When deploying an onion there are a few things you need to have in mind because Tor users may be more meticulous about their integrity. Because .onion is a completely different domain from your regular one, you often need to adjust your settings so the site works with good security. This blog post will teach a few tips and tricks you can use when deploying an onion-domain as an alternative way to use your website. But first I need to clarify a healthy security design on Tor.

- The user should only get resources from your onion domain.
- Have in mind that most users will have JavaScript and Flash disabled (due to Tor Browser Bundle).
- Tracking is often useless for anonymous users.
- A user should never need to get resources (images, CSS and scripts) from your main domain if they are using your onion-domain.
- Verification is important! Without Extended Validation certificates you need to find another way for the user to verify that he/she is on the correct domain.

If a resource is requested from your main domain, that web server will see the request and therefore the current exit relay for that specific user. If a user only gets resources via the onion-domain, the web server will only see 127.0.0.1 as IP.

The best fix is to never direct link resources in your code, that is “ “; instead you should just have it as “/scripts/jquery.js”. If you are using CSP you could use the ‘self’ keyword, because the browser will interpret that as the onion-domain in this case. Speaking of CSP, if you have the report-uri directive you must point it to your onion if you are hosting the CSP violation logger locally. Note that CSP is supported in Tor Browser Bundle and you should use it, because attacks such as XSS and CSRF are still very possible on onion-domains!

There is often no need to track users on Tor because they are anonymous: they almost exclusively use TBB and therefore send the same User Agent, and your web server will see the IP as 127.0.0.1 if they are connecting via the Tor network. Therefore you should not rely on analytics tools such as Google Analytics and Piwik to work on your onion-domain; instead you could let your web server log the requests and use a log analyzer to see the number of users and the traffic your onion gets. If you are using Apache as web server it is very important that you also disable “mod_status”, because with this setting enabled anyone can see statistics about your visitors.
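
A check for the resource-linking and CSP advice in this post, as an added example (not code from the original post): it flags resources a page would fetch from any host other than the onion, a missing CSP header, and a report-uri that points off the onion. The onion name, `www.example.com`, the sample page and all function names are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample values: the onion name and www.example.com are placeholders.
ONION = "exampleonionplaceholder.onion"
SAMPLE_HTML = """<link rel="stylesheet" href="/css/site.css">
<script src="https://www.example.com/scripts/jquery.js"></script>
<img src="//www.example.com/logo.png">
<script src="/scripts/jquery.js"></script>"""
SAMPLE_HEADERS = {"Content-Security-Policy":
    "default-src 'self'; report-uri https://www.example.com/csp-report"}

# Tag -> attribute whose URL the browser requests without a user click.
FETCHED = {"script": "src", "img": "src", "link": "href", "iframe": "src"}

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == FETCHED.get(tag) and value:
                self.urls.append(value)

def off_onion(url, onion):
    """True when the URL names a host other than the onion; relative URLs pass."""
    host = urlsplit(url).hostname  # also resolves scheme-relative //host/path
    return host is not None and host != onion

def audit(html, headers, onion=ONION):
    """Return (finding, value) pairs for one page and its response headers."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = [("external-resource", u) for u in collector.urls if off_onion(u, onion)]
    csp = {k.lower(): v for k, v in headers.items()}.get("content-security-policy")
    if csp is None:
        return findings + [("missing-csp", "")]
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "report-uri":
            findings += [("report-uri-off-onion", t) for t in parts[1:] if off_onion(t, onion)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, SAMPLE_HEADERS):
        print(finding)
```

Run it against the HTML and headers your onion actually serves; an empty result means every automatically fetched resource and the CSP report endpoint stay on the onion.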