Just for laughs can anyone inform me why we are now being fed monstrosity links like below?
<script src="https://code.jquery.com/jquery-3.1.1.js" integrity="sha256-16cdPddA6VdVInumRGo6IbivbERE8p7CQR3HzTBuELA=" crossorigin="anonymous"></script>
Instead of:
<script src="https://code.jquery.com/jquery-3.1.1.js"></script>
I assume they must serve some kind of purpose.
Yes, it's important. It's called an INTEGRITY attribute and it's there in case the CDN is ever hacked or goes malicious.
Integrity is a flag that can be included in script tags that specifies the hash of an accepted script. If the script on the server does not match the hash, the end user's web browser will reject it. This reduces potential risk for everyone. These days, very important.
Crossorigin is also required for integrity checking. It stops credentials from being sent with the request.
Nancy
This still works, without all the garbage, so what's the risk to me?
<script src="https://code.jquery.com/jquery-3.1.1.js"></script>
The risk is that sooner or later browsers will start to give a 'warning' message that the origin of the script cannot be confirmed, and offer the option of blocking the script (similar to Flash).
The safer alternative, and one that is future proof, is to host the script on your own server if possible.
Sure it still works. But if jQuery CDN is hacked and all the scripts are replaced with malicious code -- even temporarily (it can happen), then you and anyone else who visits your site is potentially at risk for receiving malicious code.
INTEGRITY checks with hashing diminish that risk.
IMO it's negligent not to use it.
Nancy
Nancy OShea wrote:
Sure it still works. But if jQuery CDN is hacked and all the scripts are replaced with malicious code -- even temporarily (it can happen), then you and anyone else who visits your site is potentially at risk for receiving malicious code.
INTEGRITY checks with hashing diminish that risk.
IMO it's negligent not to use it.
Nancy
I just loathe all this garbage being injected into the code. That's why I hate stuff like WordPress, Bootstrap etc. I'll house the scripts myself - no one is going to hack my sites - it seems the CDN hosted script providers now believe, for some reason, there is a good possibility of being hacked, so hackers MUST be trying it all the time, otherwise they would not have recently introduced this.
it seems the CDN hosted script providers now believe, for some reason, there is a good possibility of being hacked, so hackers MUST be trying it all the time, otherwise they would not have recently introduced this.
Was that not obvious to everyone.
Once something becomes popular, the chances of hacking increase proportionally. Remember all those WordPress users a few years ago who said that it could not be hacked, and then it was.
pziecina wrote:
it seems the CDN hosted script providers now believe, for some reason, there is a good possibility of being hacked, so hackers MUST be trying it all the time, otherwise they would not have recently introduced this.
Was that not obvious to everyone.
Yes, which makes linking directly to the CDN hosted scripts less desirable in my opinion, especially if you want to keep your code free of poo, poo.
Cloudflare CDN changed all the email links on my client websites to say "email protected" and broke them. The image shows what the links looked like on websites and what the code looked like. The Cloudflare protection was fighting with the protection I had created myself. When someone first called me to say the links on their website were messed up, I took a look and must have turned white as a sheet, thinking the server had been hacked.

Like it or not, it's the world we live in now. Hacking attempts are far more prevalent than you may realize. Even though the sites I run are small potatoes compared to the bigger ones, I have Secure Live monitoring on my dedicated server. In any given week, I receive between 3-5 hacking attempt warnings. Sometimes more. But the system stops them and then blocks their IP.
Some attacks originate in Russia, some from China and some from the Middle East. It's not limited to any one region. So if you think you're immune, think again. Nobody is immune.
Nancy
Nancy OShea wrote:
Like it or not, it's the world we live in now. Hacking attempts are far more prevalent than you may realize. Even though the sites I run are small potatoes compared to the bigger ones, I have Secure Live monitoring on my dedicated server. In any given week, I receive between 3-5 hacking attempt warnings. Sometimes more. But the system stops them and then blocks their IP.
Some attacks originate in Russia, some from China and some from the Middle East. It's not limited to any one region. So if you think you're immune, think again. Nobody is immune.
Nancy
Well, I've been doing this for what, 12 years now, and none of my sites have thus far been hacked... so I'll take my chances. It's like saying I'll wear a bulletproof vest every time I go out because there are so many terrorists looking to bring you down, but I don't see many people walking around the supermarket dressed in bomb-proof jumpers... maybe in the US, because you guys do tend to blow everything out of proportion.
Well, I've been doing this for what, 12 years now, and none of my sites have thus far been hacked... so I'll take my chances.
Then you should take a look at your server logs some time.
I know that my server is subjected to thousands of attack attempts every day. They are of all kinds. I am very paranoid about security because I am terrified of an attack that I can't solve by myself, and have to pay the server farm staff to resolve.
Rob Hecker2 wrote:
Well, I've been doing this for what, 12 years now, and none of my sites have thus far been hacked... so I'll take my chances.
Then you should take a look at your server logs some time.
I know that my server is subjected to thousands of attack attempts every day. They are of all kinds. I am very paranoid about security because I am terrified of an attack that I can't solve by myself, and have to pay the server farm staff to resolve.
I don't really have any sites that I can't rebuild in a few minutes. I don't have my own servers like you do because I don't want the added worry of them being attacked or going t*ts up. I'm a web developer first and foremost, not a server technician or protector. I would hope that the hosting companies that I use have some kind of protection against attacks, so I'm happy with that.
The only times I was successfully hacked was when I used shared hosting. That was maybe six years ago. I was using network solutions and twice their FTP server was breached. Oh, and at about the same time another client was using Dreamhost and they were hacked two or three times.
Since I've been using a VPS, no problems, but largely because I have paid a lot of attention to server security. Knock on wood!
When my client websites go down, they stop making money, which makes them chase after poor me with pitch forks.
Rob Hecker2 wrote:
When my client websites go down, they stop making money, which makes them chase after poor me with pitch forks.
It happens anyway, regardless of being hacked. I had a client hosted with BT (British Telecom) a couple of years ago and the server just went down for a few days...and then was up for a few days and then down again. There's not much anyone can do until a server tech sorts it out (usually based somewhere else in the world) or you jump to another server provider, which also has the potential to go down.
Last year I had another client's website down for a day because they were moved to another server after a redesign, only for the hosting company to somehow point the domain back to the old server address.
I'm not aware of any hosting company that will guarantee 100% uptime. I make clients aware that there could be potential issues at some point and if it happens I'm not responsible, unless of course it's my fault, and if it is I bend over backwards to correct it as fast as possible. Because I work freelance it means I'm available more so than a company that shuts up shop for the weekend/evening.
But the web is as fickle as anything else - you could jump in your car tomorrow and it doesn't start.
I would hope that the hosting companies that I use have some kind of protection against attacks
Unfortunately, shared web hosting has to be lax about security, otherwise their support staff will be overwhelmed by customers who are locked out or blocked from doing what they want to do.
Also, a lot of the security I focus on is the kinds of stuff that is under your control as a developer, such as controls within CMS admin systems (I don't allow customers to add javascript or anything but simple html and css), strong form validation and sanitation.
Rob Hecker2 wrote:
I would hope that the hosting companies that I use have some kind of protection against attacks
Unfortunately, shared web hosting has to be lax about security, otherwise their support staff will be overwhelmed by customers who are locked out or blocked from doing what they want to do.
All I can say is I've not experienced any hacking issues in the 12 or maybe more years I've been producing websites, and I've used a variety of hosts over that time. Issues with servers unrelated to hacking, yes, plenty. Even if one of my clients' sites gets hacked it's not a major problem as I can rebuild it in a matter of minutes. The kind of clients I have are the ones that mostly don't update the websites themselves even though they have access to a CMS to change selected areas of it.
Generally I inform those clients that want to update their own website that they need to back up their own database, as I cannot be bothered myself because there is little or no financial return in playing bodyguard in those circumstances. For those clients that let me do the updates, I back up their database and so does the web host. It's always a risk when using technology which can be beyond your control or technology which can be complex, needing an expert to intervene at times.
I prefer to just concentrate on the developing as I have enough on my plate just keeping pace with that. I'm not really interested in the server administration side as I don't understand the inner workings of it and neither do I have any compelling desire to do so.
Personally I would not want to put myself in the situation where I was responsible for the upkeep of a server because things do happen and I would lose too much sleep worrying about it. I don't know if the financial rewards in doing so outweigh that concern.
Personally I would not want to put myself in the situation where I was responsible for the upkeep of a server because things do happen and I would lose too much sleep worrying about it. I don't know if the financial rewards in doing so outweigh that concern.
The financial rewards of managing the server are what allowed me to purchase a Bentley. . . .oh wait; I guess I don't actually own a Bentley.
I admit that sometimes it's a headache and a lot of work, very little of which can be billed to clients. Originally, my reasons for going this route were:
Later, I appreciated the ability to control the server environment, such as the ability to control the PHP configuration, loaded extensions, etc.
Rob Hecker2 wrote:
Personally I would not want to put myself in the situation where I was responsible for the upkeep of a server because things do happen and I would lose too much sleep worrying about it. I don't know if the financial rewards in doing so outweigh that concern.
The financial rewards of managing the server are what allowed me to purchase a Bentley. . . .oh wait; I guess I don't actually own a Bentley.
I admit that sometimes it's a headache and a lot of work, very little of which can be billed to clients. Originally, I had two reasons for going this route:
- It allows one to not have to learn the idiosyncrasies of every podunk webhost admin system clients might already be using.
- It allows one to protect code you write from theft and meddling.
- It allows one control over server resources such as bandwidth and processing power.
Later, I appreciated the ability to control the server environment, such as the ability to control the PHP configuration, loaded extensions, etc.
I think all those points are good points but not enough for me personally to want to take on the responsibility of managing and fixing a web server if it goes wrong or is hacked.
I have to focus my attention on areas which I understand and which are fully in my control, so I can confidently offer a service to a client without fear of not being able to resolve issues when things go pear shaped.
That's just me, I play safe.
I agree. We each have to focus on certain areas, forgoing others.
That's why I quickly got out of updating website content and moved to a CMS. I really hated updating website content.
Rob Hecker2 wrote:
I really hated updating website content.
Me too but that's where I make most of my money, repeat business but it's very boring. I do supply a CMS to edit certain areas but my clients hardly, if ever, take advantage of it. I think it's because the updates I do are really intensive and are bi-annual taking usually 5 or 6 days solid work each time - time my clients just do not have to spare in one session. I guess if they were adding a couple of products or a couple of news stories the situation would be different.
Whilst in reality I would prefer someone else did the boring stuff, it would mean refocusing my target market on possibly fast turnaround, cheaper and one-off clients, which also has its downsides as there is not much repeat business.
Ultimately I wouldn't be doing this at all.
Ultimately I wouldn't be doing this at all.
Me neither. I'd be wandering around in the Olympic mountain range and sailing in Puget Sound.
One other thing that Nancy did not mention -
Browsers are starting to implement 'warnings' about any scripts that are from a different server than the original, without the 'integrity/origin' attribute. This is how they are 'behind the scenes' implementing html5 ad blocking.