DevOps Curriculum

Der Begriff systemd wird immer umfassender da es sich nicht mehr (wie ursprünglich) nur um ein init Systemd handelt, sondern...

Unter Linux gibt es mehrere Dateisysteme. Es ist gut einen Überblick zu haben welche existieren und wie man die Dateisysteme...

DevOps Curriculum

In diesem Kapitel wollen wir uns die Struktur des Linux Dateisystems ansehen. Damit ist in diesem Fall nicht das Dateisystem...

When you need information about a gem (like version(s) or install path(s)), you can use the gem binary...

Due to the way we setup Jasmine tests in our projects, you may run into various errors when Jasmine boots...

Sometimes you will need an input field which wraps content and grows in height as soon as content gets longer...

makandra dev

To ensure a consistent code style for JavaScript code, we use ESLint. The workflow is similar to integrating rubocop...

This are the steps I needed to do to add esbuild to an application that used the vanilla rails asset...

DevOps Curriculum

AWS ist der meist genutzte Cloud Provider. Bei AWS gibt es extrem viele Themengebiete und es ist nicht möglich sich...

DevOps Curriculum

Vor 20 Jahren begann der große Durchbruch der Virtualisierung. Heute sind virtuelle Server kaum noch wegzudenken, da diese eine deutlich...

DevOps Curriculum

Wir arbeiten bei makandra alle auf Linux-Betriebssystemen und bedienen im DevOps- & Cloud-Bereich primär Kunden, die ebenfalls auf Linux...

DevOps Curriculum

makandra bietet ein bezahltes Trainee-Programm für DevOps / Cloud-Engineers: http://start.makandra.de Wir arbeiten für unsere Kunden häufig als Infrastruktur...

Building application assets with esbuild is the new way to do it, and it's great, especially in combination with...

JavaScript code can access and manipulate the browser's DOM tree. Using JavaScript we can add interactive behavior to our...

Jasmine has spyOnProperty(), but it only works if the property is implemented using getter and setter functions. This is a...

A flaky test is a test that is often green, but sometimes red. It may only fail on some PCs...

makandra dev

If you want Sidekiq to be able to talk to Redis on staging and production servers, you need to add...

This RailsCast demonstrated a very convenient method to activate VCR for a spec by simply tagging it with :vcr.

RSpec is smart when using the include-matcher in combination with .not_to. One could assume that .not_to include...

Event delegation is a pattern where a container element has a single event listener that handles events for all descendants...

The tree command will show you the contents of a directory and all its sub directories as a tree:

Rails has the handy controller method send_file which lets us download files easily. We can decide whether the file...

Given you have a strict CSP that only allows elements from your own domain: Content-Security-Policy: script-src 'self' This will block JavaScript handlers inlined as attribute into your HTML elements. Clicking on the following link will only log an error with a strict CSP: click me click me Solution 1: Move the handler into your JavaScript The recommended solution is to move the handler from the HTML to the allowed JavaScript file that we loaded via . In the example above we could invent a new [data-alert] attribute with the alert message: click me Then our JavaScript intercepts clicks on elements with that attribute: document.addEventListener('click', function(event) { let link = event.target.closest('[data-alert]') if (link) { let message = link.dataset.alert alert(message) event.preventDefault() } }) Solution 2: Allow that one handler in your CSP Some browsers allow the CSP directive script-src-attr. This lets you allow the hashes of actual JavaScript code. The SHA256 hash of alert('hello') is vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE= (in Base64). We can allow this one event handlers like this: Content-Security-Policy: script-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Note the sha256- prefix. This event handler now works when clicked: click me But any other script will still be blocked: click me Dealing with legacy browsers Currently (November 2023) about 75% of browsers support script-src-attr. Here is a forward-looking compromise that many users use with new CSP features: Have a liberal CSP with old directives supported by all browsers Make your CSP stricter with new, more specific directives for browsers that support it The CSP spec supports that approach in that using newer, more specific directives disable older, more general features. In our case this means: For old browsers, allow all inline scripts For new browsers, disallow inline scripts but allow inline handlers with given hashes Here is a CSP directive that works like this: Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE=' Old browsers will only use script-src. New browsers will use script-src-elem (for tags) and script-src-attr (for inline event handlers), which override the more liberal rules from script-src. Solution 3: Don't use a strict CSP You can have a secure web application without a strict CSP. A Content Security Policy should never be your first line of defense against Cross-Site-Scripting (XSS). Your primary tool should be to escape and sanitize user input. Many template engines make it easy to do the right thing by escaping dynamic content by default. A CSP is a second security net. It's there when you slip up and somehow, somewhere don't sanitize user input. Depending on your project, you may decide to prioritize developer convenience over a strict CSP.

We had a card that described how to install multiple mysql versions using mysql-sandbox. Nowadays with the wide adoption...