Standard

From wiki.terrax.net

Programming

Use Rust, a memory-safe language from Mozilla. It is used for Servo, a highly parallel web browser still under development, written in Rust by Mozilla Research and the community; parts of it are being integrated into Firefox step by step.

Server

DNS

Authoritative

Resolver

HTTP

Headers

  • Content-Security-Policy (CSP) (CSP2) (CSP3)
    • high (self): "Content-Security-Policy: default-src 'self'; object-src 'self'; form-action 'self'; frame-ancestors 'self'; block-all-mixed-content; disown-opener; plugin-types application/pdf;"
    • medium (self unsafe-inline/eval): "Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data:; object-src 'self'; form-action 'self'; frame-ancestors 'self'; block-all-mixed-content; disown-opener; plugin-types application/pdf;"
    • low (self 3rdparty unsafe-inline/eval): "Content-Security-Policy: default-src 'self' data: https: 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; object-src 'self'; worker-src 'self'; form-action 'self'; frame-ancestors 'self'; block-all-mixed-content; disown-opener; plugin-types application/pdf;"
    • https://report-uri.io/home/generate
  • Referrer-Policy: same-origin (or "Referrer-Policy: no-referrer")
  • Strict-Transport-Security: "max-age=3153600000; includeSubDomains; preload" (RFC 6797)
  • Public-Key-Pins (RFC 7469)
  • Set-Cookie: __Host-key=value; Path=/; HttpOnly; Secure; SameSite=strict (SameSite-Draft)(__Host-Draft)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • X-XSS-Protection: 1; mode=block
  • Link (Link prefetching)
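The header checklist above is easiest to keep honest with a script that audits a captured response. The following Python example is added here and is not part of the wiki page: it parses a Content-Security-Policy into its directives and rates it against the three tiers above (high: only 'self'; medium: 'unsafe-inline'/'unsafe-eval' allowed; low: third-party hosts allowed), checks that HSTS is preload-ready, verifies the __Host- cookie prefix rules (Secure, Path=/, no Domain) and flags a missing nosniff or X-Frame-Options header. The two header sets at the bottom are constructed samples, not captured from any real site.

```python
"""Audit HTTP response headers against the header checklist above (added example)."""
import re

ONE_YEAR = 31536000  # seconds; the HSTS preload list requires at least this max-age


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _is_remote(source):
    """True for a source expression that lets content come from another host."""
    s = source.lower()
    if s.startswith("'"):                 # keyword: 'self', 'unsafe-inline', 'none', ...
        return False
    if s in ("*", "https:", "http:"):     # any host over that scheme
        return True
    return not s.endswith(":")            # other scheme-only sources (data:, blob:) stay local


def csp_level(policy):
    """Rate a parsed policy using the three tiers above: high, medium or low.
    Returns 'none' when no default-src fallback is set."""
    default = policy.get("default-src")
    if default is None:
        return "none"
    effective = default + policy.get("script-src", [])
    if any(_is_remote(s) for s in effective):
        return "low"
    if any(s in ("'unsafe-inline'", "'unsafe-eval'") for s in effective):
        return "medium"
    return "high"


def audit_headers(headers):
    """Return a list of findings for one response's headers.
    headers: dict of header name -> value; Set-Cookie may be a list of values."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        policy = parse_csp(csp)
        findings.append("CSP level: " + csp_level(policy))
        for directive in ("object-src", "form-action", "frame-ancestors"):
            if directive not in policy:
                findings.append(f"CSP lacks {directive}")

    hsts = h.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if not match:
        findings.append("HSTS missing")
    elif int(match.group(1)) < ONE_YEAR or "includesubdomains" not in hsts.lower():
        findings.append("HSTS not preload-ready (max-age >= 1 year and includeSubDomains needed)")

    cookies = h.get("set-cookie", [])
    for cookie in [cookies] if isinstance(cookies, str) else cookies:
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        if name.startswith("__Host-") and (
                "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs):
            findings.append(f"cookie {name} breaks the __Host- prefix rules")
        if "httponly" not in attrs or "samesite" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly or SameSite")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "x-frame-options" not in h:
        findings.append("X-Frame-Options missing")
    return findings


# Constructed sample responses for demonstration, not captured from any real site.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'self'; form-action 'self'; "
                               "frame-ancestors 'self'; block-all-mixed-content",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Set-Cookie": ["__Host-session=abc123; Path=/; HttpOnly; Secure; SameSite=strict"],
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self' https: 'unsafe-inline'; form-action 'self'; "
                               "frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": ["__Host-session=abc123; Path=/; HttpOnly; SameSite=strict"],  # no Secure
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(hdrs))
```

The rating deliberately treats any host-source in default-src or script-src as "low", because once a third party can serve scripts the other directives no longer bound what runs in the page; the 'self'-only tier is the only one in which the policy alone stops injected script.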

HTTPS

  • 301 redirect from http:// to https://
  • HSTS Preloading
  • TLS: TLS 1.2 (RFC 5246)
  • ECDSA: secp384r1 with SHA384 (or secp521r1 with SHA512, but not for Google Chrome/IE/Edge)
  • ECDHE: secp521r1:secp384r1
  • Cipher: ECDHE-ECDSA-AES256-GCM-SHA384, but also still TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (P-384) for Googlebot :(
  • Reduce TCP Keepalive
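As an added example (not from the wiki page, and not tied to any particular web server), the TLS profile above expressed as a Python ssl.SSLContext for a server, together with a check that the resulting context really offers only the two ECDHE-ECDSA suites, leads with the AES-256 one and refuses TLS 1.0/1.1. The cipher names are OpenSSL's; the curve list in the checklist belongs in the web server's own configuration, since Python's set_ecdh_curve takes a single curve.

```python
"""Build and verify a server-side TLS context matching the profile above (added example)."""
import ssl

# Suites from the checklist: the AES-256 suite first, the AES-128 suite kept for clients
# such as Googlebot that do not offer the former.
CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"


def make_server_context():
    """A TLS 1.2+ server context restricted to ECDHE-ECDSA AES-GCM suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse TLS 1.0 and 1.1
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # the server enforces the order above
    ctx.set_ciphers(CIPHERS)
    # Python's API takes one curve; a list such as secp521r1:secp384r1 is a
    # web-server setting and would go into its configuration instead.
    ctx.set_ecdh_curve("secp384r1")
    return ctx


def tls12_suites(ctx):
    """Names of the TLS 1.2 suites the context will offer, in preference order
    (TLS 1.3 suites are fixed by the protocol and reported separately)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def context_is_compliant(ctx):
    """True when only ECDHE-ECDSA suites remain, the AES-256 suite leads and TLS < 1.2 is off."""
    suites = tls12_suites(ctx)
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and bool(suites)
            and suites[0] == "ECDHE-ECDSA-AES256-GCM-SHA384"
            and all(s.startswith("ECDHE-ECDSA-") for s in suites))


if __name__ == "__main__":
    ctx = make_server_context()
    print("TLS 1.2 suites:", tls12_suites(ctx))
    print("compliant:", context_is_compliant(ctx))
```

Loading the ECDSA certificate and key (ctx.load_cert_chain) is left out so the block runs without key material; with an RSA certificate the context above would fail every handshake, which is the intended effect of restricting the suites to ECDSA.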

PHP

/etc/php/7.0/fpm/php.ini

[PHP]
openssl.cafile = /etc/ssl/certs/ca-certificates.crt

disable_functions = mail,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority

arg_separator.input = ";&"
default_charset = "UTF-8"

[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.name = __Host-PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly = 1
session.serialize_handler = php
session.referer_check =
session.entropy_length = 512
session.entropy_file = /dev/urandom
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = sha512
session.hash_bits_per_character = 6

[opcache]
opcache.enable=1
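A small linter for the [Session] block above, added here as an example in Python rather than taken from the wiki page. It parses php.ini syntax with configparser, compares the cookie-related settings with the values listed above and enforces the constraint that a __Host- session name carries: cookie_path must be / and cookie_domain must be empty, exactly as the Set-Cookie prefix rules require. One check goes beyond the page: it expects session.use_strict_mode = 1, which makes PHP reject session IDs it did not generate itself; the block above sets it to 0, and the constructed sample copies that so the linter has something to report.

```python
"""Lint the session settings of a php.ini against the hardening block above (added example)."""
import configparser

# Constructed sample: the [Session] block above, trimmed to the cookie-related keys.
SAMPLE_INI = """
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.name = __Host-PHPSESSID
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly = 1
session.use_trans_sid = 0
"""

# Expected values from the block above; use_strict_mode = 1 is the one addition (see lead-in).
EXPECTED = {
    "session.use_cookies": "1",
    "session.cookie_secure": "1",
    "session.use_only_cookies": "1",
    "session.cookie_httponly": "1",
    "session.use_trans_sid": "0",
    "session.use_strict_mode": "1",
}


def load_php_ini(text):
    """Parse php.ini text; ';' starts a comment line and keys keep their case."""
    parser = configparser.ConfigParser(
        comment_prefixes=(";",), interpolation=None, allow_no_value=True)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def _value(section, key):
    """Return a setting with PHP's double quotes removed, or None when absent."""
    raw = section.get(key)
    return None if raw is None else raw.strip().strip('"')


def check_session_settings(text):
    """Return a list of findings; an empty list means the block matches the checklist."""
    cfg = load_php_ini(text)
    if not cfg.has_section("Session"):
        return ["no [Session] section"]
    sess = cfg["Session"]
    findings = []
    for key, want in EXPECTED.items():
        got = _value(sess, key)
        if got != want:
            findings.append(f"{key} = {got!r}, expected {want!r}")
    name = _value(sess, "session.name") or ""
    if name.startswith("__Host-") and (
            _value(sess, "session.cookie_path") != "/" or _value(sess, "session.cookie_domain") != ""):
        findings.append("session.name uses the __Host- prefix but cookie_path/cookie_domain do not match it")
    return findings


if __name__ == "__main__":
    for finding in check_session_settings(SAMPLE_INI) or ["ok"]:
        print(finding)
```

Run it against a full php.ini only after the disable_functions value is on one line, since configparser, like PHP, does not accept unindented continuation lines.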

Browser

User Agents

  • CSRF defense: Support for
  • Support for ECDHE-ECDSA-AES256-GCM-SHA384
    • Firefox 49: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp521r1)
    • Chrome 51: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp384r1)
    • SCHANNEL (Windows): TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp384r1)

Addon

Network

  • No 3rd-party resources (except AdSense)
  • IPv6
  • No Port 80

Caching

HTML

<?xml version="1.0" encoding="utf-8" standalone="yes"?><!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="de">
	<head>
		<meta charset="utf-8"/>
		<meta name="keywords" content=""/>
		<meta name="description" content=""/>
		<meta name="robots" content="noindex,nofollow,noodp,noarchive,noimageindex,noydir,nocache"/>
		<!--<meta name="referrer" content="no-referrer"/>-->
		<meta name="theme-color" content="#342546"/>
		<meta name="application-name" content="TerraX.net"/>
		<meta name="author" content="TerraX.net e.V."/>
		<title>Welcome</title>
		<link rel="icon" type="image/png" sizes="180x180" href="icon.180x180.png"/>
		<link rel="icon" type="image/png" sizes="32x32" href="icon.32x32.png"/>
		<link rel="icon" type="image/svg+xml" sizes="any" href="icon.svg"/>
		<link rel="alternate" type="application/rss+xml" title="RSS Feed" href="feed.rss"/>
		<link rel="alternate" type="application/atom+xml" title="Atom Feed" href="feed.atom"/>
		<link rel="search" type="application/opensearchdescription+xml" title="TerraX.net" href="search.xml"/>
		<link rel="stylesheet" href="../_static/style.css"/>
		<base href="/de/"/>
	</head>
	<body>
		<header>
			Use <br/> like this.
		</header>
		<main>
			<article>
				<p>Hier ist ein <a target="_blank" rel="noopener noreferrer" href="https://eu.startpage.com/deu/" title="Externer Link">externer Link</a>, den wir empfehlen.</p>
				
				<video controls="controls">
					<source type="video/mp4" src=""/>
				</video>
			</article>
		</main>
		<footer>
		</footer>
		<script defer="defer" src="../_static/script.js"/>
	</body>
</html>

Head

  • DNS Prefetching (only for AdSense):
<link rel="dns-prefetch" href="//pagead2.googlesyndication.com"/>
<link rel="dns-prefetch" href="//tpc.googlesyndication.com"/>
<link rel="dns-prefetch" href="//googleads.g.doubleclick.net"/>

Style

  • Minified CSS
  • "below the fold" CSS at end of page
  • load fonts inside <head>
  • No inline styles (<style>.bold {font-weight:bold}</style>)
  • No browser-specific styles (-webkit prefix), we may argue about this
  • No data:
  • use flex for responsive sites!
  • CSS Grid Layout: caniuse, implementation bugs

Script

  • Minified JS
  • Defer JS <script defer src=""></script>
  • No inline scripts
  • only use self-hosted JS files
  • JS at end of page
  • No data:
  • No eval()
  • Maybe Subresource Integrity

Images

Font

  • No data:
  • only woff2 format

Video

  • webm/vp9 format
  • mp4/h264 for live streaming: MPEG DASH, (and HLS for Apple Devices)
    • Maybe only HLS over nginx + hls.js (because of bad codecs (mp3) with nginx-rtmp-module's MPEG DASH implementation)

Object

  • No plugins (Flash, Silverlight, Java, etc.)
  • Maybe PDF (prevent that)
    • CSP example: object-src 'self'; plugin-types application/pdf;
    • or send the PDF with the HTTP header "Content-Disposition: attachment", which forces it to be downloaded to disk instead of rendered inline, so that "object-src 'none'" can be used in the Content-Security-Policy?