Web Development Notes

  There is a certain set of standard HTTP headers that every website should ideally set to provide a basic level of security. This note discusses such headers and how to set them on sites deployed in Netlify. Common security headers First, let’s consider basic HTTP headers - they are common to all requests and provide a basic level of security. The Content-Security-Policy header helps protect your website from cross-site scripting attacks by providing a list of approved content. This header allows you to prohibit the use of content that does not pass the rules or should not be used as content. Setting this header may seem complicated, so if you want to delve into the topic, visit the official website. Example usage: Content-Security-Policy: default-src 'https://example.com'; script-src 'unsafe-inline' 'https://example.com'; style-src 'unsafe-inline' 'https://example.com'; object-src 'none' The X-Frame-Options header tells the brow...

Block bad users based on their User-Agent string Sometimes your website can be attacked from different IP addresses and it is impossible to block all such users. If there is fixed user-agent in the request, you can block such access using the following rule: Block multiple bad User-Agents: <VirtualHost  XXX.140.234.34:80 >     ServerName www.example.us     LogLevel debug     ErrorLog /var/log/apache2/example.log     CustomLog /var/log/apache2/example.log combined     AddDefaultCharset utf-8     RewriteEngine On     # Block requests from Amazonbot - this rule sends a 403 Forbidden response ([F]) and stops processing further rewrite rules ([L]).     RewriteCond %{HTTP_USER_AGENT} Bytespider|ClaudeBot [NC]     RewriteRule ^ - [F,L]     RewriteCond %{SERVER_NAME} XXX.140.234.34     RewriteRule /(.*) http://www.example.us/$1 [R=301,L]     LimitRequestBody...