From 740c1e79ca7981bf9357cd3bc7ea895e226f6ce0 Mon Sep 17 00:00:00 2001
From: bpetschowitsch <bernhard.petschowitsch@hochschule-burgenland.at>
Date: Thu, 16 Apr 2026 09:23:11 +0200
Subject: [PATCH] ...

---
 05_php_addressbook.md |  99 ----------------------------
 06_xss_demo.md        |  25 -------
 07_CSP.md             | 147 ------------------------------------------
 3 files changed, 271 deletions(-)
 delete mode 100644 05_php_addressbook.md
 delete mode 100644 06_xss_demo.md
 delete mode 100644 07_CSP.md

diff --git a/05_php_addressbook.md b/05_php_addressbook.md
deleted file mode 100644
index f9a23bb..0000000
--- a/05_php_addressbook.md
+++ /dev/null
@@ -1,99 +0,0 @@
-# Enable PHP in Nginx
-
-run in bash:
-
-```bash
-sudo apt install php-fpm -y
-```
-
-get php version/sock
-
-```bash
-ls -l /run/php/*.sock
-```
-
-add to nginx config (server section):
-
-```nginx
-# pass PHP scripts to FastCGI server
-#
-location ~ \.php$ {
-        include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/run/php/php8.4-fpm.sock; # <-- use version from output above!
-}
-```
-
-validate nginx configuration & restart if ok:
-
-```bash
-sudo nginx -t
-sudo systemctl reload nginx
-```
-
-create Demo-App:
-
-```bash
-sudo vi /var/www/*domain-name*/*webapp*.php
-```
-
-## Demo Webapp (Addressbook)
-
-```php
-<?php
-// Wir simulieren eine einfache Speicherung in einer Textdatei
-$db_file = 'names.txt';
-
-// 1. Speichern, wenn das Formular abgeschickt wurde
-if (isset($_POST['name'])) {
-    file_put_contents($db_file, $_POST['name'] . PHP_EOL, FILE_APPEND);
-}
-
-// 2. Auslesen der Namen
-$names = file_exists($db_file) ? file($db_file) : [];
-?>
-
-<!DOCTYPE html>
-<html>
-<head>
-    <title>Demo: Addressbook</title>
-</head>
-<body>
-
-    <h2>Einfaches Adressbuch</h2>
-    
-    <form method="POST">
-        <input type="text" name="name" placeholder="Name eingeben..." required>
-        <button type="submit">Speichern</button>
-    </form>
-
-    <hr>
-
-    <h3>Eintr&auml;ge:</h3>
-    <?php foreach ($names as $name): ?>
-        <div class="entry">
-            Benutzer: <?php echo $name; ?>
-        </div>
-    <?php endforeach; ?>
-
-    <p><small><a href="?clear=1">Liste leeren</a></small></p>
-    <?php if(isset($_GET['clear'])) { file_put_contents($db_file, ""); } ?>
-
-</body>
-</html>
-```
-
-create txt file (as database):
-
-```bash
-cd /var/www/*domain-name*
-sudo touch names.txt
-sudo chown www-data:www-data names.txt
-sudo chown www-data:www-data *webapp*
-```
-
-testing the webapp:
-
-```
-http://*domain-name*/*webapp*.php
-```
-
diff --git a/06_xss_demo.md b/06_xss_demo.md
deleted file mode 100644
index f4b6281..0000000
--- a/06_xss_demo.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# XSS/CSP Demo
-
-## Environment
-Demo App -> [Addressbook](enable_php.md)
-
-## Demo
-check that csp is not set in nginx
-
-## Browser
-add following name & press "Speichern":
-
-```html
-Charlie <div id="out"></div><script>document.onkeypress = function(e) {document.getElementById('out').innerHTML += e.key};</script>
-```
-
-and now type on your keyboard...
-
-## CSP
-set CSP in nginx config
-
-```nginx
-add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
-```
-
-repeat the Demo.
\ No newline at end of file
diff --git a/07_CSP.md b/07_CSP.md
deleted file mode 100644
index 6ed54fc..0000000
--- a/07_CSP.md
+++ /dev/null
@@ -1,147 +0,0 @@
-# CSP
-
-## XSS/CSP Demo
-Using Demo-App [Addressbook](enable_php.md)
-
-Using Instructions [XSS-Demo](xss_demo.md)
-
-## Preparing Website for exercise
-as simple playground...add following code-block to the index.html (or index.nginx-debian.html) before **`</body>`**
-
-```html
-<input id="hello_world" type="button" value="Hello World!" />
-
-<script nonce="nginx_nonce">
-document.getElementById("hello_world").addEventListener('click', hello);
-
-function hello() {
-        alert("hello world!");
-}
-</script>
-```
-
-and add a style tag (within head-section):
-
-```html
-<style nonce="nginx_nonce">
-  h1 {color:red;}
-</style>
-```
-
-## CSP general
-
-Set the Content Security Policy. Edit the site configuration.
-
-```nginx
-server {
-    [...]
-    add_header Content-Security-Policy "default-src 'self';" always;    # only resources from our webserver are loaded. Inline script/css tags are blocked as well!
-    [...]
-}
-```
-
-afterwards compare the website to before (comment/uncomment the CSP header).
-
-## CSP nonce
-a simple example to generate a dynamic nonce per request...
-edit the site configuration.
-
-```nginx
-server {
-    [...]
-    # nonce
-    set $nonce $request_id;
-    add_header Content-Security-Policy "default-src 'self' 'nonce-$nonce';" always;    # only resources from our webserver are loaded
-    sub_filter 'nginx_nonce' "$nonce";
-    sub_filter_once off;
-    sub_filter_types text/html;
-    [...]
-}
-```
-
-Note: *nginx_nonce* has to match to the value provided in the *script* and *style* tag.
-
-Note2: Test the website again. The style and script tags should now be allowed, as they are whitelisted by using the nonce tag.
-
-## CSP hash
-nonce requires will and option to modify the source code of webapp...
-another option is using hash-values in the CSP header.
-
-comment the lines from above to have the style and script stop working again.
-
-get hash-values from the debug-console of the browser and add it to the CSP instruction.
-![firefox debug-console](./images/get_csp_hash.png)
-
-```nginx
-server {
-    [...]
-    # csp hash
-    add_header Content-Security-Policy "default-src 'self' 'nonce-$nonce' 'sha256-4qxDpGEJUcxjIP3NOEWlTKBLTDQ5y6fmRuEEO6ZT9Q0=' 'sha256-IKS/bMyKMqxTwEMnsaKruaZIbhySJGL+EebDepTqwUM=';" always;    # only resources from our webserver are loaded
-    [...]
-}
-```
-
-Note: Test the website again. The style and script tags should now be allowed, as they are whitelisted by providing their hash-value.
-
-## CSP hash - external ressource
-
-Example Ressource to integrate (can be internal or external hosted !):
-
-```url
-https://code.jquery.com/jquery-3.7.1.min.js
-```
-
-Note: jquery is (was) a popular library supporting in handling of events, dom-manipulation and request handling.
-
-for external resources, calculate the hash using:
-
-```bash
-curl -s https://*domain*/*path-to-resource* | openssl dgst -sha256 -binary | openssl base64 -A
-```
-
-integrate the library to your website, by adding following script-tag:
-
-```html
-[...]
-        <script src="https://code.jquery.com/jquery-3.7.1.min.js"
-            integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo="
-            crossorigin="anonymous">
-        </script>
-    </body>
-</html>
-```
-
-Explanation:
- - src: is the URL for fetching the resource
- - integrity: the hash value of resource (to ensure it is exactly the expected resource) -> mandatory when combined with CSP hash
- - crossorigin: explicit usage of CORS. Note: Legacy tags like "script", "img", ... historically do not use CORS, but are limited in usage (e.g. browser blocks full access to resources -> in case of bug, you see script failure but not what exactly). For usage of integrity, CORS is mandatory.
-
-### Verify
-
-refresh your website and use the development console (network analyse) to verify the resource is loaded.
-
-enable CSP:
-
-```nginx
-server {
-    [...]
-    add_header Content-Security-Policy "default-src 'self';" always;    # only resources from our webserver are loaded. Inline script/css tags are blocked as well!
-    [...]
-}
-```
-
-Verify again. The ressource is no longer loaded, as it is blocked by CSP.
-
-### enable external ressources
-
-modify the CSP header:
-
-```nginx
-server {
-    [...]
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo=';" always;
-    [...]
-}
-```
-
-Verify again. The ressource will now be loaded again as it is whitelisted using its hash-value.
\ No newline at end of file