Personal website of Tess Sluijter

Blog archives

Homebrew CMS security issues

2021-08-23 21:22:00

Back in early 2019 I first learned how to properly apply CSP to my site's code. It was a very educational learning experience and by the end of it I managed to score an A+ in Mozilla's Observatory (which does compatibility and security checks on your site). 

Imagine my surprise when earlier today I learned that A) my CSP wasn't being used anymore, the header wasn't even set and B) my Observatory score had dropped to an F! Wow, what happened?!

It turns out that Dreamhost's PHP wasn't using my .htaccess file anymore, on the PHP 7.3 setup that it was running. A switch to PHP 7.4 with their FastCGI setup and we're back in business. 

Also, hooray for the CSP Evaluator tool!

That'll teach me to regularly scan and check my own site. :|

I was prompted to go check out my own CSP settings, thanks to Scott Helme's recent post "I turned on CSP and all I got was this crappy lawsuit".

Homebrew CMS security improvements

2019-02-02 21:07:00

Did you know that Mozilla offer a great resource called Observatory? This tool scans your website and provides you focused instructions on how to improve the basic security of your site. It'll help you prevent the most common causes for XSS, CSRF and more! With about an hour's work, I've taken my site from an F score to A+ :)

Now, it's been ages since I first started work on this website of mine. Can't properly recall when I first started, but it's been at least ten years since version 1.0. I will readily admit that I'm an utter, utter hack: self-taught, borrowing code left and right, just trying to get things to work. Along the way I've picked up security lessons, mostly on how to prevent SQLi and XSS. And now, thanks to Observatory, I've learned more! 

Mozilla's web security guidelines document has been a great help! Until this week I'd never heard of HSTS or CSP, so I've taken time to improve my site's security posture. This included properly sourcing my own Javascript and diking out a lot of the JS I'd been sourcing externally (reCaptcha, Google Analytics, etc), just because they were dead weight to me. I had heard about SRI before through Troy Hunt's excellent article about Javascript supply chain security.
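The two lessons from these posts (the 2021 one, where the CSP header silently stopped being sent because the host no longer read .htaccess, and this one, about HSTS, CSP and SRI) both come down to checking what the browser actually receives. Below is an added example of such a self-check; it is not KilalaCMS code and not Mozilla's Observatory logic. It inspects a set of response headers for missing or weak CSP/HSTS values and computes/verifies an SRI integrity attribute for a script body. The header samples are constructed, the six-month HSTS threshold is the value Observatory rewards, and the policy strings are illustrative, not the site's real policy.

```python
import base64
import hashlib
import hmac
import urllib.request

# Six months in seconds; Observatory awards full HSTS marks from this value upward.
HSTS_MIN_MAX_AGE = 15552000

# Constructed sample responses (not captured from the real site). The first
# mirrors the 2021 failure: the .htaccess rules were ignored, so neither CSP
# nor HSTS reached the browser. The second is the repaired state.
SAMPLE_HEADERS_BROKEN = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache",
}
SAMPLE_HEADERS_FIXED = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def _hsts_max_age(value: str):
    """Extract max-age from an HSTS header value, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        num = num.strip().strip('"')
        if name.lower() == "max-age" and num.isdigit():
            return int(num)
    return None


def check_headers(headers: dict) -> list:
    """Return human-readable findings for missing or weak CSP/HSTS headers.

    Header names are matched case-insensitively, as HTTP requires.
    An empty list means both headers are present and pass the basic checks.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy header")
    else:
        directives = {}
        for d in csp.split(";"):
            parts = d.split()
            if parts:
                directives[parts[0].lower()] = parts[1:]
        # script-src falls back to default-src when it is not set explicitly
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("Content-Security-Policy allows 'unsafe-inline' scripts")

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age = _hsts_max_age(hsts)
        if max_age is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age below six months ({max_age})")
    return findings


def fetch_headers(url: str) -> dict:
    """Fetch live response headers (needs network; the samples above do not use it)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Compute the value for a <script integrity="..."> attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """True if the content matches the integrity value, i.e. the browser would run it."""
    algo, _, _ = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_integrity(content, algo), integrity)


if __name__ == "__main__":
    for label, hdrs in (("broken", SAMPLE_HEADERS_BROKEN), ("fixed", SAMPLE_HEADERS_FIXED)):
        print(label, check_headers(hdrs) or ["OK"])
    script = b"document.title = 'KilalaCMS';"  # constructed script body
    print(sri_integrity(script))
```

Running it on the two samples prints the missing-header findings for the first and OK for the second; pointing `fetch_headers` at your own site and feeding the result to `check_headers` turns it into the periodic scan the 2021 post wishes it had done. For SRI, the integrity value is pasted into the `<script>` tag and `sri_matches` shows what the browser does: one changed byte in the script and the check fails.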

Anywho. It's been a learning experience! This little blog of mine ain't pretty, nor very exciting, but it's my little home and it makes a nice testbed to practice coding.

Some useful resources that helped me along:

Getting with the times: website renovation

2017-01-19 22:18:00

It's been roughly eight years since I started work on KilalaCMS, the code that runs this website. She's served me well and I haven't had many headaches. Early on, Dick offered me lots of great help in sanitizing input, putting up at least some SQL injection protection. In the end it might not be much to look at, but she's mine :)

A few months back Dreamhost sent their customers who were still on PHP5.5 a warning that said version would soon be dropped from their servers. Thus, it was a warning to go check your code. Obviously KilalaCMS was behind the times, so I've now taken some time to adjust things here and there so it works in PHP7.0. I've also taken the liberty to default everything to HTTPS, using a free SSL cert from Lets Encrypt. Dreamhost took care of the latter part for me. Good service!

I may run into a bug or two, but so far things are looking good!

EDIT: Kudos by the way to Dreamhost for their tech support! As part of the reno, I'd decided to run an "sqlmap" test against my DEV site, to make sure I wasn't leaving SQLI in plain sight. After the first tentative probe, the server slammed the door on my nose! They've got their boxes set up quite nicely, to prevent attacks like these. Nice! Had a chat with their support people and we worked out a nice way for me to test, without affecting my site or any of the other folks hosted on my box.

Public and private parts of this site

2013-07-24 23:38:00

As I wrote earlier I have decided to clamp down on what is publicly published about our lives. This means that >80% of my blog has been turned into a private affair, with only work-related materials still being available to the whole world.

Now that my Macbook has crashed and I need to spend a lot of time waiting for the backups to restore, I have spent roughly eight hours updating my CMS code. It was an interesting learning experience and now this site has a basic login/logout functionality. Logging in will simply let you see the website in all of its original glory.

If I haven't contacted you yet about a username+password and you'd like one, drop me an email.

Contacting Thomas Sluyter

2007-08-19 19:35:00

Recently we've been getting a lot of spam in our e-mail boxes, thanks to various bots grabbing our mail addresses from our contact pages. That's why we decided to put all the info in a .JPG instead. Sorry for any inconvenience.

Of course I also have a LinkedIn profile.

If you would like to send me an encrypted email, or if you would like to verify a signed email I sent you: here is my public PGP key

Contact info for Thomas

Nagios Conference, aftermath

2006-09-24 09:04:00

So I made it back home in one piece. My trip back took me around 7.5 hours, which was mostly due to me driving a little bit faster :p

I have to say that the A45 route up north is much less glamorous than the A3 :( The Rasthöfe all look much older and less fancy than the ones on the A3. Ah, but they sufficed anyway...

I'm thinking of moving my summaries from the previous blog posts into one big page in the Sysadmin section. Reckon that should prevent Google from raising the Archives above the Sysadmin section when it comes to Nagios.

/me starts immediately.

Listen up. Here's da plan...

2006-08-08 16:52:00

Because I've got all kinds of things lined up for me to do, I'm going to put them into order. That way both you and I will know what to expect. Here's my priorities:

1. Make the requisite changes to my website, so that it plays nicely with search engines. This shouldn't be more than an evening or two of work (barring any reruns of Doctor Who on BBC3).

2. Study for my two LPIC1 exams.

3. Revive the manga and anime section of the website. This needs regular updates, so I'm going to have to think of a few nice things to add to this. I'm thinking "reviews"... It's also meant to give me a couple of days off between studying for my four exams.

4. Study for my two LPIC2 exams.

5. Move other parts of the website into the mySQL database as well.

6. Improve the PHP code that gets data from the database. It could be much cleaner, safer and efficient.

7. Build some form of CMS for myself, so I don't have to work in the database manually.

So there you have it boys! The next few months of my life lined out for ya.

Parallel to da plan I will keep on expanding the Sysadmin section with new stuff I discover every week. And I will try to fit in a week or two of vacation somewhere along the line. I have a big bunch of video games that I finally want to finish!

All work and no play...

2006-08-01 11:49:00

Busybusybusy, that's what I've been. I've been adding all kinds of new stuff to the Sysadmin section, telling you everything you'd like to know about monitoring Solaris and Sun hardware through SNMP.

I don't have much interesting to tell to the non-admin people right now :) Better luck at a later point in time.