gozilla/notes.txt at master · votezilla/gozilla · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
Great article on writing demographic questions!: https://www.surveygizmo.com/survey-blog/how-to-write-better-demographic-questions/
Pew Research:                                  http://www.pewresearch.org/files/2015/03/Demographic-Questions-Web-and-Mail-English-3-20-2015.pdf


// How to show a hidden image when an anchor is hovered over.

display none after hoverJavascript By Depressed Duck on Feb 24 2020
$('.info').hover(function() {
    $(this).fadeTo(1,1);
},function() {
    $(this).fadeTo(1,0);
});
Source:stackoverflow.com
0
hover over something to make html visibleHtml By Combative Camel on Mar 24 2020
div {
    display: none;
}

a:hover + div {
    display: block;
}


// Install WLT
// Install Docker on Ubuntu 16
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-16-04

// Fix for "gpg: can't connect to the agent: IPC connect call failed"
sudo apt remove gpg && sudo apt-get update -y && sudo apt-get install -y gnupg1


=======================================================================
==                                                                   ==
==                          SECURITY NOTES                           ==
==                                                                   ==
=======================================================================

Form Validation:
Probably won't do this, but cool
zip code regex: [0-9]{5}
Country code: <input type="text" name="country_code" pattern="[A-Za-z]{3}" title="Three letter country code">


Idea:
can use frame within div for swooshing login pop-ups

Preventing XSRF:

OK KEEP IT SIMPLE:
*) ?: this can be simplified by just using the secure cookie, no Session database at all!
*) onLoseFocus should delete secure cookie, onGainFocus should renew it, via JavaScript:
	http://www.elated.com/articles/javascript-and-cookies/
	https://stackoverflow.com/questions/7389328/detect-if-browser-tab-has-focus
*) Javascript to warn them when they're going to be logged out.
5) Setup HTTPS!!!  (Easy - http://www.kaihag.com/https-and-go/ )
6) Can test XSRF security with two votezillas running on different servers (without HTTPS)
7) I'm not a bot
8) How to secure postgres:
	https://www.digitalocean.com/community/tutorials/how-to-secure-postgresql-on-an-ubuntu-vps

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Verifying Same Origin with Standard Headers
There are two steps to this check:

Determining the origin the request is coming from (source origin)
Determining the origin the request is going to (target origin)


The Source Origin check recommended here relies on three of these protected headers: Origin, Referer, and Host,
making it a pretty strong CSRF defense all on its own.


To identify the source origin, we recommend using one of these two standard headers that almost all requests include one or both of:

Origin Header
Referer Header


If the Origin header is not present, verify the hostname in the Referer header matches the target origin. Checking the Referer is a commonly used method of preventing CSRF on embedded network devices because it does not require any per-user state. This makes Referer a useful method of CSRF prevention when memory is scarce or server-side state doesn't exist. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state which is required to keep track of a synchronization token.

In both cases, just make sure the target origin check is strong. For example, if your site is "site.com" make sure "site.com.attacker.com" doesn't pass your origin check (i.e., match through the trailing / after the origin to make sure you are matching against the entire origin).


If Origin is missing (i.e. behind a proxy), can use X-Forwarded-Host.


Once you've identified the source origin (from either the Origin or Referer header), and you've determined the target origin, however you choose to do so, then you can simply compare the two values and if they don't match you know you have a cross-origin request.


* Use the session in addition.

=======================================================================
==                                                                   ==
==                          COUNTRY DATA                             ==
==                                                                   ==
=======================================================================
/*
		Countries with cities - all

		List of cities by country: // https://en.wikipedia.org/wiki/Lists_of_cities_by_country

		Countries with states:     // https://en.m.wikipedia.org/wiki/Federated_state

		Countries with Postal Codes: // https://www.ups.com/worldshiphelp/WS16/ENU/AppHelp/Codes/Countries_Territories_Requiring_Postal_Codes.htm
*/