Archive for June, 2015

HSTS enabled!

Friday, June 19th, 2015

Hey everyone!

As noted in my previous post, I’ve finally switched my domain to HTTPS. I was reluctant to enable HSTS (HTTP Strict Transport Security) at first but after looking at this talk, I’ve decided to just go with the flow and enable it on CloudFlare:

[Image: hsts]

Basically it means that, as of right now, you’ll always use HTTPS when visiting my website, even if you try and visit the old HTTP URL. This will occur not only because my Apache server is configured to automatically redirect you to the HTTPS version, but because your browser will automatically go to the HTTPS URL. Why will it do that? Because my site is now sending the HSTS HTTP header:

strict-transport-security:max-age=15552000; includeSubDomains; preload

Basically that header tells your browser: "This is an HTTPS-enabled website; always use HTTPS if you come back here. Please do this for this domain and all sub-domains for the next six months."

For now, as my site isn’t in the browsers’ HSTS preload list yet (I’ve just submitted it), you may visit this site once more using plain HTTP, but as soon as your browser sees the HSTS header it’ll remember to always switch to HTTPS.
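As an added example (not code from the original post), here is a small Python parser for the header value shown above, following RFC 6797 section 6.1: directive names are case-insensitive, max-age is required and may be quoted, duplicate directives make a browser discard the header, and unknown directives are ignored. The one-year minimum used by preload_ready is the current hstspreload.org rule, which is stricter than the rule in force when this post was written, so the 180-day value above would not qualify today.

```python
"""Parse a Strict-Transport-Security header value (RFC 6797, section 6.1)."""
import re

# max-age takes a non-negative integer, either bare or as a quoted string
_MAX_AGE_RE = re.compile(r'^"?(\d+)"?$')
# hstspreload.org currently asks for at least one year (assumption: verify the current rules there)
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Return the policy a browser would store, or raise ValueError for a header it would reject."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerate a trailing ';'
        name, _, val = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            raise ValueError("duplicate directive: " + name)  # each directive may appear once
        seen.add(name)
        if name == "max-age":
            match = _MAX_AGE_RE.match(val.strip())
            if not match:
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(match.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored, as the RFC requires
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def describe(value):
    """Plain-English reading of the header, e.g. for the value this site sends."""
    policy = parse_hsts(value)
    days = policy["max_age"] // 86400
    scope = "this host and all subdomains" if policy["include_subdomains"] else "this host only"
    return f"remember HTTPS for {days} days, {scope}" + (", preload requested" if policy["preload"] else "")


def preload_ready(value):
    """True when the header carries all three things the preload list requires."""
    policy = parse_hsts(value)
    return policy["max_age"] >= PRELOAD_MIN_MAX_AGE and policy["include_subdomains"] and policy["preload"]
```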

Why does HSTS matter? Because it will protect YOU against man-in-the-middle attacks. Not that this website is sensitive in any way, but as a good Web citizen I have to do what I can, right? ;-)

I was hesitant to enable this because I’ve just signed up with CloudFlare and if they decide to drop their free subscription plan then it means that I’ll be forced to find either another similar solution or buy a certificate that I can install on my web host; in my case OVH doesn’t allow importing third party certificates and they charge about 50€ per year for that (which is wayyyyyyyy too much for a personal website).

The bet that I’m making by enabling HSTS now is simply that the free subscription model of CloudFlare will remain available for at least 2-3 years (hopefully much longer) and that in the meantime, given how major players such as Mozilla and Google are pushing for HTTPS everywhere, the overall accessibility/affordability of HTTPS for personal websites will have improved. If I’m wrong, well, then I’ll either pay if you show me enough love or shut this thing down ;-)


HTTPS everywhere

Thursday, June 18th, 2015

TL;DR: CloudFlare is awesome, but don’t underestimate the effort required to fully switch your site to HTTPS.

About time… That’s what I keep telling myself; my site won’t be considered insecure by default :)

I’ve finally switched this site to HTTPS and I must say that CloudFlare has made this extremely easy, straightforward and fast.

Now I’ll be able to have fun with Service Workers and other modern Web goodies that require HTTPS.

Here’s what I had to do in order to get the holy green padlock.

First I had to create a (FREE) account on CloudFlare. Once my account was created I entered the domain that I wanted to add and CloudFlare went about finding all the DNS zone entries it could find. That took about a minute and the result was correct.

Next, I had to modify my domain’s DNS zone name servers to replace the OVH ones with those of CloudFlare. It didn’t take long for the switch to actually take place. DNS replication ain’t the fastest of things.

And bam done.. or almost.


As I like tweaking stuff, I had to check out all the features provided by CloudFlare, and the least I can say is that the feature list included in the free tier is just plain impressive!

Here’s what I’ve enabled:

  • SSL w/ SPDY: SSL between clients and CloudFlare as well as between CloudFlare and OVH (although the certificate presented by OVH isn’t trusted, it’s still better than nothing)
  • IP firewall: basic but nice given the price :p
  • Automatic minification of JS/CSS/HTML assets
  • Caching
  • Always online: awesome, they’ll continue to serve my static content even if the site goes down
  • A few other nice things

They also provide ways to purge their cached data and to enable a Dev mode that gives access to up-to-date resources, etc.

In the future, if I’m convinced that I can keep my site HTTPS-enabled for long, then I’ll also enable HSTS.

I might also give their Rocket Loader feature a try…


Enabling HTTPS for my site is only the first part of the story; there were other changes I needed to make in order to get the almighty green padlock (TM).

I first needed to make sure that my visitors (you guys) visited the site using HTTPS, so I’ve updated my .htaccess file accordingly:

...

RewriteEngine On

# 2015-06-18 - Automatic redirection to https now that CloudFlare is enabled
RewriteCond %{HTTPS} off
# rewrite to HTTPS
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# rewrite any request to the wrong domain to use www.
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

...

With this, I have an automatic http to https redirection. Of course that isn’t going to protect you from MITM attacks but I’m not ready to enable HSTS just yet.


Next I had to update my WordPress configuration to ensure that all generated links use HTTPS (WordPress address & Site address URL).

This fixed a few issues with mixed content but not all of them. I had to go through all my template’s files to ensure that I was using https everywhere; namely I had hardcoded the URL of my FeedBurner RSS feed.


I also noticed that I was still getting errors in the console about mixed content and indeed my site was retrieving some resources using plain HTTP from other domains.

In order to fix this, I had to

  • use my very rusty SQL-fu to replace http by https at all the places it made sense in my posts (e.g., links to Google Photo images, links to my own site, etc)
  • modify one of my WordPress extensions to retrieve its scripts from Google’s CDN using HTTPS
  • get rid of an extension that was using iframes, swf objects and displayed warnings if Flash was missing (oh god..) =)
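An added example (not code from the original post) of the mixed-content hunt described above: a small Python scanner that lists plain-http subresources in a page. It distinguishes resources a browser actually fetches from navigation links and from a rel="alternate" feed pointer, and it leaves scheme-relative "//host/..." URLs alone. The sample page and its host names are constructed.

```python
"""Report plain-http subresources in an HTML document (a mixed-content pre-check)."""
from html.parser import HTMLParser

# Attributes through which a browser fetches a subresource; <a href> is navigation, not a fetch
RESOURCE_ATTRS = {"img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
                  "video": ("src", "poster"), "source": ("src", "srcset"),
                  "embed": ("src",), "object": ("data",), "link": ("href",)}
# <link> only fetches for these rel values; rel="alternate" (an RSS feed) is just a pointer
FETCHING_LINK_RELS = {"stylesheet", "icon", "shortcut", "preload", "prefetch"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset is "url descriptor, url descriptor, ..."; keep the URLs only
            urls = [c.split()[0] for c in value.split(",") if c.strip()] if name == "srcset" else [value]
            for url in urls:
                # "//host/..." is scheme-relative and follows the page's https, so it is not flagged
                if url.strip().lower().startswith("http://"):
                    self.findings.append((tag, name, url.strip()))


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, not taken from the blog
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.invalid/style.css">
<link rel="alternate" type="application/rss+xml" href="http://feeds.example.invalid/rss">
<script src="http://ajax.example.invalid/jquery.js"></script>
<script src="https://ajax.example.invalid/angular.js"></script>
</head><body>
<a href="http://example.invalid/old-post">navigation link, not a subresource</a>
<img src="//img.example.invalid/a.png" srcset="http://img.example.invalid/a-2x.png 2x">
<iframe src="http://video.example.invalid/embed"></iframe>
</body></html>"""
```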

I also took the opportunity to configure CORS, again through my .htaccess:

...

<IfModule mod_headers.c>
    # "*" lets any origin read responses; browsers never combine it with credentials,
    # so this does not expose logged-in WordPress sessions to other sites
    Header set Access-Control-Allow-Origin "*"
    # header name and value are separate arguments: no colon after the name
    Header set Access-Control-Allow-Methods "GET,POST,OPTIONS,DELETE,PUT"
</IfModule>

...

And now, just look at this beauty:

[Image: Green beauty]


Sublime Text plugins that I use

Monday, June 1st, 2015

TL;DR: I’ve started using Sublime Text as my default text editor, it is indeed awesome and I’ve compiled a list of the plugins that I find useful.

For a very long time, my text editor of choice has remained Notepad++ (NPP for friends). NPP is still great (it’s free and open source, it has tabs, extensions, syntax highlighting and some other goodies), but it’s not AWESOME.

I’ve been hearing about Sublime Text for a while now but never really took the time to try it out seriously. Moreover, the last time I checked I’ve noticed that it wasn’t free so I didn’t get any further. Although I do understand the reasons why some developers choose the lucrative path, I’m in general more inclined to use free and preferably open source software (why pay when you can get something just as good for free?).

So Sublime Text’s website URL was hidden somewhere in some dark corner of my bookmarks and was set to remain in there forever, until a Web designer at work gave me a quick demo which led me to reconsider it :)

The first word that now comes to my mind when thinking about Sublime Text is “polished”: the UI is really beautiful and that alone makes it very pleasing to use. Sublime has really neat text selection/editing features (e.g., column and multi-selection editing, auto-completion, …), support for many languages (syntax highlighting), uber fast search and navigation, tabs, macros, etc. I’m not going to list it all here as I’m pretty sure many people took time to do so already.

But even though the out-of-the-box feature list is quite nice, it is far from enough to make me consider it worthy of replacing NPP, which I’m very used to. Really getting to know an editor takes time and I only have so much available.

What really made me change my mind is the ecosystem of Sublime. Over time, as the community has grown, many developers have spent time developing a ton of extensions, themes and color schemes for it. The package manager for Sublime is called Package Control and contains almost 3K packages, hence at least 100 are probably worth a try :)

Suffice it to say, knowing this, I needed to go through the catalog and try out the most popular extensions. In doing so, I’ve realized that Sublime + extensions > NPP + extensions, which is why Sublime is now my default text editor. It’ll take me a few weeks/months to really take advantage of it, but I already enjoy it a lot.

I’m not going to explain here how to install the package manager or install packages; for that you should rather check out the following video.

Without further ado, here’s the list of extensions that I’m currently using along with a small description to give you an idea of why I consider each useful/relevant for productivity (assuming that you’re into software development that is ^^). I’ll create new posts whenever I discover new ones that are of interest.

General:

  • NPM: Easily interact with the Node Package Manager (NPM) from Sublime (e.g., install NPM packages, add project dependencies, …)
  • Gulp: Quickly execute Gulp commands directly from Sublime (I’ll talk about Gulp in a future post)
  • SublimeCodeIntel: Code intelligence and smart autocomplete engine. Supports many languages: JavaScript, Mason, XBL, XUL, RHTML, SCSS, Python, HTML, Ruby, Python3, XML, Sass, XSLT, Django, HTML5, Perl, CSS, Twig, Less, Smarty, Node.js, Tcl, TemplateToolkit, PHP (phew ^^)
  • BracketHighlighter: Highlight brackets in the gutter (bar left of the file contents); very useful to quickly see where any given code block ends
  • Git: Execute git commands directly from Sublime through easy-to-use contextual menus
  • Git Gutter: Show an icon in the gutter indicating whether a line has been inserted/modified or deleted (checked against HEAD by default)
  • SidebarGit: Add Git commands in the sidebar context menu
  • ApplySyntax: Detect file types and apply the correct syntax highlighting automatically
  • Alignment: Easily align multiple selections and multi-line selections
  • AutoFileName: Automatically complete filenames; very useful when referring to project files (e.g., src for an image tag, file name for a CSS import, …)
  • TrailingSpaces: Easily see/remove trailing whitespace (if you’re crazy like me about small details). Check out the options here
  • SublimeLinter: A plugin that provides a framework for linting code in Sublime. Basically this one is a pre-req for some neat plugins (see below). Check out the docs for more information
  • FileDiffs: Show diff between current file or selection(s) in the current file, and clipboard, another file or unsaved changes
  • SidebarEnhancements: Better sidebar context menu
  • ExpandTabsOnSave: Automatically convert tabs to spaces (or the other way around, depending on your indentation settings)
  • Open Folder: Add an ‘Open folder’ option to the sidebar context menu
  • Pretty JSON: Prettify JSON, validate JSON, etc
  • Indent XML: Fix XML and JSON files indentation
  • JSONLint: JSON linter; checks JSON files for errors and displays them in context
  • EditorConfig: Useful to respect the editorconfig file (.editorconfig in the project) which defines a common configuration for text editors
  • Dockerfile Syntax Highlighting: Add syntax highlighting for Dockerfiles

Web development

  • Emmet: Add zen-coding support to Sublime. (e.g., write div*2>span.cool*5 then hit TAB). Emmet is awesome (note that plugins exist for various editors, not only Sublime). Emmet allows me to quickly generate a ton of HTML code without wasting time
  • TypeScript: Add syntax highlighting and autocompletion for TypeScript code
  • JSCS: Check JS code style using node-jscs. To be able to use this you first need to install NodeJS, NPM then JSCS (npm install -g jscs). Check this link out for the complete list of rules that you can configure. Here’s an example from my latest project
  • JSCS-Formatter: Format JS code based on the JS code style that you’ve configured for your project (i.e., through the .jscsrc file) which is pretty neat
  • SublimeLinter-jshint: JSHint linter for SublimeLinter. Shows you what’s wrong with your JS code (requires SublimeLinter)
  • SublimeLinter-csslint: CSS linter for SublimeLinter. Shows you what’s wrong with your CSS code (requires SublimeLinter)
  • SublimeLinter-annotations: Make TODOs FIXMEs etc stand out (requires SublimeLinter)
  • Sass: Sass support for Sublime. Adds syntax highlighting and tab/code completion for Sass and SCSS files. It also has Zen Coding shortcuts for many CSS properties
  • SCSS snippets: Additional SCSS snippets (use tab for autocompletion)
  • CSS3: Add CSS3 support. This plugin includes draft specs and provides autocompletion for each and every CSS3 property. It also highlights bad/old CSS
  • Color Highlighter: Highlight hexadecimal color codes with their real color. Here’s a small tip; in the plugin configuration (ColorHighlighter.sublime-settings), it’s possible to enable permanent color highlighting, which I find particularly convenient: { "ha_style": "filled" }
  • Color Picker: What the name says ;-)
  • Autoprefixer: Add CSS vendor prefixes. This plugin is useful for small prototypes but is otherwise better done through a build process (e.g., using Gulp)
  • HTML5: Snippets bundle for HTML5. Useful to add HTML5 tags/attributes (e.g., type <time then hit TAB)
  • JavaScript Snippets: JavaScript snippets: useful to quickly write JS code
  • AngularJS: AngularJS code completion, code navigation, snippets
  • jQuery: jQuery syntax highlighting and autocompletion (snippets)
  • DocBlockr: Add support for easily writing API docs

Visual candies

  • Seti_UI: Awesome theme with custom icons for file types
  • Schemr: Color scheme selector. Makes it easy to switch color schemes
  • Themr: UI theme selector. Makes it easy to switch themes
  • Dayle Rees colour schemes: A ton of color schemes (.. that I’ll probably never use now that I have Seti_UI :p)

As I’ve explained in previous posts, I’m now busy with the creation of a new version of this website using more modern technologies.

With my current set of Sublime Text plugins, I now almost have a full-featured Web-development-oriented IDE at my disposal. For my current/specific development needs, JetBrains’ WebStorm (commercial IDE) is actually a better alternative (it supports much of what the plugins above bring and has its own plugin repository) but it’s overkill to use it as my all-around text editor and my wife probably won’t appreciate the 50$/y license cost (even though very reasonable) :)

For casual text editing, quick prototyping etc, Sublime Text wins hands down given how fast it starts and how reactive it is overall.

Note that there is another interesting editor called Atom. Atom has been developed by GitHub and is free and open source. Its engine is based on Web technologies (I assume WebKit, Chromium or the like) which is great for hackability and it is gaining a lot of momentum (it has already >2K plugins). I think that it’s still a bit young so I’ll check back in a year or two.. but don’t take my word for it. Try it out and don’t hesitate to tell me if you think it’s actually better than Sublime (and why) =)