I AM LISTENING TO
|
WAS ICH LIEBE
  • en
  • de
BLOG FILTER

Development today relies on multiple teams, services, and environments all working in unison. A topic that always comes up, when setting up a new development environment: How do we secure important credentials, while not making it too complicated for the rest of the team?

The key when working with version control systems like Git, is to keep any type of credentials out of the versioning system. These can be API keys, database or email passwords.

Even if its a private repository, development environments might change. It can be a simple staging & live website setup you are maintaining.

.env Files for Environment Variables

The simplest way in PHP is to use .env files to store your credentials outside of the public accessible directory structure. So outside the public_html, but still within the reach of the executing environment to read it. Variables are accessible through $_ENV['yourVar'] or getenv("yourVar"), once included in your code.

To make it simple you can use the popular package vlucas/phpdotenv, which reads and imports the file automatically.

Don’t fool yourself, if an attacker finds a way into your system, these variables can be easily read. This is just hiding the file from public access and provides some convenience while developing or sharing code.

Encrypted .env files

Some people propose to encrypt / decrypt environment variables using a secret key. But if an attacker can access your data, he can also find the secret key.

There are some nice packages that offer just that. You have to decide if those fit your ammo.

  • The psecio/secure_dotenv library provides an easy way to handle the encryption and decryption of the information in your .envfile. @Github
  • johnathanmiller/secure-env-php – Env encryption and decryption library. Prevent committing and exposing vulnerable plain-text environment variables in production environments. The lib provides a nice guided interface to encrypt your .env file. @Github
  • beyondcode/laravel-credential – Add encrypted credentials to your Laravel production environment. You can edit and encrypt using php artisan credentials:edit. @Github

Apache Pull – setting environment variables

The Apache2 environment variables are set in the /etc/apache2/envvars file. These variables are not the same as the environment variables of your Linux system; they are stored and manipulated in an internal Apache structure.

The /etc/apache2/envvars file holds variable definitions such as APACHE_LOG_DIR (the location of Apache log files), APACHE_PID_FILE (the Apache process ID), APACHE_RUN_USERS (the user that run Apache, by defaultwww-data), etc.

You can open and modify this file in a text editor of your choice. This is nice, but far from simple and requires a server restart. This is something which helps you when hardening security on a live deployed setup.

There are dynamic approaches, but you can do some research for that yourself :) Skipped that rabbit hole for now …

Infrastructure Secret Management

Handling secrets completely detached is another possibility. This is surely an overkill for most cases, but using an Infrastructure Secret Management concept might be worth looking into, if you are working on bigger scale projects that involve multiple development teams and setups. These services also often deal with secret rotation.

HashiCorp Vault – „Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.“

You can deploy your own vault on your own infrastructure or test out a hosted version, which is free for Open Source projects. HashiCorp Vault

You will find a bunch of Hashicorp related packages that will help you to integrate a vault into your project workflow (scmrus/php-vault-env , poc-webapp-vault).

While this is nice, you will need to cache / store credentials somewhere, as you don’t want to query the vault on every single access.

The Hashicorp Vault is not the only Infrastructure Secret Management solution. There is a nice Github Gist that lists other solutions and a nice feature matrix.

Amazon also provides a solution called AWS Secrets Manager, which makes a lot of sense, when you build and deploy on AWS already :)

What a rabbit hole, once you start researching solutions :)
Have fun …

readmore

Gatsby is a free and open source framework based on React that helps developers build blazing fast websites and apps.

What they have to say

  • Go Beyond Static Websites. Get all the benefits of static websites with none of the limitations. Gatsby sites are fully functional React apps so you can create high-quality, dynamic web apps, from blogs to e-commerce sites to user dashboards.
  • Use a Modern Stack for Every Site. No matter where the data comes from, Gatsby sites are built using React and GraphQL. Build a uniform workflow for you and your team, regardless of whether the data is coming from the same backend.
  • Load Data From Anywhere. Gatsby pulls in data from any data source, whether it’s Markdown files, a headless CMS like Contentful or WordPress, or a REST or GraphQL API. Use source plugins to load your data, then develop using Gatsby’s uniform GraphQL interface.
  • Performance Is Baked In. Ace your performance audits by default. Gatsby automates code splitting, image optimization, inlining critical styles, lazy-loading, and prefetching resources, and more to ensure your site is fast — no manual tuning required.
  • Host at Scale for Pennies. Gatsby sites don’t require servers so you can host your entire site on a CDN for a fraction of the cost of a server-rendered site. Many Gatsby sites can be hosted entirely free on services like GitHub Pages and Netlify.

What I have to say …

While researching some popular static site generation tools, GatsbyJS comes up often. I have played with NuxtJS and Hugo in the past, but what I REALLY like about GatsbyJS is the plugin / modular system. You can build your website with plain-old React and CSS styles, but make your development more efficient by adding node_modules.

Also being able to import any data source with ease, using GraphQL, is amazing. And when it comes to content management, you can easily hook a headless WordPress or Drupal setup into the mix and consume their REST APIs :)

I am not switching my own website to GatsbyJS anytime soon, but its another tool in my toolbox for future project consideration !

There are many tutorials on Youtube about getting started, maybe something to consider for the next freetime testdrive ;) Enjoy …

GatsbyJS @ Github

readmore

Manet is a REST API server which allows capturing screenshots of websites using various parameters.

The Node.js server can use SlimerJS or PhantomJS as headless browser engines.

I have build similar with CasperJS, but this is far better for those that want a simple straight solution.

@GitHub

readmore

Rocket.Chat is am impressive Open Source Web Chat Platform, with a huge amount of features:

  • BYOS (bring your own server)
  • Multiple Rooms
  • Direct Messages
  • Private Groups
  • Public Channels
  • Desktop Notifications
  • Mentions
  • Avatars
  • Markdown
  • Emojis
  • Custom Emojis
  • Reactions
  • One touch Geolocation
  • TeX Math Rendering – inline math typesetting
  • Media Embeds
  • Link Previews
  • Sent Message Edit and Deletion
  • Transcripts / History
  • File Upload / Sharing
  • Scalable file sharing – S3 uploads with CDN downloads
  • Full text search
  • Live chat / Messaging call center
  • LDAP Authentication
  • CAS 1.0, 2.0 support for education institutions and hosting providers worldwide
  • Support for Okta SSO through SAML v2
  • I18n – Supports 22 Languages
  • Hubot Friendly
  • (Beta) Face to Face Video Conferencing (aka WebRTC )
  • (Beta) Multi-users Video Group Chat
  • (Beta) Jitsi integration
  • Audio calls
  • Multi-users Audio Conference
  • Screensharing
  • ….. more

Rocket.Chat

readmore

  1. Simple – Create expresive interactive bots without dealing with the low level details.
  2. Event Based – Our event based system allows to easily chain and combine actions together.
  3. Flexible – Use Components from the Ecosystem to add additional capabilities to your bot.
  4. Familiar – Built ontop of proven technolgies Node.js, Javascript and Express.js

Clients: Facebook Messenger, Twillio, Twitter, WebSocket :)

Bottr@Github

readmore

Manet is a REST API server which allows capturing screenshots of websites using various parameters. It is a good way to make sure that your websites are responsive or to make thumbnails.

GitHub

readmore

A Real Time Chat Application built using Node.js, Express, Mongoose, Socket.io, Passport, & Redis.

  • Uses Express as the application Framework.
  • Manages Sessions using express-session package.
  • Authenticates via username and password using Passport.
  • Passwords are hashed using bcrypt-nodejs package.
  • Social Authentication via Facebook and Twitter using Passport.
  • Real-time communication between a client and a server using Socket.io.
  • Uses MongoDB, Mongoose and MongoLab(mLab) for storing and querying data.
  • Stores session in a MongoDB using connect-mongo; a MongoDB-based session store.
  • Uses Redis as an Adapter for Socket.io.
  • Logging Errors and Exceptions using Winston.

Chat.IO

readmore

iFramely offers a hosted and open source solution to serve your own HTTP API for responsive web embeds using Node.js.

„The API covers well over 1800 domains through 200 custom domain plugins and generic parsers for oEmbed, Open Graph and Twitter Cards…“

iFramely
How To host your own

readmore

Log.io provides real-time log monitoring in your browser (node.js + socket.io).

„Harvesters watch log files for changes, send new log messages to the server via TCP, which broadcasts to web clients via socket.io.

Log streams are defined by mapping file paths to a stream name in harvester configuration.

Users browse streams and nodes in the web UI, and activate (stream, node) pairs to view and search log messages in screen widgets.“

GitHub

readmore

It does not have to be Slack all the time. Sometimes a self hosted open solution, is far more suited for the task ahead.

Let’s Chat is a persistent messaging application that runs on Node.js and MongoDB. It’s designed to be easily deployable and fits well with small, intimate teams.“

  • BYOS (bring your own server)
  • Persistent messages
  • Multiple rooms
  • Private and password-protected rooms
  • New message alerts / notifications
  • Mentions (hey @you/@all)
  • Image embeds / Giphy search
  • Code pasting
  • File uploads (Local / Amazon S3 / Azure)
  • Transcripts / Chat History (with search)
  • XMPP Multi-user chat (MUC)
  • 1-to-1 chat between XMPP users
  • Local / Kerberos / LDAP authentication
  • Hubot Adapter
  • REST-like API
  • Basic i18n support
  • MIT Licensed

GitHub

readmore