Block website during maintenance except for testers - redirect

I would like to block the access to my website while I make changes to it. But I want some selected people and myself to have access to do tests. I found this method which is good (http://25yearsofprogramming.com/blog/20070704.htm), except for the fact it is based on ip addresses (I don't know the ips of everyone and can't ask).
How can I do the following:
- redirect all urls to a page like maintenance.php
- on that page, there is a form that people can use to enter a code
- if the code is valid, the redirection stops and they have access to the website normally
Thanks

If you dont want to use ip addresses you can setup htaccess with passwords for the your testers and everybody else will be redirected.
This site can help you with that: http://tools.dynamicdrive.com/password/

Related

Are URLs in emails indexed by search engines so they become publicly searchable?

I have read a few questions on here about e-mail clients prefetching URLs in e-mails. An answer to this seems to be to add a new confirmation page, where the user has to click a button to confirm the desired action.
But, this answer states the following:
As of Feb 2017 Outlook (https://outlook.live.com/) scans emails
arriving in your inbox and it sends all found URLs to Bing, to be
indexed by Bing crawler.
This effectively makes all one-time use links like
login/pass-reset/etc useless.
(Users of my service were complaining that one-time login links don't
work for some of them and it appeared that BingPreview/1.0b is hitting
the URL before the user even opens the inbox)
Drupal seems to be experiencing the same problem:
https://www.drupal.org/node/2828034
My major concern is with this statement:
As of Feb 2017 Outlook (https://outlook.live.com/) scans emails
arriving in your inbox and it sends all found URLs to Bing, to be
indexed by Bing crawler.
If this is the case, any URL in an e-mail meant to confirm an action, e.g. confirming a login, subscription, or unsubscription, can end up searchable in a search engine, if that's whats meant by indexed in the quote above. In this case, it's Bing. Not even a dedicated confirmation page where the user confirms the desired action truly mitigates this.
Scenario #1
If I email the user a login link with a one-time token in the URL, that URL will end up in Bing. This token will have a short lifetime, lets say 5 minutes, so I doubt anyone will manage to search on Bing and find the URL before the user clicks it or it expires.
Scenario #2
The user gets an e-mail with a link to confirm a subscription. This link is perhaps valid for 24 hours. This might(?) be long enough for someone else to stumble over the link on a search engine and accidentally (or on purpose) confirm the subscription on behalf of the user.
Scenario #2 is not uncommon, it's even best practice to use double opt-in as far as I am aware.
Scenario #3
Unsubscribe URLs in the bottom of newsletters. Maybe valid for forever? You don't want this publicly searchable in an search engine.
Assume all the one-time confirmation links land on a confirmation page where the user confirms the desired action.
Is it truly the issue that URLs in e-mails are indexed by search engines, at least Bing? And will they actually end up publicly searchable? If not, what is meant by indexed in the quote above?
I'll add for the sake of completion that I don't think I've had much of a problem with this in my own use of the web, so my gut feeling is that this is unlikely the case.
Is it truly the issue that URLs in e-mails are indexed by search engines, at least Bing?
I can't definitely say if they are being indexed or not, only Bing could answer this question, but they are surely being visited, at least with a simple GET request. I just tested this sending myself a link to a page on my website that logs the requests that are made against it, and indeed I'm seeing a GET coming from 207.46.13.181 (reverse DNS says msnbot-207-46-13-181.search.msn.com), which suggests that an automated program from search.msn.com is crawling the link. This leads me to believe that yes, they are trying to index the link's content somehow, but it's only my opinion really.
And will they actually end up publicly searchable? If not, what is meant by "indexed" in the quote above?
Well, again, impossible to say unless you work for Bing. In any case, "indexing" means exactly what you think it does: parsing the content of a page to potentially include it in search results.
The real question here is: does this somehow represent a security problem or will it compromise my website's functionality?
It surely has the potential to: if your confirmation/reset/subscription/whatever process only relies on a single GET request with the appropriate GET parameter, then you should definitely revisit the strategy, as it obviously allows anyone to perform the action (even maliciously for example enumerating possible IDs for your GET parameters).
If the link you are trying to send contains sensible information or can be used to alter important data for an user of your website, then you should at least put it behind a login page only giving access to the interested user. This way, anyone who wants to access it (including search engines) will be redirected to a login page if not already logged in.
If the link you are trying to send is just some kind of harmless confirmation link (e.g. subscribe/unsubscribe from a newsletter), then at least use a form inside the web page to do the actual confirmation through a POST request (possibly also using a CSRF token), otherwise you will unequivocally end up with false positives.

Do we still need to use "having trouble with this link/button" copiable URLs in emails?

Every here and there we see an email with a cool CTA button or a handy link in the middle of the copy, but shortly after it there's the full URL (usually ugly), in case "you have trouble clicking the link above".
Is that still a thing nowadays?
Are there (which ones?) email clients that completely disable HTML links, forcing the user to copy and paste the said URL in their browser?
Example:
<p>Bla bla email copy</p>
Click here!
<em>(if you have trouble with this button, copy and paste this URL: http://example.com)</em>
PS: I'm not talking about text/plain emails here, obviously they'll have their own way to present URLs :)
I guess this is more of a business question, usually for a business is really important that the user get the information it's requesting. May it be a password recovery, registration link or any other that may have an impact on active users at the system. Those emails are likely to be automated and the user can't ask for help if the link doesn't work.
Regarding the email clients, that goes beyond it, there are some anti spam/virus like MailScanner that can replace/break a hidden link if it finds that maybe harmful or try to obfuscate the real link. (Usually when not proper configured or when it finds a real phishing etc...)
But like I said, how important is to your business,that this user can access the right link? (via button, hard code link or whatever)
Hope that helps! =]

301 Redirect with limited access to site

I've recently developed a new website for a local charity that organises an annual sporting event. With the event coming up in a few weeks we approached the previous/existing 'dev' company to either redirect the domain to the new site/server or transfer the domain to us.
This other 'company' is refusing to do anything, simply because they want to force the charity to stay with them, so that they get good local publicity.
So, we've purchased a new domain for the site but need to redirect the old site to the new one. Unfortunately the system the old web company uses is very poor and cumbersome. It also only give us access to files which form the content of a given page. It doesn't however give us any access to the site template / style elements of the site, nor does it give us access to things like .htacess file(s).
So, at the moment the best I've come up with is using the existing systems single input for the site description, to force in a meta refresh that will bump users over to the new domain/site. However, this isn't going to result in a permanent 301 redirect for users or search engines.
As such, I'm desperately hoping to come up with a way to force a 301 for all pages without directly accessing every page content file and manually adding in some sort of redirect.
Due to some crappy sitewide one size fits all unescaped metatag implementation, I was able to inject an additional metatag with a redirect to the new domain.

Google apps - Naked alias redir

I've www.somedomain.com.uy and somedomain.com.uy. Because i use google apps for this domain on my google app panel, i've setup a naked redir from somedomain.com.uy to www.
So, what i currently have is on Domains tabs are:
somedomain.com.uy (primary domain). With the naked redirect set to www.somedomain.com.uy
somdomain.uy. (alias domain)
On my google app panel, i went to Add domain, and added www.somedomain.uy to my app.
As i result of all this, i can access this application from:
somedomain.com.uy
www.somedomain.com.uy
www.somedomain.uy
As i said, im not able to access just using the plain and simple: somedomain.uy: Trying this results on: 404. That’s an error. (the google message).
I can't find a way to fix this and my question is: is there a way to setup a naked domain redirection to an alias domain? Or any other ideas about how can i make it work?
Thanks for reading, and excuse my simple english.

Google Analytics - can it collect form data?

Simple scenario:
I have a signup form, with user name, password, email address, may be credit card number.
At the bottom of the page, I implement the Google Analytics code.
when user clicks submit, it goes to a page wihtout google analytics.
question is..
can GA get the data (user naem, password..email..etc) in the first form after user input the data?
Do they say anything about it in their TOS or Privacy policy?
Yes. Any <script> you include in the page has complete access to alter the user's interaction with the site due to the Same Origin Policy. Google, if they were feeling Evil today, could certainly rewrite the action of your <form> to point to themselves, or log every keypress, or create an <iframe> containing another page on your site and simulate the user clicking on any action in that page.
Do not include <script> on any page from a party you don't completely trust with the security of everything on your site. Even a single tracking or advertiser script on any page compromises everything on the same hostname (and maybe other subdomains if you are setting window.domain to allow cross-hostname-scripting, or sharing cookies between hostnames).
However, the Analytics script doesn't currently do any of these things and the form submission will not flow to Google as a matter of course; they would have to deliberately act to steal the data. Clearly it would be disastrous for them to be discovered doing it, so they presumably won't. But technically, they could. It always pains me to see third-party ad and tracking scripts on bank sites.
UPDATE: The landscape has changed quite a bit over the years since my original answer below was written: the scripts are now generally served (or at least have the option to be fetched) over HTTPS, so those scripts should be secure against the trivial man-in-the-middle attacks. However, you are still trusting the script source not to do malicious stuff in your page, since they still get to fully control what happens on your web page.
Original answer:
Yes. I recommend against putting any third party script on sensitive pages secured by SSL. It's not likely that Google is going to hijack sensitive data on your page but you should take into account the possibility that a malicious ISP can hijack the request (say, using DNS) to Google Analytics script and do whatever it wants on your page.