
Make Firefox to Not Send HTTP Referer (or On a Per-Site Basis)

By default, browsers such as Firefox send the Referer information to the target URL in the HTTP header, as defined by the HTTP protocol, so the destination URL / website knows where you have come from. For instance, when you click this link to one of my friends’ sites, Princessly, it would know you have arrived from this page:

https://www.kavoir.com/2012/08/make-firefox-to-not-send-http-referer-or-on-a-per-site-basis.html

Because Firefox sends this information in the HTTP header.

While this is very valuable data to many parties, such as website owners (who can analyze traffic sources) and market analysts (who want to know people’s interests and habits so as to sell well), it can be bad for our privacy because it discloses our browsing information to the websites we are visiting. You may want to stop Firefox from sending the referrer.

How to stop Firefox from sending the HTTP referrer?

Just type:

about:config

In your Firefox address bar and click “I’ll be careful, I promise!”.

In search, type:

referer

An entry reading “network.http.sendRefererHeader” will appear with a value that’s 2 by default. Right click on the entry and click “Modify”. Input 0 and click OK.

Restart your Firefox, and now it should not send any referer information any more. And no website would ever know where you were before coming to them.

Not Send Referer on a Per-Site Basis in Firefox?

However, sometimes this may break something, as legitimate sites also use referer information to better serve you. Instead, there may be just a few sites that you don’t quite trust and for which you want to disable the referer.

Simple. Just use the RefControl add-on for Firefox.

After installation, you should see a tiny button on the Add-on Bar, at the bottom of the Firefox window. When you are at the website, click on the button and select “RefControl Options for This Site” and you will have this dialog box:

[Screenshot: block referer in Firefox]

Just select your intended option for this particular site. If you do not want to send any referer information to this site, just select “Block – send no referrer” and click OK.

That’s it. Now Firefox will send no HTTP referer information to this particular site but will keep sending it to all other sites.


Redirect 404 Error to Home Page

Other than making your 404 error page user friendly, you can redirect it to one of your index pages such as the homepage, sitemap, or search page, to make it useful for the users. Instead of relying on them to correct the error themselves, you point them somewhere useful.

How to redirect a 404 error page to the home page?

There are essentially 3 ways to do this depending on the technology your site is built on.

The .htaccess and HTML solution

This works across all sites that are served by the Apache web server with .htaccess enabled. Add this line in the .htaccess file in the root directory of your domain:

ErrorDocument 404 /404.html

And in 404.html, add a meta tag in the HTML head section:

<meta http-equiv="Refresh" content="1; URL=http://www.example.com/">

So when there’s a 404 Not Found error, the user is first served /404.html and is then, in turn, redirected to the homepage http://www.example.com/ (or whatever you change it to) by the meta Refresh tag.

The PHP solution

If you are using PHP to code your site, chances are you know this solution. You can always use the previous solution (The .htaccess and HTML solution) to redirect 404 error page to your home page on a PHP site, but you can also try the pure PHP approach instead.

Whenever a user types in a URL request that you do not recognize, render this:

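header("HTTP/1.1 404 Not Found");
// Note: sending a Location header makes PHP answer with status 302
// unless a 3xx (or 201) status has already been set.
header("Location: /");
exit();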

Which would redirect the user who has hit a 404 error to the homepage / or any other page URL you specify there.

The WordPress solution

If you are using WordPress for your site, make a 404.php file in your theme directory with the following content:

<?php
header("HTTP/1.1 301 Moved Permanently");
header("Location: ".get_bloginfo('url'));
exit();

WordPress automatically uses 404.php as the default 404 Not Found error page, and when a user hits that page, he or she is taken to the home page of your WordPress blog.


HTML: Make a Page Refresh Every xx Seconds

A quick tip for those who just started learning HTML. It’s possible to add a line of code in your HTML page so that it’s automatically refreshed every few seconds when loaded in the user’s browser.

To make the page automatically refresh itself every 60 seconds, just insert the following code in the <head></head> section of your HTML source code:

<meta http-equiv="refresh" content="60">

This would be very useful to display information that is constantly changing.

This can also be used to redirect the user from the current page to another, just specify the destination URL:

<meta http-equiv="refresh" content="30; url=http://example.com/">

Which would redirect the browser to http://example.com/ 30 seconds after finishing loading the current page.


PHP: How to distinguish values in $_POST or $_GET that are sent via HTTP requests and those that are set / assigned in the code

To send parameters to a PHP script, you can either build a form and post a few variables by the POST method or simply request a URL carrying GET value pairs. In the server-side PHP script, you can then retrieve these parameters sent from the client in $_POST or $_GET. The catch is that, besides receiving values from client requests, you can also manually assign values to these arrays in your code. For example,

<?php
$_POST['test'] = 100;
?>

Here $_POST['test'] can be used just like a value received from an HTTP request. But how can we tell the posted ones from the assigned ones? The PHP function filter_has_var() is the answer. To check whether a variable was really posted by a client request:

if (filter_has_var(INPUT_POST, 'test')) {
	// 'test' was posted by the client in the request body
} else {
	// 'test' was not posted: $_POST['test'] is assigned locally (or not set at all)
}

The same rule applies to $_GET. To check whether a $_GET value was received via the URL request:

if (filter_has_var(INPUT_GET, 'test')) {
	// 'test' was sent by the client in the URL query string
} else {
	// 'test' was not in the query string: $_GET['test'] is assigned locally (or not set at all)
}

PHP: How to detect / get the real client IP address of website visitors?

It may seem simple at first because most of us rely solely on the server-side environment variable REMOTE_ADDR for client IP addresses:

echo $_SERVER['REMOTE_ADDR'];

Yet it’s barely enough to get the real IP in a variety of circumstances, such as when the user is visiting your website through a proxy server. To everyone’s surprise, there are a lot more environment variables regarding the client IP address than just the most straightforward one, REMOTE_ADDR. Consider this snippet that attempts to detect the real source IP address of the request:

function get_ip_address() {
    // Checked in this order; every HTTP_* entry is taken from a request header.
    foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            // A header may carry a comma-separated list of addresses.
            foreach (explode(',', $_SERVER[$key]) as $ip) {
                $ip = trim($ip); // entries after a comma usually start with a space
                if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
                    return $ip;
                }
            }
        }
    }
    return null; // no valid address found
}

It first searches through a series of possible environment variables that may contain the client IP address, uses whichever one is set, and then extracts the potential IP value to be validated. After successful validation by the PHP5 filter_var() function, the value is returned. You had better not change the order in which these variable names are placed in the literal array.

This approach is much more sophisticated than just looking at REMOTE_ADDR, but it’s far from foolproof because it relies on HTTP header information, which can easily be manipulated anywhere along the route the request takes to your server / website.
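
The caveat above can be narrowed by honouring forwarding headers only when the request arrives from a reverse proxy you run yourself. The sketch below is an added example, not code from the original post; the TRUSTED_PROXIES addresses, resolve_client_ip() and the sample requests are constructed assumptions.

```php
<?php
// Added example (not the original author's code). TRUSTED_PROXIES is an
// assumed, constructed list of reverse proxies that you operate yourself.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Resolve the client IP from REMOTE_ADDR and X-Forwarded-For.
 * Forwarding headers are honoured only when the direct peer is a trusted proxy.
 */
function resolve_client_ip(array $server, array $trusted = TRUSTED_PROXIES): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? null;
    if ($peer === null || filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Direct connection, or a peer we do not control: ignore all headers.
    if (!in_array($peer, $trusted, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    // Each proxy appends the address it received the request from, so the
    // right-most entries are the ones written by our own infrastructure.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the socket address
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop; // first hop that is not one of our proxies
        }
    }
    return $peer; // every hop was a trusted proxy
}

// Constructed sample requests.
$samples = [
    'direct client, forged header' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'via trusted proxy'            => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'forged prefix via proxy'      => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7, 10.0.0.6'],
];
foreach ($samples as $label => $server) {
    printf("%-30s => %s\n", $label, resolve_client_ip($server));
}
```

Use the resolved value for logging and rate limiting; for access-control decisions, REMOTE_ADDR remains the only address the server observes itself.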


2 reasons you should host all static content on a different domain

That is, to host all static content such as ready-made images, scripts, style sheets on a different domain rather than the primary one that hosts the page of the current URL. For example, if you intend to add static images to the web page located at http://www.example.com/page.html, you should not place the images on www.example.com, instead, put them somewhere else such as example-static.com or static.example.com.

The first reason for this is that browsers load web assets one by one, or sequentially, from a single host. They will not start requesting and downloading the next asset until they are finished with the previous one from the same domain. Therefore, doubling the hosts or domains can accelerate the downloading speed by about 100% because browsers can simultaneously download stuff from 2 different domains.

Another reason is that if cookies or sessions are enabled on your website, the browser sends the session cookie every time it makes a request to the domain, which is useless for static content: the server doesn’t need the cookie at all to serve static content such as images. It’s not only a waste of bandwidth but also a waste of communication time. To avoid this, serve all static content from a domain that is not cookie enabled. For instance, if you have set the cookie for example.com, you can host all static content at static.example.com. However, if you have enabled the cookie for *.example.com instead of just example.com, you will need to register a whole different domain to host the static content to steer clear of the useless overhead.

Not much for a small site, but this would be a major improvement regarding user experience for established, popular websites.


scp, rsync: Transfer Files between Remote Servers via SSH

Chances are you have a bunch of different hosts housing your website files, for the sake of data safety (never put all your eggs in a single basket) and possibly some SEO advantage. If that is the case, you will occasionally need to move some files from one host server to another. How does one do that?

The straightforward answer is to download the files from the source host and then upload them to the destination host via FTP. That doesn’t waste much time with a small number of files, especially small ones. However, if it’s an impressively large package, say, 4GB, or thousands of files, this would be quite a daunting job that may very well take the better part of your day or even a few days.

The shortcut is to transfer those files directly from the original host to the other, via SSH. That is of course, if you have both hosts enabled with SSH.

scp Command

Log into the destination host via SSH and try the following command:

scp -r remoteuser@remote.host.com:/home/remoteuser/dir-to-be-transferred/. /home/localuser/backup

Wherein remote.host.com is the address of the source host and remoteuser is the SSH user (shell user) account that can read the remote directory to be transferred, namely /home/remoteuser/dir-to-be-transferred. The last argument is the local path that’s receiving the incoming files / directory.

The dot at the end of dir-to-be-transferred makes sure that all hidden files such as .htaccess are copied as well. Without the current directory sign (dot), hidden files are NOT copied by default.

You can also transfer a specific file:

scp remoteuser@remote.host.com:/home/remoteuser/mybackup.tar.gz /home/localuser/backup

As a matter of fact, scp works exactly the same way as an ordinary cp command except it’s able to copy files to and from remote hosts. The “s” of “scp” stands for safe, because all the data transferred is encrypted over SSH.

It’s a great way to back up your valuable website data across multiple different hosts that are physically far away from each other. With the help of crontab jobs that do the regular backups automatically, this is even better than some of the commercial backup services.

rsync Command

rsync is preferable to scp for synchronizing stuff across different hosts because it compares differences and works incrementally, thus saving bandwidth, especially with large backups. For example,

rsync -av --progress remoteuser@remote.host.com:/home/remoteuser/dir-to-be-transferred /home/localuser/backup

This would copy and transfer the directory dir-to-be-transferred with all its content into backup so that dir-to-be-transferred is a sub-directory of backup.

rsync -av --progress remoteuser@remote.host.com:/home/remoteuser/dir-to-be-transferred/. /home/localuser/backup

With an extra /. at the end of the source directory, only the content of the directory dir-to-be-transferred is copied and transferred into backup. Thus all the content of the directory dir-to-be-transferred becomes immediate children of backup.

To make the transfer of a very large file resumable, use the -P switch, which automatically includes --progress:

rsync -avP remoteuser@remote.host.com:/home/remoteuser/large-file.ext /home/localuser/backup

So when the transfer is interrupted, run the same command again and rsync would automatically continue at the break point.

To specify the SSH port, such as 8023, just add:

 --rsh='ssh -p8023'

rsync automatically takes care of all hidden files, so there’s no need to add a dot at the end of the source directory.

To exclude a specific directory from being synchronized:

 --exclude 'not/being/transferred'

Apache, PHP: Get Client Browser HTTP Request Headers Information

Every HTTP request made by a client web browser to an Apache server should conform to the HTTP specification and provide a certain set of headers for the server to parse and understand. Useful header information that can be retrieved in PHP with the function apache_request_headers() includes:

  1. User-Agent: Operating System, browser and its version number, …
  2. Accept-Language: Requesting client language
  3. Accept-Charset: Character set of the client

To get an array of the above client request headers, just use the apache_request_headers() function:

$headers = apache_request_headers();

And you’ll get:

Array
(
    [Host] => localhost
    [User-Agent] => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 GTB5
    [Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [Accept-Language] => en-us,en;q=0.5
    [Accept-Encoding] => gzip,deflate
    [Accept-Charset] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
    [Keep-Alive] => 300
    [Connection] => keep-alive
    [Cache-Control] => max-age=0
)

Similarly, you can use apache_response_headers() to get the HTTP response headers information sent from your server to the client.


PHP: Send HTML Email (mail)

As we all know, the simplest approach to create an email message and send it out is to use the PHP mail() function. A typical usage example would be:

mail('recipient@email.com', 'Subject Title', 'Message body goes here.');

However, as the mail() function sends emails with the text/plain MIME type by default, if you include HTML code in the message body, it will not be interpreted as HTML at all. Instead, all the tags and attributes are displayed as they are.

To work around this and send HTML email with the PHP mail() function, you have to change the message MIME type to text/html. In practice, use the mail() function with an additional argument to set arbitrary headers for the email message:

$to = 'recipient@email.com';
$subject = 'Purchase Successful!';
$message = '
<html>
<head>
	<title>Purchase Successful!</title>
</head>
<body>
	<p>Here are the order details:</p>
	<p> ... </p>
	<p><a href="http://www.example.com">back to store</a></p>
</body>
</html>
';

$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

mail($to, $subject, $message, $headers);

Now the email dispatched to the recipient will have all the HTML in it working as expected.
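
When any part of the message comes from a form or a database rather than a literal string, the same mail() call needs two guards: escape what goes into the HTML body, and refuse line breaks in header values. This is an added example, not the original author's code; build_html_mail(), safe_header_value() and the sample values are hypothetical.

```php
<?php
// Added example, not the original author's code. The helper names and the
// sample values are hypothetical; only mail() itself is PHP's own function.

/** Reject values that would let a caller add extra header lines. */
function safe_header_value(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('CR/LF not allowed in mail header values');
    }
    return $value;
}

/** Return [to, subject, body, headers] ready to be passed to mail(). */
function build_html_mail(string $to, string $subject, string $customer, string $item): array
{
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid recipient address');
    }
    // Escape everything that ends up inside the HTML body.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $body = '<html><body>'
          . '<p>Hello ' . $esc($customer) . ', here are the order details:</p>'
          . '<p>' . $esc($item) . '</p>'
          . '</body></html>';
    // Declared charset matches the one used for escaping above.
    $headers = 'MIME-Version: 1.0' . "\r\n"
             . 'Content-type: text/html; charset=utf-8' . "\r\n";
    return [$to, safe_header_value($subject), $body, $headers];
}

// Constructed input: the customer name contains markup.
[$to, $subject, $body, $headers] = build_html_mail(
    'recipient@example.com', 'Purchase Successful!', '<b>Ellen</b>', 'Swim goggles & cap'
);
echo $body, "\n"; // markup in the name is shown as text, not rendered
// mail($to, $subject, $body, $headers); // send once the values are built

// Constructed input: a subject containing a line break is refused.
try {
    build_html_mail('recipient@example.com', "Line one\r\nLine two", 'Ellen', 'Cap');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```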


PHP cURL: Fetching URL and Sending Request with Cookies

One of the things the remote web server inspects is the client cookie to know about the requester. If you need cURL to simulate a user browser that sends cookie information to the web server, you need the following options:

$c = curl_init('http://www.example.com/needs-cookies.php');
curl_setopt ($c, CURLOPT_COOKIE, 'user=ellen; activity=swimming');
curl_setopt ($c, CURLOPT_RETURNTRANSFER, true);
$page = curl_exec ($c);
curl_close ($c);

So, the HTTP request cURL sends out to www.example.com will take the cookie data with it, thus the remote script needs-cookies.php knows the information and determines that the request is sent from the user ellen’s web browser.