Hardening websites with .htaccess

Always use latest php available from your hosting provider:

AddType application/x-httpd-php-latest .php

Using mod_rewrite:

<IfModule mod_rewrite.c>

RewriteEngine On

#Redirect HTTP to HTTPS:
RewriteCond %{HTTPS} off

RewriteRule (.) https://%{HTTP_HOST}%{REQUEST_URI}

#Disable compression:

RewriteRule ^(.)$ $1 [NS,E=no-gzip:1,E=dont-vary:1]

</IfModule>

Strict HSTS, CSP, XSFR headers:

<IfModule mod_headers.c>

Header set Content-Security-Policy "upgrade-insecure-requests"

Header set Referrer-Policy "strict-origin-when-cross-origin"

Header set Strict-Transport-Security "max-age=15811200"

Header set X-Frame-Options "DENY"

</IfModule>

Xubuntu and KeePassXC with no browserintegration (snap crap)

Having trouble connecting from browser on a freshly installed Xubuntu. My browser extensions in Firefox acted up. All because of snap is crap (in this regard anyways)

KeePassXC when installed in Xubuntu, uses “snap” and therefore the browser integration does not work. It has to go.

Remove the snap
Install the real thing. (Either by PPA for newest versions or normally with standard repositories.
The browser selection window is not visible in the snap version… but they are here. Enjoy.

Skype for Linux – unsigned – breaking template updates

Package skypeforlinux_8.62.0.83-1.x86_64.rpm is not signed

My daily patching of my Qubes fedora-32 template failed, and I just found our that Skype might be the reason. I tried starting skype, and found it to be requiring of an update:

Update, pretty please…

This proved faulty, since Microsoft might have given up on Skype, their last update was unsigned and broke updates on one of my fedora-32 templates.

Has the trainee Linux enthusiast been responsible for the full delivery?

Then I tried forcing the install, since I trusted the package origin, but I saw that the quality of the package might be below par(it does work, though), so I chose to part with Skype for now:

Updating / installing…
1:skypeforlinux-8.62.0.83-1 ################################# [100%]
Redirecting to /bin/systemctl start atd.service
Failed to start atd.service: Unit atd.service not found.

Goodbye Skype. Maybe we will meet again some day out of nostalgia alone.

Remember to remove the repo also, if you really mean it 🙂

/etc/yum.repos.d/skype-stable.repo

KeePassXC risk analysis based setup on fedora-30

Goal: If a new security vulnerability is found in KeePassXC(eg. 0-day), I would like to ensure the fastest possible update, risking the possibility of not being able to use the application.

By updating from an unstable repository, this can, of course, also introduce vulnerabilities, that has just not been detected yet.

I have decided to rather patch known vulnerabilities, using software with potential unknown vulnerabilities, rather than having unpatched known vulnerabilities. That is basically my risk analysis.

Also, if the application fails and is unusable, it might still be better using “forgot password” features, than using a piece of known insecure software. Depends on who you are, and what level you are comfortable with. Every decision needs to be risk based and subjective to the risk taker.

So, lets solely, enable KeePassXC packages, getting updates from a more unstable branch. Put this in your fedora-30 /etc/yum.repos.d/fedora-updates-testing.repo end of first paragraph:

adding “includepkgs=keepassxc”

This should be called the frog/rabbit method, since we are litterally jumping ahead of ourselves, just as the remark from Quentin Tarantino in “Four Rooms” movie, states.

And I need ALL testing packages, that actually works, ending up in stable. That’s a premise.

UPDATE: As Samuel Sieb described, it is important to have “–disableexcludes” on the commandline, every time you need to update a package from the testing repository. I just experienced, I could not update the 0-day emergency patch from mozilla to firefox, due to this.

SOLUTION: [user@fedora-30 yum.repos.d]$ sudo dnf upgrade –enablerepo=updates-testing –disableexcludes=updates-testing –advisory=FEDORA-2020-2713adc57f

Adding a newer AppVM template to the Disposable VM on Qubes 4.0

After installing Qubes 4.0, I’ve not actually used disposable vm’s as much as I should, but after Micah Lee showed me the Thunderbird plugin, I had to make a newer disp-vm template, than the old fedora-26 without libreoffice. Can’t open word documents without it, I’m afraid.

In Dom0:

qvm-prefs –set <AppVM to use as template> template_for_dispvms True

I have a personal-28 template to use for newer stuff, so that’s what I will use instead.

See the “Default DispVM “is changed from fedora-26 to Personal-28.

Donate to the Qubes-OS project

Howdy,

I just pledged $5, monthly to the Qubes-OS project:

You should absolutely do the same. Every little bit helps:

My first was KeepassXC: