ANGM AngularJS Yeoman Generator

An AngularJS Yeoman generator that helps you get started with a new project based on AngularJS with Angular Material or Bootstrap, for building large-scale applications.

See the link below for the Angm Yeoman generator for AngularJS:

https://github.com/newaeonweb/generator-angm#readme

Adding an existing project to GitHub using the command line

Putting your existing work on GitHub can let you share and collaborate in lots of great ways.

If you are migrating your project from CodePlex, read the migration guide for more information.

  1. Create a new repository on GitHub. To avoid errors, do not initialize the new repository with README, license, or gitignore files. You can add these files after your project has been pushed to GitHub.
  2. Open Terminal.
  3. Change the current working directory to your local project.
  4. Initialize the local directory as a Git repository.
    git init
    
  5. Add the files in your new local repository. This stages them for the first commit.
    git add .
    # Adds the files in the local repository and stages them for commit. To unstage a file, use 'git reset HEAD YOUR-FILE'.
    
  6. Commit the files that you’ve staged in your local repository.
    git commit -m "First commit"
    # Commits the tracked changes and prepares them to be pushed to a remote repository. To remove this commit and modify the file, use 'git reset --soft HEAD~1' and commit and add the file again.
    
  7. At the top of your GitHub repository’s Quick Setup page, click the copy button to copy the remote repository URL.
  8. In Terminal, add the URL for the remote repository where your local repository will be pushed.
    git remote add origin <remote-repository-URL>
    # Sets the new remote
    git remote -v
    # Verifies the new remote URL
    
  9. Push the changes in your local repository to GitHub.
    git push origin master
    # Pushes the changes in your local repository up to the remote repository you specified as the origin

    Link:-

    https://help.github.com/articles/adding-an-existing-project-to-github-using-the-command-line/

How to add a Subdomain in GoDaddy and Azure

1. Log in to GoDaddy and create a CNAME record.
Note:-
HOST – should be your subdomain.
POINTS TO – should be the Azure hostname that Azure generated for the web application.

2. Log in to Azure, open the web application, click “Custom Domains”, then click the “Add HostName” button.

3. Enter your subdomain name together with the main domain name.
Note:-
Subdomain – freshworks
Main domain – freshgrc.com, which was bought from GoDaddy; many subdomains are added under this main domain.

4. Click the “Validate” button. After a short time the Host/Domain availability check should show a green tick mark.

5. Click the “Add Host Name” button and the subdomain is added automatically.

Security Testing for Web Applications

Security Testing:-

CSRF:-

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

1. Preventing CSRF requires three things:

1.1 Make sure your forms use POST (already done)

1.2 Make sure your site is not vulnerable to XSS (need to do)

1.3 Make your forms use a CSRF key (already done)

I agree with the other two; this could be done on the browser side, but it would make it impossible to perform authorized cross-site requests. Anyway, a CSRF protection layer could be added quite easily on the application side (and maybe even on the web-server side, to avoid making changes to pre-existing applications) using something like this:

A cookie is set to a random value, known only to the server (and, of course, the client receiving it, but not a third-party server).

Each POST form must contain a hidden field whose value must be the same as the cookie’s. If not, form submission must be prevented and a 403 page returned to the user.
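The two-step scheme above, as an added example in plain Ruby (not code from the original post): the module and method names are assumptions, and plain hashes stand in for the framework’s cookie and parameter objects.

```ruby
require "securerandom"

# Added example (not from the original post): a minimal double-submit CSRF
# guard following the two steps described above. CsrfGuard and its method
# names are assumptions; `cookies` and `params` are plain hashes standing in
# for the framework's request objects.
module CsrfGuard
  COOKIE = "csrf_token"
  FIELD  = "_csrf"

  # Step 1: set the cookie to a random value known only to the server and the
  # client that receives it. Returns the token so the view can embed it.
  def self.issue(cookies)
    cookies[COOKIE] ||= SecureRandom.hex(32)
  end

  # Hidden field to place inside every POST form (token is hex, so HTML-safe).
  def self.hidden_field(token)
    %(<input type="hidden" name="#{FIELD}" value="#{token}">)
  end

  # Step 2: on a POST, the hidden field must equal the cookie. The comparison
  # runs in constant time so a mismatch does not leak the token byte by byte.
  def self.valid?(method, cookies, params)
    return true unless method.to_s.upcase == "POST" # only state-changing requests
    cookie = cookies[COOKIE].to_s
    field  = params[FIELD].to_s
    return false if cookie.empty? || field.empty?
    secure_equal?(cookie, field)
  end

  # Outcome for the request: 200 when the token matches, otherwise the 403
  # page described above.
  def self.check(method, cookies, params)
    valid?(method, cookies, params) ? [200, "OK"] : [403, "Forbidden: CSRF token mismatch"]
  end

  # Constant-time string comparison (length check first, then OR of XORs).
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

In a Rails application, protect_from_forgery with the authenticity token already performs this kind of check; the block exists to make the mechanism visible and testable on its own.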

https://codeutopia.net/blog/2008/10/16/how-to-csrf-protect-all-your-forms/

CSRF, or Cross-Site Request Forgery, is a vulnerability very common in websites. In short, it means that if you have your site at foo.com, an attacker at badguy.com can display a form similar to one of your site’s and make users on his site submit forms to your site, possibly without their knowledge.

https://codeutopia.net/blog/2007/09/25/preventing-cross-site-scripting-attacks/

For example, if your blog comment box allows users to write JavaScript snippets that aren’t escaped in any way by the server and are run, it’s most likely vulnerable to an XSS attack.

Solution:-

Convert special characters to HTML entities

http://damon.ghost.io/killing-cors-preflight-requests-on-a-react-spa/

X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Clickjacking attack:-

Many websites display ads inside an iframe.

An attacker can use an iframe in the same way to trick the user into a malicious page: the framed content looks genuine, but the user is actually being led to a malicious page or site.

To check for this issue, see the links below.

Link:-

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

https://geekflare.com/add-x-frame-options-nginx/

https://laracasts.com/discuss/channels/forge/how-to-configure-nginx-to-send-x-frame-options-header-as-a-forge-recipe

There are three possible directives for X-Frame-Options:-

X-Frame-Options: DENY

X-Frame-Options: SAMEORIGIN

X-Frame-Options: ALLOW-FROM https://example.com/

Content Security Policy:-

Content Security Policy is a W3C specification that lets a site instruct the client browser from which locations and/or which types of resources may be loaded. To define a loading behaviour, the CSP specification uses “directives”, where a directive defines the loading behaviour for one target resource type.

Directives can be specified using an HTTP response header (a server may send more than one CSP header field with a given resource representation, and may send different CSP header values with different representations of the same resource or with different resources) or an HTML meta tag. The following HTTP headers are defined by the specs:

  • Content-Security-Policy : Defined by W3C Specs as standard header, used by Chrome version 25 and later, Firefox version 23 and later, Opera version 19 and later.
  • X-Content-Security-Policy : Used by Firefox until version 23, and Internet Explorer version 10 (which partially implements Content Security Policy).
  • X-WebKit-CSP : Used by Chrome until version 25.


More Details:-

Link:-
https://www.owasp.org/index.php/Content_Security_Policy

Configure your web server to include an X-Frame-Options header. Consult Web references for more information about the possible values for this header:-

Note:-

https://www.owasp.org/index.php/Content_Security_Policy

https://content-security-policy.com/

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

https://developers.google.com/web/fundamentals/security/csp/ (Use case #3: SSL only)
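A way to check a server for the two headers covered above (the three X-Frame-Options directives and the standard versus legacy CSP header names), as an added example that is not part of the original post: the function names and the sample responses are constructed for illustration.

```ruby
# Added example (not from the original post): audit a raw HTTP response for
# the headers discussed above. It checks that X-Frame-Options carries one of
# the three directives and that a CSP header is present under the standard
# name (legacy X- names alone are reported). Function names and the sample
# responses below are constructed for illustration.
XFO_DIRECTIVES = /\A(DENY|SAMEORIGIN|ALLOW-FROM\s+\S+)\z/i
CSP_HEADERS    = %w[content-security-policy x-content-security-policy x-webkit-csp]

# Parse "HTTP/1.1 200 OK\r\nName: value\r\n...\r\n\r\n<body>" into a hash
# keyed by lowercase header name (header names are case-insensitive).
def parse_headers(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first.to_s
  head.lines.drop(1).each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    next if value.nil?
    h[name.strip.downcase] = value.strip
  end
end

# Returns a list of findings; an empty list means both protections are set.
def audit_headers(raw)
  h = parse_headers(raw)
  findings = []
  xfo = h["x-frame-options"]
  if xfo.nil?
    findings << "X-Frame-Options missing: the page can be framed by other sites (clickjacking)"
  elsif xfo !~ XFO_DIRECTIVES
    findings << "X-Frame-Options value #{xfo.inspect} is not DENY, SAMEORIGIN or ALLOW-FROM <uri>"
  end
  if CSP_HEADERS.none? { |n| h.key?(n) }
    findings << "No Content-Security-Policy header (standard or legacy X- name)"
  elsif !h.key?("content-security-policy")
    findings << "Only legacy CSP header names are set; add Content-Security-Policy"
  end
  findings
end

# Constructed sample: a hardened response.
HARDENED = "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: SAMEORIGIN\r\n" \
           "Content-Security-Policy: default-src 'self'\r\n\r\n<html></html>"
# Constructed sample: a default response carrying neither header.
BARE = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __FILE__ == $PROGRAM_NAME
  { "hardened" => HARDENED, "bare" => BARE }.each do |label, raw|
    findings = audit_headers(raw)
    puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```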

/etc/nginx/sites-available/default:- Only Specified Domain and Sub Domain Restriction

server {
    listen 80;
    listen [::]:80;

    # Restrict all resource types to this site, its apex domain and its subdomains
    # (host sources are not quoted; only keywords such as 'self' take quotes):
    #add_header Content-Security-Policy "default-src 'self' grc4smb.com *.grc4smb.com;";

    # Note: http: allows any plain-http origin and 'unsafe-inline' permits inline
    # scripts and styles, which weakens the XSS protection CSP is meant to give.
    add_header Content-Security-Policy "default-src http:; script-src http: 'unsafe-inline'; style-src http: 'unsafe-inline'";
    add_header X-Content-Security-Policy "default-src http:; script-src http: 'unsafe-inline'; style-src http: 'unsafe-inline'";
    add_header X-WebKit-CSP "default-src http:; script-src http: 'unsafe-inline'; style-src http: 'unsafe-inline'";
}

Only Specified Url Restriction:- sudo vim /etc/nginx/sites-available/default

server {
    listen 80;
    listen [::]:80;

    #add_header Content-Security-Policy "default-src 'self' grc4smb.com *.grc4smb.com;";

    # connect-src limits XHR/WebSocket/fetch targets to the listed origins
    add_header Content-Security-Policy "connect-src http://grc4smb.com http://*.grc4smb.com http://fixnix-freshgrc4531.cloudapp.net";
    add_header X-Content-Security-Policy "connect-src http://grc4smb.com http://*.grc4smb.com http://fixnix-freshgrc4531.cloudapp.net";
    add_header X-WebKit-CSP "connect-src http://grc4smb.com http://*.grc4smb.com http://fixnix-freshgrc4531.cloudapp.net";

    add_header X-XSS-Protection "1; mode=block";
}

Apply the following changes to prevent server version disclosure (the original recommendation refers to web.config for ASP.NET; the nginx equivalent is to turn off server_tokens and clear the Server header with the headers-more module):-

1. https://www.debian-tutorials.com/how-to-customize-server-header-using-nginx-headers-more-module

Install the nginx-extras package (which provides the headers-more module) like this:

$ sudo apt-get install nginx-extras

/etc/nginx/nginx.conf

http {
    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # Hide the nginx version in the Server header and on error pages
    server_tokens off;

    # headers-more module (nginx-extras): remove headers from every response.
    # Clearing Server, ETag, Date and Last-Modified hides fingerprinting details;
    # clearing Content-Type and Content-Length changes how clients handle the
    # body, so keep those lines only if the application really needs them.
    #more_clear_headers grc4smb.com;
    more_clear_headers "Content-Type";
    more_clear_headers "Accept-Ranges";
    more_clear_headers "Content-Length";
    more_clear_headers "Server";
    more_clear_headers "ETag";
    more_clear_headers "Date";
    more_clear_headers "Last-Modified";
    more_clear_headers "Connection";

    # ... remaining http settings ...
}

https://geekflare.com/nginx-webserver-security-hardening-guide/

It’s recommended to disable the OPTIONS method on the web server. The server currently advertises the following methods in its Allow response header:-

Allow: OPTIONS, TRACE, GET, HEAD, POST

Web Application Security

The default nginx configuration is not perfect and can leave many weaknesses in place, which is why we harden it.

Disable unwanted HTTP methods

Most of the time you need only the GET, HEAD and POST HTTP methods in your web application. Allowing TRACE or DELETE is risky: TRACE enables a Cross-Site Tracing attack that can potentially let an attacker steal cookie information.

  • Modify default.conf and add the following under the server block:

/etc/nginx/sites-available/default

    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 405;
    }

Remove or restrict access to all configuration files accessible from the internet:-

$ sudo chmod 400 Gruntfile.js

Restrict access to this directory or remove it from the website:-

drwxrwxr-x 4 freshgrcdomainfront freshgrcdomainfront 4096 Aug 9 10:52 src

$ sudo chmod 445 src/

dr-x------ 4 freshgrcdomainfront freshgrcdomainfront 4096 Aug 9 10:52 src

Investigate if it’s possible to reduce the response time for this page:-

GET /src/bower_components/angular-material/angular-material.js

How to deploy angular application in azure virtual machine


NodeJs:-
https://tecadmin.net/install-latest-nodejs-npm-on-ubuntu/

Nginx:-
https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-16-04

Virtual Machine Configuration:-
https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-virtual-hosts-on-ubuntu-16-04

SSL using Let’s Encrypt:-
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

How to install Nginx:-

Update the package index on Ubuntu/Debian:

$ sudo apt-get update

Install the Nginx web server with the following command:

$ sudo apt-get install nginx

Adjust the Firewall

We can list the application configurations that ufw knows how to work with by typing:

$ sudo ufw app list

The firewall should be enabled; check its state (and enable or disable it) with:

$ sudo ufw status    (sudo ufw enable / sudo ufw disable)

How To Set Up Nginx Server Blocks (Virtual Hosts) on Ubuntu 16.04

Set Up New Document Root Directories

$ sudo mkdir -p /var/www/example.com/html

We can use the $USER environment variable to assign ownership to the account that we are currently signed in on (make sure you’re not logged in as root). This will allow us to easily create or edit the content in this directory:

$ sudo chown -R $USER:$USER /var/www/example.com/html

The permissions of our web roots should be correct already if you have not modified your umask value, but we can make sure by typing:

$ sudo chmod -R 755 /var/www

Create Sample Pages for Each Site


Now that we have our directory structure set up, let’s create a default page for each of our sites so that we will have something to display.

Create an index.html file in your first domain:

$ nano /var/www/example.com/html/index.html

<html>
    <head>
        <title>Welcome to Example.com!</title>
    </head>
    <body>
        <h1>Success!  The example.com server block is working!</h1>
    </body>
</html>

Save and close the file when you are finished.


Create the First Server Block File

As mentioned above, we will create our first server block config file by copying over the default file:

$ sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example.com

Now, open the new file you created in your text editor with sudo privileges:

$ sudo nano /etc/nginx/sites-available/example.com

Change the lines

    listen 80 default_server;
    listen [::]:80 default_server;

to

    listen 80;
    listen [::]:80;

and also set the root directive,

    root /var/www/example.com/html;

and set the server name too,

    server_name example.com www.example.com;

Enable your Server Blocks and Restart Nginx

Now that we have our server block files, we need to enable them. We can do this by creating symbolic links from these files to the sites-enabled directory, which Nginx reads from during startup.

We can create these links by typing:

$ sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

These files are now in the enabled directory. We now have three server blocks enabled, which are configured to respond based on their listen directive and the server_name (you can read more about how Nginx processes these directives here):

  • example.com: Will respond to requests for example.com
    and http://www.example.com
  • test.com: Will respond to requests for test.com
    and http://www.test.com
  • default: Will respond to any requests on port 80 that do not match the other two blocks.


$ sudo nano /etc/nginx/nginx.conf

Within the file, find the server_names_hash_bucket_size directive. Remove the # symbol to uncomment the line:

http {
    . . .
    server_names_hash_bucket_size 64;
    . . .
}

Next, test to make sure that there are no syntax errors in any of your Nginx files:

$ sudo nginx -t

If no problems were found, restart Nginx to enable your changes:

$ sudo systemctl restart nginx

Test your Results
Now that you are all set up, you should test that your server blocks are functioning correctly. You can do that by visiting the domains in your web browser:

http://example.com

You should see the “Success!” page created above.


How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04

Installing Certbot

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the certbot software on your server. The Certbot developers maintain their own Ubuntu software repository with up-to-date versions of the software. Because Certbot is in such active development it’s worth using this repository to install a newer Certbot than provided by Ubuntu.

First, add the repository:

$ sudo add-apt-repository ppa:certbot/certbot

You’ll need to press ENTER to accept. Afterwards, update the package list to pick up the new repository’s package information:

$ sudo apt-get update

And finally, install Certbot with apt-get:

$ sudo apt-get install python-certbot-nginx

Updating the Firewall

If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, Nginx registers a few profiles with ufw upon installation.

You can see the current setting by typing:

$ sudo ufw status

To additionally let in HTTPS traffic, we can allow the “Nginx Full” profile and then delete the redundant “Nginx HTTP” profile allowance:

$ sudo ufw allow 'Nginx Full'

$ sudo ufw delete allow 'Nginx HTTP'

Your status should look like this now:

$ sudo ufw status    (Status should be active, with Nginx Full allowed)

Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates, through various plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary:

$ sudo certbot --nginx -d example.com -d www.example.com

If you have no errors, reload Nginx:
$ sudo systemctl reload nginx

Setting Up Auto Renewal

$ sudo crontab -e

15 3 * * * /usr/bin/certbot renew --quiet

The 15 3 * * * part of this line means “run the following command at 3:15 am, every day”. You may choose any time.

The renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. --quiet tells Certbot not to output information or wait for user input.

Cron will now run this command daily. All installed certificates will be automatically renewed and reloaded when they have thirty days or less before they expire.

How to launch a sub domain with Let’s Encrypt SSL in AngularJs/GoDaddy:-

1. First you have to add subdomain ownership in GoDaddy: add an ‘A’ record in GoDaddy with Host set to ‘*’.

2. Next, change the starting page of the AngularJS app in app.config.js.

Whatever is specified in “.otherwise(‘/domainname’);” is the starting page of the AngularJS app.

3. Next, change the domainCtrl.js file:

window.location = "http://" + vm.company_name + ".localhost:4000/#!/login";

4. In SessionController.rb, change the login action to the following (the previous check is kept in a =begin/=end comment block):

def login
  @user = Authenticator.user?(params[:email], params[:password])

  if @user
    if @user.company_admin.nil?
      subdomain = @user.company.sub_domain
    else
      subdomain = @user.company_admin.company.sub_domain
    end

    # The value computed above is superseded here: the company's recorded
    # subdomain is what the login must match.
    subdomain = ''
    subdomain = @user.get_company.sub_domain if @user

    # Subdomain the login request came from: the host label between "//" and
    # the first "." of the Referer URL (empty when the header is absent).
    val = request.headers['HTTP_REFERER'].to_s
    sub_domain = ''

    unless val.index('.').nil? || val.index('//').nil?
      start_index = val.index('//') + 2
      end_index = val.index('.') - 1
      sub_domain = val[start_index..end_index]
    end

    if @user && subdomain == sub_domain
      update_tracked_fields(@user)
    else
      render json: { message: 'Invalid email/password/sub_domain', status: 401 }, status: 401
    end

=begin
    if @user
      update_tracked_fields(@user)
    else
      render json: { message: 'Invalid email/password/sub_domain', status: 401 }, status: 401
    end
=end
  else
    render json: { message: 'Invalid email/password/sub_domain', status: 401 }, status: 401
  end
end
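The Referer-to-subdomain step of the login action above, isolated as an added example (not the project’s own code) so its edge cases can be exercised offline: the function names are assumptions, it mirrors the controller’s slicing but also tolerates a missing header, a port, an https scheme and a malformed URL, and the hostnames in the test are constructed sample values.

```ruby
require "uri"

# Added example (not the project's own code): the Referer-to-subdomain
# extraction from the login action above, as a pure function. It mirrors the
# controller's slicing (host label before the first "."), but tolerates a
# missing header, an https scheme, a port and a malformed URL instead of
# raising. The Referer header is supplied by the client, so this check
# complements the email/password check rather than replacing it.
def referer_subdomain(referer)
  return "" if referer.nil? || referer.empty?
  host = begin
    URI.parse(referer).host.to_s
  rescue URI::InvalidURIError
    ""
  end
  labels = host.split(".")
  labels.size >= 2 ? labels.first : ""   # "a.b.com" -> "a", "localhost" -> ""
end

# The decision the login action makes: the user's company subdomain must
# equal the subdomain the request was referred from; otherwise respond 401.
def login_allowed?(company_subdomain, referer)
  return false if company_subdomain.nil? || company_subdomain.empty?
  referer_subdomain(referer) == company_subdomain
end

# Outcome in the shape the controller renders (status code and message).
def login_outcome(company_subdomain, referer)
  if login_allowed?(company_subdomain, referer)
    [200, "OK"]
  else
    [401, "Invalid email/password/sub_domain"]
  end
end
```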

5. How to add a Let’s Encrypt certificate for the subdomain as well,

How to Add/Import SSH Private Key in FileZilla ( for SFTP )

FileZilla is the most popular FTP client for connecting to an FTP server from a local system. It has many features for working with remote servers, but many users do not know how to connect over SFTP using FileZilla.

If you don’t want to use a password, you can simply use an SSH private key with FileZilla to authenticate on a key basis. This article shows how to import a private key in FileZilla for SFTP access.

Download FileZilla Client: click here to download the FileZilla client

Requirement:

FileZilla Client: You must have the FileZilla client installed on your system.
SSH Private Key: You must have an SSH private key to attach to the FileZilla client.

Step 1: Start Filezilla

You probably already know how to start FileZilla on your system: via a shortcut, through Program Files, or from the command line.

Step 2: Add Key in Filezilla

Follow the screenshots below to add the private key in FileZilla.

2.1 Go to the Edit menu and click on the Settings submenu.

2.2 Select SFTP under Connection and click Add key file.

2.3 Select the private key file. Your key file will be added to the list. Now just click OK.

Sometimes FileZilla prompts to convert the key when the provided key is not in the format FileZilla uses. Feel free to convert the file and save it under another name.

Step 3: Connect to SFTP Server

Enter the details of Host, Username and Port (if not using the default) and click on Quickconnect.

Please follow the link below to add an SSH key in FileZilla:
https://tecadmin.net/import-private-key-in-filezilla/