Author Archives: vgorbic1

Agility Concept

What to do
– Find out where you are
– Take a small step towards your goal
– Adjust your understanding based on what you learned
– Repeat
How to do it
– When faced with alternatives that deliver the same value, take the one that makes future changes easier.
Agile is Dead

Addressing Cross-Site Request Forgery

Cross-site Request Forgery (CSRF, XSRF, or Sea Surf) is an attempt to trick a victim's browser into sending an HTTP request to a web server that the victim did not intend to make, typically from a form or script on a page the attacker controls. Because the browser automatically attaches the target site's cookies, including the session identifier, to that forged request, the server sees it as coming from the authenticated user.

Prevention
When a user submits a state-changing request that is authenticated by a cookie, the request must also carry an anti-CSRF token: a value bound to the user's session that an attacker's page cannot read or guess. The application checks that the submitted token is present and matches the token for the current session (using a constant-time comparison); if it does not, the request is rejected.

Implementation in PHP:

// index.php
<?php

// Start (or resume) the session
session_start();

// Create a random per-session secret key, once
if (empty($_SESSION['key'])) {
  $_SESSION['key'] = bin2hex(random_bytes(32));
}

// Derive the CSRF token from the session key; it stays constant for this session
$csrf = hash_hmac('sha256', 'string of data', $_SESSION['key']);

// Validate the token on submit
if (isset($_POST['submit'])) {
  // The submitted token must exist, be a string (not an array from csrf[]=...)
  // and match in constant time; hash_equals() would throw on a non-string
  if (isset($_POST['csrf']) && is_string($_POST['csrf']) && hash_equals($csrf, $_POST['csrf'])) {
    // Escape the user-supplied value before echoing it back to avoid reflected XSS
    echo "Username is " . htmlspecialchars($_POST['username'] ?? '', ENT_QUOTES, 'UTF-8');
  } else {
    echo "CSRF token failed!";
  }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="ie=edge">
  <title>Validate CSRF</title>
</head>
<body>
  <form method="post" action="index.php">
    <input type="text" name="username" placeholder="your name" />
    <input type="hidden" name="csrf" value="<?php echo htmlspecialchars($csrf, ENT_QUOTES, 'UTF-8') ?>" />
    <input type="submit" name="submit" value="Submit">
  </form>
</body>
</html>

Force my Website to use SSL

To force a specific domain to use HTTPS, put the following lines in the .htaccess file in your website's root folder. A rule like this must only fire when the request is not already on HTTPS (RewriteCond %{HTTPS} off); otherwise a request that arrived over HTTPS is redirected to itself indefinitely. If TLS terminates at a proxy or load balancer in front of Apache, %{HTTPS} is off for every request, and you need to test the X-Forwarded-Proto header instead. Once the site works over HTTPS, a Strict-Transport-Security header keeps browsers from trying plain HTTP again at all.

RewriteEngine On
# Only rewrite plain-HTTP requests, otherwise the rule redirects to itself forever
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^sitedomaingoeshere\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.sitedomaingoeshere\.com$
# Keep the requested path ($1) rather than sending everything to the front page
RewriteRule ^(.*)$ https://sitedomaingoeshere.com/$1 [R=301,L]

Plug in Modules in JavaScript

In JavaScript there are different kinds of modules. CommonJS modules are what Node.js uses by default, with no Babel transpiler needed. ES2015 modules (ES modules) use a different import/export syntax. Both bring in modules, which can be other JavaScript files in your project or packages installed with npm.

Common JavaScript modules

Create a simple js file named ‘mymodule.js’:

// make everything in this file available for the other files
module.exports = {
  name: 'Vlad',
  email: 'test@test.com'
}

In the app file bring this module file in:

const person = require('./mymodule'); // the .js extension is optional for require()
console.log(person.name);

To bring in a package installed with npm, use the package name instead of a relative path:

const express = require('express');

ES2015 JavaScript modules

A slightly different syntax is used for ES2015+:

export const person = { //this variable can be accessed from other files
  name: 'Vlad',
  email: 'test@test.com'
}

In the app file bring in this module:

import { person } from './mymodule'; // native ES modules (browser, Node) require './mymodule.js'; bundlers and Babel resolve it without
console.log(person.name);

If you need everything a file exports, import it under one namespace object (mod.person here):

import * as mod from './mymodule';

Exporting default object

The module file:

const greeting = 'Hello';
export default greeting;

In the app, import it without curly braces (any local name works for a default export):

import greeting from './mymodule';
console.log(greeting);

Calculate person’s age from the date of birth

To calculate a person’s age from the date of birth use vanilla JavaScript:

function Person(dob) {
  // Use an ISO date (YYYY-MM-DD); a string like '9-10-1990' is parsed
  // differently by different JavaScript engines
  this.birthday = new Date(dob);
  this.calculateAge = function() {
    // Milliseconds since birth, reinterpreted as a date counted from 1970:
    // the year of that date minus 1970 is the number of whole years elapsed
    const difference = Date.now() - this.birthday.getTime();
    const ageDate = new Date(difference);
    return Math.abs(ageDate.getUTCFullYear() - 1970);
  }
}
const person = new Person('1990-09-10');
console.log(person.calculateAge());
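The epoch-difference trick above is compact, but it hides a future date of birth behind Math.abs, accepts engine-dependent date strings, and depends on the current clock, so it cannot be unit-tested. The following is an added example (not code from the original post) that computes age by comparing calendar fields against an explicit "as of" date, validates the input format, and rejects a date of birth in the future. The function names and the sample dates are illustrative.

```javascript
// Added example, not code from the original post: compute age by calendar
// comparison instead of epoch arithmetic, against an explicit "as of" date so
// the result is deterministic. Inputs are ISO dates (YYYY-MM-DD); the
// function names and the sample dates below are illustrative.
const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/;

// Parse a YYYY-MM-DD string as a UTC date, rejecting anything else (strings
// like '9-10-1990' are parsed differently by different engines).
function parseIsoDate(s) {
  if (typeof s !== 'string' || !ISO_DATE.test(s)) {
    throw new RangeError('expected YYYY-MM-DD, got ' + String(s));
  }
  const d = new Date(s + 'T00:00:00Z');
  if (Number.isNaN(d.getTime())) throw new RangeError('invalid date ' + s);
  return d;
}

// Whole years between the date of birth and asOf. Subtract one if this
// year's birthday has not happened yet on asOf. A 29 February birthday
// counts as 1 March in non-leap years.
function ageOn(dobIso, asOfIso) {
  const dob = parseIsoDate(dobIso);
  const asOf = parseIsoDate(asOfIso);
  if (dob > asOf) throw new RangeError('date of birth is in the future');
  let age = asOf.getUTCFullYear() - dob.getUTCFullYear();
  const beforeBirthday =
    asOf.getUTCMonth() < dob.getUTCMonth() ||
    (asOf.getUTCMonth() === dob.getUTCMonth() && asOf.getUTCDate() < dob.getUTCDate());
  if (beforeBirthday) age -= 1;
  return age;
}

// Convenience wrapper for "today" (UTC), equivalent to the original's use case.
function currentAge(dobIso) {
  return ageOn(dobIso, new Date().toISOString().slice(0, 10));
}

console.log(ageOn('1990-09-10', '2020-09-09')); // 29, the day before the birthday
console.log(ageOn('1990-09-10', '2020-09-10')); // 30, on the birthday
```

Separating the "as of" date from the clock is what makes the birthday and leap-day edge cases checkable; currentAge is the only function that touches Date.now().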