Security Tutorials

  • AJAX For Evil: Spyjax with jQuery

    Last year I wrote a popular post titled AJAX For Evil: Spyjax when I described a technique called "Spyjax":

  • Disallow Robots Using Robots.txt

    I develop customer websites on a publicly accessible web server so that my customers may check the progress of their website at any given time. I could use .htaccess to require a username and password for the site, but then I'm constantly needing to remind customers what their password is. My big concern is preventing search engines from finding their way to my development server. Luckily I can add a robots.txt file to my development server websites that will prevent search engines from indexing them.

  • PHP, SSL, and cURL SSL3_GET_SERVER_CERTIFICATE Errors

    I recently developed a complex system for a customer that involved PHP, cURL, and an SSL connection to a third party vendor. The third party vendor would validate the security certificate of the source (the system I created) and either allow or reject access. My code looked like this:

  • SSLmatic: Quality, Cheap SSL Certificates and Giveaway!

    If you develop eCommerce websites or create applications that request sensitive user information, you're probably well aware of the advantages of using SSL certificates. For those who aren't, SSL certificates:

  • Email Protection with MooTools JavaScript

    Important Note: This article has been updated here.

  • Whitelisting: You Set The Rules For Security

    We all know what blacklisting is when it comes to strings: removing specified "bad" characters. While this helps to secure user input, it isn't as secure as whitelisting. Whitelisting is the process of saying "Let me tell you what you can give me" whereas blacklisting says "If I find this, I'll remove it."

  • AJAX For Evil: Spyjax

    With great power comes great responsibility. With every advancement in technology we face the threat of it being used for evil purposes. This is the case with AJAX. AJAX has a ton of great uses but one form of negative AJAX has taken life: Spyjax.

  • Tips for Protecting Querystring Keys & Values in PHP

    The easiest way to pass information to a page is by placing information in the URL. This, of course, is referred to as the querystring and the information in the querystring can be accessed by using $_GET['varname']. Simple, yes. Insecure, possibly. Here are some guidelines for managing querystring information.

  • .htaccess “Down For Maintenance” Page Redirect

    I recently needed to move one website from a shared web host to our internal server. After some discussion, we decided to simply add a "Site Down For Maintenance" page to the site to prevent users from submitting orders during the hosting change. Using the following .htaccess code snippet, we were able to send all users to a maintenance.html page no matter which page they requested:

  • Force Secure (SSL) Pages With .htaccess

    A while back, I shared a method for forcing a secure page using PHP. What if you want to force SSL (https://) on an entire website though? You don't want to have to put force-SSL PHP code on every page, right? Well, the website's .htaccess file comes to the rescue.