web hosting – What webserver could I use to serve a rotatin set of images–no client-side code

I’d like to server pseudo static files (well… I already am) to be referenced by any type of client using only its URL and have the server pick a different one each time, date/time, or any other arbitrary criteria. The more ridiculous the better but I’ll settle for just having the option.

What webserver could allow such function? The current server I’m using for static files is a premade appliance-type that can use either NGINX or Apache’s httpd on a per-virtual-host basis. Both server software support PHP, probably some other framework too, but most of the virtual hosts are set for httpd without PHP because they’re static files. It does serve S3 buckets (MinIO) so I feel hopeful it’ll work. I’ve also have IIS 10 servers available, also, all traffic goes through HAProxy that injects cache control headers. Against my will, I’ve been collecting a little experience with uWSGI too (I deployed a searx instance recently) so I’m open to anything. 🙂

If I could add some module or something to the existing server that’s be awesome, but I’m OK deploying a new server if need be. My knee-jerk reaction was to create a virtual directory named after the file to server, then modify the index lookup to serve the files I want with .htaccess files or something. I hadn’t even reached the server when I realized there was at least a dozen things wrong with that idea that I came here instead.

BTW–I can make out the syntax of code without and IDE and put two and two together to fix problems on occasion but I’m no programmer, I wouldn’t know how to Hello world! to save my life, please keep it low tech and thanks!

key management – Handling API keys for client-side app with cloud key vault

I would like to hear about the security implications of my desktop app’s current API usage workflow:

  1. Client-side WPF desktop app connects to Azure Key Vault, a cloud vault, by authenticating via a self-signed certificate packaged and distributed with the app’s installer.
  2. Client app retrieves the API key and the key is assigned to a declared runtime object.
  3. Client app uses the key value to make the required GET requests.
  4. Client app closes with Application.Current.Shutdown().

Not well-versed in security myself, but I wondered:

  • Is distributing self-signed certs a risky practice? Ie. others may create a clone app with it
  • Can others potentially hack into the client during runtime and access the key?
  • Potentials for man-in-the-middle attacks to intercept keys when retrieving from vault?

Keen to hear expert thoughts about the above and other ideas.
I can’t think of another way to make the GET request directly from client-side.

javascript – Is XSS by html event injection a problem in this client-side sanitization?

I’m making my own client-side router which dynamically requests html pages from Firebase hosting, and the website uses Cloud Firestore with secure rules. Is there any XSS HTML event js injection danger like so:

<button onClick = "alert('Some harmful stuff is happening')">Click me!</button>

If I implement a client-side sanitizer, and is there any danger in general even if I don’t sanitize incoming pages since all requests are same origin?

roblox – How do I run a client-side script on a game that’s not mine?

I need to run an exploit script, but I won’t get caught, because it’s not for cheating. What’s the best exploit script runner for mac?

The client-side script is:

for i, v in pairs(game:GetDescendants()) do
    if v:IsA("Sound") then
        print(v.SoundId)
    end
end 
game.DescendantAdded:Connect(function(Obj)
    if Obj:IsA("Sound") then
        print(v.SoundId)
    end
end

I need to run it.

How?

Oneplus 6 failing to install personal client-side certificates

I have a rooted Oneplus 6 running Oxygen OS and I am trying to install a personal certificate onto my phone to act as verification for my web server. I have a CA that I use to sign the certificates that are used to authenticate the user. The issue is that when I try to install my personal certificate (via Settings->Security->Encryption->Install from Storage), it does not appear in the ‘User Credidentials’ section and apps don’t have access to it either. It does take me through the ‘enter password’ and ‘name certificate’ gui.

If I try to install it from X-plore file manager, after going through the ‘enter password’ etc. gui, it says ‘Failed to install certificate’ in the bottom of my screen and alas does not appear in my ‘User Credentials’ section. The ‘Failed to install certificate’ doesn’t happen if I try to install it via settings.

I have successfully installed the CA certificate I used to sign my personal certificate on my device using instructions from here and it appears in the ‘Trusted Credentials’ section.

My certificate has a 8192 bit long modulus and I am using android 10.

How can I get my personal certificate to install?
Thanks in advance 🙂

google chrome – SLL issues in chromium browser clientside

So for the last couple of days I’ve been having a strange issue trying to navigate specifically to the Steam Community, in either Google Chrome or in the Steam Client itself.

Right after booting up windows 10 (1903) I can navigate in to the Steam Community just fine in any browser, but after an undermined amount of time, generally watching youtube, browsing and playing games, the steam community will become inaccessible to me due to an SLL.

Originally the error was:

NET::ERR_CERT_COMMON_NAME_INVALID Subject:
4kuhd.sonyentertainmentnetwork.com

Issuer: DigiCert SHA2 Secure Server CA

Expires on: Aug 5, 2020

Current date: May 8, 2020

This is very suspicious to me given that it is listing sony entertainment, to which I have no known associations.

Trying again today however I receive either ERR_SSL_PROTOCOL_ERROR or ERR_CONNECTION_RESET.

Regardless of this all, in Firefox and Edge I can access it just fine.
I have already cleared the SSL state repeatedly, and browsed it to see if I could find the described address, but I could not find any reference to it or steamcommunity.com.

Any idea why this might be happening, especially given that it happens only after a certain period after booting up?

website design – Why do modern websites frequently use client-side JSON blobs and build the web page in client-side JavaScript?

I have noticed something in the past few years. Instead of actually creating an HTML page, such as a data table, on the server and sending the finished HTML page, they now send a "minimum" (in a vast meaning of this word …) web page which executes a JavaScript which in turn loads in JSON blobs which it then analyzes in JavaScript, client side, to build a web page which is finally displayed on the ;user.

A side effect of this, intentional or not, is that it often makes it much easier for me to "recover" their data, since they only "empty" the fields of their internal customer database, even if ; they do not use all the fields themselves. In a way, it's like they're making it easy for people like me to automate things on my websites, when I have to constantly analyze complex, messy, and HTML code constantly evolving.

So even if I hate how silly it is from a logical / user point of view, as well as from a security point of view (depending on various factors), it is actually "good" sort of for me. I do not do it understand , because there is a lot more work on their part and overall extremely strange way of doing things.

Whenever I notice that an HTML page is "empty of content", I always open the network tab in Pale Moon and reload the page, then I see a "JSON" blob that I can to study. It’s weird. Is it almost like they are informally providing an "API" without mentioning it openly, but secretly winking / pushing us "powerusers"?

css – Compiling client-side scss to save on the network

This was first published on StackOverflow but has not received much attention, even with a bonus, so I post here.

I saw this example for an animated star background using css, and I noticed that the compiled css is significantly smaller in this case because the sass generates a thousand stars in a loop.

// n is number of stars required
@function multiple-box-shadow ($n) 
  $value: '#{random(2000)}px #{random(2000)}px #FFF'
  @for $i from 2 through $n
    $value: '#{$value} , #{random(2000)}px #{random(2000)}px #FFF'

  @return unquote($value)

This made me wonder, is it possible to generate said CSS on the client side? Wouldn't the savings on network bandwidth compensate for the (tiny) cost of generating CSS?

I couldn't find an example for such a use case, does compressing network traffic make this irrelevant?

network – Client-side prediction divergence with input packets and time differences | Multiplayer FPS

I'm having a problem implementing client-side prediction in my multiplayer FPS. I am not entirely sure that I fully and correctly understood the concepts. I have read Gambetta and Valve's articles, as well as several others.

What I am currently doing is sending customer feedback in the form of key presses and releases; the client sends when he presses "W", for example, and sends a packet once he has stopped pressing "W". The client then predicts the movement in a completely deterministic way. The server then sends a position of the packets to all clients and the client checks for a discrepancy and corrects it.

I now run into the problem if the time between the incoming packets at the start differs from the time between the incoming packets at the arrival, this will inevitably lead to small errors and massive discrepancies over the time because the server will think that the client has pressed a key for more or less time than it actually has it. I haven't seen anyone mention this, so I wonder if what I'm doing is right.

Another problem I see with this approach is that the client sends rotation updates to the server at 64 Hz (my tick rate). This will, of course, result in small differences in rotation between the server and the client at specific times. Since movement depends on the player's orientation / rotation, client-side prediction errors will inevitably occur.

One way I thought this might solve the first problem, would be to send timestamps with the input packets and have the rewind positions of the server and compensate for inaccuracies in delay. Before continuing, I seek confirmation that what I am doing is right.

Any help would be appreciated! Thank you!

client-side rendering – SharePoint 2013 DataSheet View makes column mandatory

I am currently trying to make a specific column mandatory in SharePoint datasheet mode.
SharePoint default validation at the column or list level is NOT an option.

I already have the code to verify the correct GUID of the view and so on, but I can't find any indication on how to make a specific column mandatory in a specific view.

I would be happy if I could insert the JS later at the Masterpage level, but it would also be nice if it works via js Link.

I have been trying for days now but I can't find the right point ….

I hope it is understandable of what I am trying to do.