Posts Tagged ‘http’

X-FRAME-OPTIONS HTTP Header

Wednesday, September 8th, 2010

Support for the X-FRAME-OPTIONS response header was added in MSIE8, Mozilla Firefox 3.6.9, Apple Safari 4 and Google Chrome 2. The header tells the browser whether the page may be rendered inside a <frame> or <iframe>, which is the defense against clickjacking (UI redress): a hostile page frames yours, makes the frame invisible, and tricks the visitor into clicking on it.

Supported Values:
X-FRAME-OPTIONS: DENY
X-FRAME-OPTIONS: SAMEORIGIN

You can set this header for the Apache HTTP Server in httpd.conf or in your .htaccess files (via mod_headers), or have the application itself emit it on each page. It must be sent as an HTTP response header; the equivalent <meta http-equiv> tag is ignored by browsers. Use SAMEORIGIN for pages your own site frames and DENY for everything else, then confirm the header is actually present on a response before relying on it.
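As an added example (not code from the original post), here is a small Python checker for what an X-FRAME-OPTIONS header actually buys you. It parses constructed raw responses, handles the missing, DENY and SAMEORIGIN cases, and reports anything else (duplicate or conflicting values, the obsolete ALLOW-FROM) as INVALID, because browser handling of those differs and you should fix the header rather than rely on it. The example.com and evil.example origins are made up.

```python
"""Evaluate what an X-Frame-Options header actually permits.

Added example, not code from the original post. The responses and origins
below are constructed; "INVALID" covers values whose handling differs
between browsers (conflicting values, the obsolete ALLOW-FROM), which you
should fix rather than rely on.
"""
from urllib.parse import urlsplit

# Constructed sample responses (only the head matters here).
RESP_DENY = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: text/html\r\n"
             b"X-Frame-Options: DENY\r\n\r\n<html></html>")
RESP_SAMEORIGIN = (b"HTTP/1.1 200 OK\r\n"
                   b"x-frame-options: sameorigin\r\n\r\n<html></html>")
RESP_NONE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
RESP_ALLOWFROM = (b"HTTP/1.1 200 OK\r\n"
                  b"X-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n")


def parse_headers(raw):
    """Split a raw HTTP/1.x response head into lower-cased (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def framing_policy(headers):
    """Return 'NONE', 'DENY', 'SAMEORIGIN' or 'INVALID' for a header list."""
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # a comma-joined or duplicated header yields several tokens
            values.extend(v.strip().upper() for v in value.split(",") if v.strip())
    if not values:
        return "NONE"
    if len(set(values)) == 1 and values[0] in ("DENY", "SAMEORIGIN"):
        return values[0]
    return "INVALID"


def _origin(url):
    """(scheme, host, effective port), the tuple browsers compare for SAMEORIGIN."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def may_frame(policy, page_url, framer_url):
    """True/False when the policy decides it; None when the header is INVALID."""
    if policy == "NONE":
        return True                  # nothing stops anyone framing the page
    if policy == "DENY":
        return False
    if policy == "SAMEORIGIN":
        return _origin(page_url) == _origin(framer_url)
    return None                      # INVALID: browser-dependent, fix the header


def audit(raw_response, page_url, framer_url):
    """One-line finding for a response fetched from page_url."""
    policy = framing_policy(parse_headers(raw_response))
    verdict = may_frame(policy, page_url, framer_url)
    if verdict is None:
        return f"{page_url}: X-Frame-Options is INVALID, browsers may ignore it"
    word = "framable" if verdict else "not framable"
    return f"{page_url}: {word} from {framer_url} (policy {policy})"


if __name__ == "__main__":
    for raw in (RESP_DENY, RESP_SAMEORIGIN, RESP_NONE, RESP_ALLOWFROM):
        print(audit(raw, "https://www.example.com/account", "https://evil.example/"))
```

In practice you would feed audit() the output of a real request captured with curl -si, after adding something like Header set X-Frame-Options "SAMEORIGIN" to the Apache configuration.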

Dotless IP Address

Friday, December 11th, 2009

This is a concept I had forgotten about until recently. It can serve as a simple means of obfuscation (hiding where a link really points, or slipping a link past a filter that only matches the dotted form) and is also sometimes referred to as a "Decimal Address".

Some background:

  • DNS is used to convert a hostname (the host part of a URL) into an IP address that is used to contact the remote machine.
    EXAMPLES:
    localhost = 127.0.0.1
    giantgeek.com = 99.138.127.198
  • IPv4 addresses are 32-bit numbers, conventionally written as four 8-bit octets in decimal (the "dotted quad"); most resolvers also accept octal (leading 0) and hexadecimal (leading 0x) parts, and fewer than four parts.
  • Those four octets can be combined into a single integer with a simple formula: a.b.c.d = a*2^24 + b*2^16 + c*2^8 + d, so 127.0.0.1 = 127*16777216 + 1 = 2130706433.

As such, you can use the following as equivalents:

  • http://localhost
  • http://127.0.0.1
  • http://2130706433
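The following Python is an added example, not code from the original post. It implements the classic inet_aton() rules for IPv4 literals (decimal, 0x-hex and leading-0 octal parts; one to four parts, the last one filling the remaining bytes), converts between the dotted and dotless forms, and shows why a blocklist that compares the hostname string is bypassed by any of the alternate spellings. The sample literals are constructed; Python's urlsplit() hands you the hostname exactly as written, so this kind of canonicalization has to be done before any comparison.

```python
"""Recognize every spelling of an IPv4 literal a resolver will accept.

Added example, not code from the original post. It applies the classic
inet_aton() rules (decimal, 0x-hex and leading-0 octal parts; one to four
parts, the last one filling the remaining bytes) and shows why a filter
that compares the hostname string is bypassed. The sample literals are
constructed.
"""
import ipaddress

_ALLOWED = set("0123456789abcdefABCDEFxX")


def _parse_part(text):
    """One dotted component: 0x.. is hex, a leading 0 means octal, else decimal."""
    if not text or not all(c in _ALLOWED for c in text):
        raise ValueError(f"bad component {text!r}")
    if text[:2].lower() == "0x":
        return int(text[2:], 16)       # int('', 16) raises for a bare '0x'
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)            # 0177 == 127; '08' is rejected
    return int(text, 10)


def ipv4_literal_to_int(host):
    """32-bit value of an inet_aton()-style literal; ValueError if it is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not an IPv4 literal: {host!r}")
    values = [_parse_part(p) for p in parts]
    tail_bytes = 5 - len(parts)        # bytes covered by the final component
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 1 << (8 * tail_bytes):
        raise ValueError(f"component out of range: {host!r}")
    result = 0
    for v in values[:-1]:
        result = (result << 8) | v
    return (result << (8 * tail_bytes)) | values[-1]


def dotless(host):
    """'127.0.0.1' -> '2130706433' (a.b.c.d = a*2^24 + b*2^16 + c*2^8 + d)."""
    return str(ipv4_literal_to_int(host))


def canonical_ipv4(host):
    """Any accepted spelling -> dotted quad, e.g. '0x7f.1' -> '127.0.0.1'."""
    return str(ipaddress.IPv4Address(ipv4_literal_to_int(host)))


def is_ipv4_literal(host):
    try:
        ipv4_literal_to_int(host)
        return True
    except ValueError:
        return False


def naive_block(host):
    """A string-matching blocklist of the kind that dotless addresses slip past."""
    return host in ("localhost", "127.0.0.1")


def canonical_block(host):
    """Block loopback/private targets whatever spelling the literal uses."""
    if host == "localhost":
        return True
    if not is_ipv4_literal(host):
        return False                   # hostnames need a DNS lookup, not done here
    addr = ipaddress.IPv4Address(ipv4_literal_to_int(host))
    return addr.is_loopback or addr.is_private or addr.is_link_local


if __name__ == "__main__":
    for h in ("127.0.0.1", "2130706433", "0x7f000001", "0177.0.0.1", "127.1", "0x7f.1"):
        print(f"{h:>12} -> {canonical_ipv4(h)}  naive={naive_block(h)}  "
              f"canonical={canonical_block(h)}")
```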

Data URL’s (aka HTML Inline Images)

Thursday, October 29th, 2009

Here's a useful trick for reducing the number of HTTP connections a page needs. Unfortunately it is not universally supported, so you will need to provide an alternative for non-supporting browsers (older versions of MSIE in particular).

This works by placing the (base64-encoded) content of the image into the URL itself, so no separate request is made for it. The flip side is that the image is not cached separately at any tier: its bytes are re-sent with every copy of the page that embeds them, and base64 inflates them by about a third, so this is best reserved for small icons.

<img src="data:image/gif;base64,R0lGODlhEAAOALMAAOazToeHh0tLS/7LZv/0jvb29t/f3//Ub//ge8WSLf/rhf/3kdbW1mxsbP//mf///yH5BAAAAAAALAAAAAAQAA4AAARe8L1Ekyky67QZ1hLnjM5UUde0ECwLJoExKcppV0aCcGCmTIHEIUEqjgaORCMxIC6e0CcguWw6aFjsVMkkIr7g77ZKPJjPZqIyd7sJAgVGoEGv2xsBxqNgYPj/gAwXEQA7" alt="embedded folder icon" width="16" height="14" />
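As an added example (not code from the original post), the Python below builds a data: URL from raw image bytes, parses one back, and, before inlining, checks that the bytes really are the image type the URL claims. The media type in a data: URL is whatever the author typed, so when such URLs arrive from users the bytes are what you trust. The 1x1 transparent GIF is a constructed sample, the magic-byte table covers only GIF, PNG and JPEG, and the 32 KB default size limit is the one IE8 imposes on data: URLs.

```python
"""Build, parse and sanity-check data: URLs for inline images.

Added example, not code from the original post. The 1x1 transparent GIF is
a constructed sample, the magic-byte table covers only GIF/PNG/JPEG, and the
32 KB default is the IE8 limit for data: URLs.
"""
import base64
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: a 1x1 transparent GIF, 42 bytes.
SAMPLE_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")

# First bytes of the formats we are willing to inline.
_MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# data:[<mediatype>][;param]*[;base64],<payload>  (RFC 2397)
_DATA_URL = re.compile(
    r"^data:(?P<type>[^,;]*)(?P<params>(?:;[^,;]*)*),(?P<payload>.*)$", re.S)


def make_data_url(data, mime):
    """Encode bytes as a base64 data: URL (about 4/3 the size of the input)."""
    return "data:%s;base64,%s" % (mime, base64.b64encode(data).decode("ascii"))


def parse_data_url(url):
    """Return (mime, bytes); raises ValueError on malformed input."""
    m = _DATA_URL.match(url)
    if not m:
        raise ValueError("not a data: URL")
    mime = (m.group("type") or "text/plain").lower()
    params = [p.lower() for p in m.group("params").split(";") if p]
    payload = m.group("payload")
    if "base64" in params:
        # some generators wrap long payloads; strip that, then decode strictly
        data = base64.b64decode(re.sub(r"\s+", "", payload), validate=True)
    else:
        data = unquote_to_bytes(payload)
    return mime, data


def sniffed_type(data):
    """Image type implied by the leading bytes, or None."""
    for mime, signatures in _MAGIC.items():
        if data.startswith(signatures):
            return mime
    return None


def check_inline_image(url, max_bytes=32 * 1024):
    """Accept a data: URL only if the bytes match the declared type and size."""
    mime, data = parse_data_url(url)
    actual = sniffed_type(data)
    if actual != mime:
        raise ValueError(f"declared {mime} but payload looks like {actual}")
    if len(data) > max_bytes:
        raise ValueError(f"{len(data)} bytes is too large to inline")
    return mime, data


def img_tag(data, mime, alt, width, height):
    """The <img> element the post shows, generated from raw image bytes."""
    return (f'<img src="{make_data_url(data, mime)}" alt="{alt}" '
            f'width="{width}" height="{height}" />')


if __name__ == "__main__":
    print(img_tag(SAMPLE_GIF, "image/gif", "spacer", 1, 1))
```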

Yahoo! Exceptional Performance (for Web Applications)

Wednesday, February 11th, 2009

I spend a LOT of time trying to optimize web applications to run and appear as fast as possible, one of the most valuable tools I have in my “bag of tricks” is the YSlow! plugin for Firefox.

It integrates in the browser and gives a near real-time scoring of the pages you visit and suggestions on how to improve them. While some of the suggestions are not practical (for example: use of a CDN) the bulk of them can be applied to your application code or server with a little bit of work.

The rules and scoring mechanisms are well documented at the following website:
http://developer.yahoo.com/performance/

The YSlow! plugin is available here:
http://developer.yahoo.com/yslow/

Happy… Faster Surfing!

Flash ‘Cookies’ and Security Settings

Wednesday, November 19th, 2008

I've found that a large percentage of Internet users don't realize just how they are being tracked on a website. Most people are aware of HTTP Cookies, but very few realize that browser plugin technologies like Adobe Flash also maintain data about a user's activities. Worse yet, while an HTTP Cookie is limited to 4 KB, Flash can store up to 100 KB per website by default.

Clearing standard HTTP cookies is relatively easy to do in mainstream browsers. However, while Flash is almost ubiquitous, its settings are not easy to locate... in fact you cannot even find them in your browser or computer settings, you have to visit a website!

When you visit this link you will first see the sites and the amount of data they have stored about you:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html

Secondly, if you look on the other tabs or follow the next link you’ll be able to control Flash access to your microphone and webcam (provided that you have them connected).
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

Other tabs will allow you to control various settings related to updates and global security settings, as documentation is provided for each tab it should be relatively easy for you to decide which configuration you prefer in each case.

FYI – I can see some real potential for misuse of these settings if they could be altered externally by a motivated hacker.

Cheers!

NLS for CSS?

Wednesday, June 11th, 2008

Okay, so this is a little odd. This does not affect the language or text direction of the website; it is a measure to ensure the CSS file itself is decoded with the right character encoding.

The browser will generally rely on the charset parameter of the HTTP Content-Type header to determine this, but where the server or application configuration does not send one, you can provide the equivalent in the file itself.

WARNING: The rule must be the very first thing in the .css file, before any whitespace or comments, and must use straight double quotes exactly as shown.

Example:
@charset "UTF-8";

Other common value:
@charset "ISO-8859-1";

Reference:
http://www.w3.org/International/questions/qa-css-charset

Cheers!

Improving network performance with server side HTTP Compression

Monday, April 21st, 2008

I spend a lot of my time tweaking the performance of web applications. In addition to optimizing code, it is also necessary to verify that your server settings are optimized for network performance, to reduce bandwidth usage and thus client response times.

NOTE: This is a tradeoff between CPU and network performance. It works by compressing the content on the server just before it is sent over the wire; when the client receives it, it spends some of its own resources to decompress the content. One caveat for dynamic pages: if a compressed response mixes a secret (a session or CSRF token) with input the attacker controls, the compressed length leaks that secret (the BREACH attack against HTTP compression), so keep compression for static assets and pages that carry no such secrets.

The Apache HTTP server provides mod_deflate (for 2.x); for 1.3 the third-party mod_gzip served the same purpose.

Here's a quick start:

In httpd.conf:

1. Uncomment the module:

LoadModule deflate_module modules/mod_deflate.so

2. Add the following (modify if required):

<IfModule deflate_module>
#AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
AddOutputFilterByType DEFLATE text/*
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
#AddOutputFilterByType DEFLATE application/x-javascript

<Location />
# Insert filter
SetOutputFilter DEFLATE

# Netscape 4.x has some problems…
BrowserMatch ^Mozilla/4 gzip-only-text/html

# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won’t work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Don’t compress images or ZIP/GZ/7Z
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|zip|7z|gz)$ no-gzip dont-vary

# Make sure proxies don’t deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</Location>
</IfModule>

Cheers!

Add HTTP Headers in Apache Response

Tuesday, April 8th, 2008

This can be used for several reasons:

  1. To add headers to modify the behavior of a specific ‘misbehaving’ browser or client.
  2. To replace headers that you don’t want leaked to the Internet.
  3. To add monitoring information to your server responses.

Changes can be accomplished in the Apache2 ‘httpd.conf’ file.

  1. Verify that the module is not disabled or commented out:

    LoadModule headers_module modules/mod_headers.so

  2. To add some common metrics:

    <IfModule headers_module>
    Header append MyHeader "%D %t"
    </IfModule>

  3. To hide the HTTP Server header that you send in your responses (often done for security through obscurity; it fixes nothing by itself, but it removes a free version hint for scanners):
    <IfModule headers_module>
    Header unset Server
    </IfModule>
  4. You could also replace the Server header like this:

    <IfModule headers_module>
    Header set Server "ScottServer 1.0"
    </IfModule>

    Caveat: Apache writes the Server header from its own banner late in the response, so whether mod_headers can remove or replace it depends on the Apache version. Set ServerTokens Prod in httpd.conf as well, which trims the banner to just "Apache", and confirm the result with a request such as: curl -sI http://localhost/ | grep -i '^server:'

Cheers!

Configuring Apache webserver for browser caching of web content…

Monday, April 7th, 2008

This is a HUGE topic, I’ve outlined some simple steps below as well as my initial configuration for you to start with…

NOTE: this is for simple 'static' content such as images; additional work is required for dynamic (program-generated) content, such as that generated by PHP, which usually should not be cached for a day at all.

1. In ‘httpd.conf’ make sure the following line is uncommented.

LoadModule expires_module modules/mod_expires.so

2.  In ‘httpd.conf’ add the following:

ExpiresActive On
### Expire images 1 day from when they're accessed
ExpiresByType application/java-archive "access plus 1 day"
ExpiresByType image/gif "access plus 1 day"
ExpiresByType image/png "access plus 1 day"
ExpiresByType image/jpg "access plus 1 day"
ExpiresByType image/jpeg "access plus 1 day"
ExpiresByType image/x-icon "access plus 1 day"
ExpiresByType text/css "access plus 1 day"
ExpiresByType text/javascript "access plus 1 day"
ExpiresByType text/xml "access plus 1 day"
ExpiresByType application/xml "access plus 1 day"
ExpiresByType text/plain "access plus 1 month"

3. (Optional) Set default expiry of content in ‘httpd.conf’:

### Expire everything else 1 day from when it's last modified
ExpiresDefault "modified plus 1 day"

NOTE: These were my original settings; you may want to add additional MIME type and expiry configurations particular to your web content. Apache's default mime.types maps .jpg to image/jpeg, so the image/jpg line above is harmless but unused. Bear in mind that once CSS and JavaScript are cached for a day, visitors keep the old copy for that long after you change them, unless you change the file's URL (a version number in the name or query string) when you deploy.

HTTP is deprecated?

Wednesday, February 27th, 2008

I found this several years ago, and 'most' of my websites implement this convention.

A link written as "//hostname/path" omits the scheme, and the browser fills in the scheme of the page that contains the link. The argument made at no-http.org is that "http://" merely implies IP port 80 and "https://" port 443, while the payload of such traffic is no longer limited to HyperText (the "HT" in HTTP), so websites should not hard-code a scheme that future implementations of the protocol stack may not use.

Unfortunately, there is one case where this causes a problem. Because the link inherits the scheme of the current page, any link meant to swap protocols (from an http: page to an https: login page, say) must still spell out "http:" or "https:", and the same applies if you run on non-standard ports where only one of the two protocols is served.

The obvious advantage is that all of your links get shorter. Note that a scheme-relative link on an http: page is fetched over http:, so this does not upgrade anything by itself; once a site is served only over HTTPS there is no longer any reason to omit the "https:".
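The Python below is an added example, not code from no-http.org or the original post. It rewrites a page's own absolute links to the scheme-relative form, leaves third-party links and protocol-switching links (the caveat above) untouched, and uses urljoin() to show how a browser resolves the result against an http: and an https: page. The hostnames and the HTML snippet are constructed.

```python
"""Rewrite a site's own absolute links to scheme-relative form.

Added example, not code from no-http.org or the original post. The hostnames
and HTML are constructed; the rule that a link which switches protocol keeps
its explicit scheme is the caveat from the post.
"""
import re
from urllib.parse import urljoin, urlsplit

# href="..." / src='...' attributes; good enough for the constructed sample,
# a real site would do this in its templating layer instead.
_ATTR = re.compile(r'''(?P<attr>\b(?:href|src))=(?P<q>["'])(?P<url>[^"']*)(?P=q)''',
                   re.I)


def scheme_relative(url, page_url, own_hosts):
    """Return url with its scheme dropped when that is safe, else unchanged."""
    link = urlsplit(url)
    page = urlsplit(page_url)
    if link.scheme not in ("http", "https") or not link.netloc:
        return url                    # already relative, mailto:, javascript:, ...
    if link.hostname not in own_hosts:
        return url                    # leave third-party links explicit
    if link.scheme != page.scheme:
        return url                    # a protocol-switching link keeps its scheme
    return url[len(link.scheme) + 1:]  # "http://h/p" -> "//h/p"


def rewrite_html(html, page_url, own_hosts):
    """Apply scheme_relative() to every href/src attribute in html."""
    def _sub(m):
        new = scheme_relative(m.group("url"), page_url, own_hosts)
        return f"{m.group('attr')}={m.group('q')}{new}{m.group('q')}"
    return _ATTR.sub(_sub, html)


def resolve(page_url, href):
    """What the browser fetches: a //host link inherits the page's scheme."""
    return urljoin(page_url, href)


if __name__ == "__main__":
    own = {"example.com", "www.example.com"}
    page = '<a href="http://example.com/x">x</a><img src="https://example.com/i.png">'
    out = rewrite_html(page, "http://example.com/index.html", own)
    print(out)
    print(resolve("http://example.com/", "//example.com/x"))
    print(resolve("https://example.com/", "//example.com/x"))
```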

More information is available at:

http://www.no-http.org/

Cheers!