S/>
> _Security through obscurity ain’t all that chief, but it's just a good complementary security measure._

To test that you've removed this entirely you can use curl:
</C>

```bash
<Code
code=

➜ ~ curl -IsL https://https://www.google.com/ | grep -i server
{`➜ ~ curl -IsL https://https://www.google.com/ | grep -i server

server: gws

server: gws

````
`}
language="bash"
showLineNumbers={true}

> </Code>

<C>
Google doesn't hide this info, but guess who does ?

The feds
</C>
<Code
code=

```bash

{`
➜ ~ curl -IsL https://cia.gov/ | grep -i server

➜ ~
`}
language="bash"
showLineNumbers={true}

````

### Content Security Policy

> </Code>
<H3>Content Security Policy</H3>
<C>
Don't use `unsafe-inline` directive.

Use a nonce

```http

Content-Security-Policy: script-src 'nonce-r4nD0mV41u3';

```

If you're using `NextJS` Here's how you set the scripts

```Typescript

import Script from 'next/script'

export default function Page() {

const nonce = "" // get it depending on the nature of the app

return (

<Script

src="https://www.googletagmanager.com/gtag/js"

strategy="afterInteractive"

nonce={nonce}

/>

)

}

```

`NextJS v13+` has a server implementation for homogeneous apps view _[ref](https://nextjs.org/docs/app/building-your-application/configuring/content-security-policy)_

#### Directives reminder

- `base-uri` Restrict `base-uri` to block the injection of `<base>` tags. This prevents attackers from changing the locations of scripts loaded from relative URLs.

- `img-src` you might add trusted sources

```http

img-src 'self' blob: data: https://i.imgur.com https://fontawesome.com/;

```

- `font-src` you might add some trusted sources, or just download them already why bother, anyways here's an example

```http

font-src https://fonts.gstatic.com

```

Here's a good _[ref](https://infosec.mozilla.org/guidelines/web_security.html#implementation-notes)_

#### Test First

use `Content-Security-Policy-Report-Only` . If it's all good, push the **CSP** changes to prod.

### X-Content-Type-Options

View the original **Microsoft** _[ref](https://learn.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-vi-beta-2-update)_ over why they had it promoted.

```Go

w.Header().Set("X-Content-Type-Options", "nosniff")

```

### X-Frame-Options

This whole header has been obsoleted in favor of `frame-ancestors` directive of the **CSP**

But some older browsers don't support **CSP** so you might as well use this

```Go

w.Header().Set("X-Frame-Options", "DENY")

```

**Note**

> `Content-Security-Policy: frame-ancestors 'none';` ==> `X-Frame-Options: 'DENY;`

> `Content-Security-Policy: frame-ancestors 'self';` ==> `X-Frame-Options: 'SAMEORIGIN;`

**Also**

> `ALLOW-FROM` Directive is <u>DEPRECATED</u> for this header.

### X-XSS-Protection

Do not use this so set it to `0`.

```go

w.Header().Set("X-XSS-Protection", "0")

```

Only for ancient browsers that don't support **CSP**.

But if you're somehow trying to support legacy browsers set it to

```http

X-XSS-Protection: 1; mode=block

```

### Strict-Transport-Security

Max age of two years is recommended.

Extreme care is needed when setting the `includeSubDomains` flag, as it could disable sites on subdomains that don’t yet have HTTPS enabled.

Secure cookies G.

If you set `preload` attribute after submission to [HSTS](ttps://hstspreload.org) preload list

then switch back to HTTP, you've fumbled the bag big time, [ref](https://hstspreload.org/#removal).

```Go

w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains, preload")

```

### Referrer-Policy

View [ref](https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer)

```Go

w.Header().Set("Referrer-Policy", "no-referrer, strict-origin-when-cross-origin")

```

### Cross-Origin-Opener-Policy

Popups and windows

```Go

w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")

```

### Cross-Origin-Resource-Policy

document fetching

```go

w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")

```

### Cross-Origin-Embedder-Policy

need to check in with the homie above first

```go

<S/>
`NextJS v13+` has a server implementation for homogeneous apps view <L href='https://nextjs.org/docs/app/building-your-application/configuring/content-security-policy'>reference</L>
</C>
<H3 id='using-go'>Using Go</H3>
<C>Here's a simplified version of it</C>
<Code
code=

{`w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")

```

### Cache-Control

For a good balance

```go

w.Header().Set("Cache-Control", "no-cache")

```

### Feature-Policy

This has been deprecated in favor for `Permissions-policy`

```go

// w.Header().Set("Feature-Policy", "geolocation 'none'; microphone 'none'; camera 'none'")

```

### Permissions-Policy

You can pick and choose which ones to block or activate

View _[ref](https://www.w3.org/TR/permissions-policy/)_

```go

w.Header().Set("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(self 'https://trusted.com'), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), speaker=(), speaker-selection=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()")
`}
language="go"
showLineNumbers={true}

```

### Other Notes

Out in the wild you might find occurrences where

[HPKP](https://tools.ietf.org/html/rfc7469) is still being used, well it got deprecated in [2018](https://www.chromestatus.com/feature/5903385005916160). It was to be replaced with the CT framework w/ [Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) header, but as of today this header is **obsolete**.

View *[ref](https://chromestatus.com/feature/6244547273687040)*s
> </Code>
3 changes: 2 additions & 1 deletion public/blogs/privacy-policy-template.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,10 @@
title: Privacy Policy
seoTitle: Privacy policy BS template
summary: Privacy prolicy templates
isPublic: true
isReleased: true
firstModDate: 2020-04-20T09:15:00-0400
lastModDate: 2023-04-20T09:15:00-0400
minutesToRead: 3
tags:
- 'policies'
- 'legal'
Expand Down
Loading
Loading