Adding a Twitter Feed To Your Site

With CF8 and the cffeed tag it’s easy to add a feed of your tweets to your site. I’ve found this is a really good way of getting followers on Twitter. I’ve used cfpod and cffeed below.

I like to style my cfpods, but IE (at least up to IE7, and as per usual) has “issues”, so I just do a browser sniff and use a couple of variables to make the pod look the same in all browsers.

<!--- IE (up to IE7) renders the pod header differently, so pick the style per browser --->
<cfif FindNoCase("msie", CGI.HTTP_USER_AGENT, 1)>
  <cfset podStyle = "color:##000000;text-align:center">
  <cfset podHT = "75">
<cfelse>
  <cfset podStyle = "color:##FFFFCC;background-color:##6699CC;text-align:center">
  <cfset podHT = "65">
</cfif>

<cfpod headerStyle="#podStyle#" name="twitpod" height="#podHT#" width="290" title="Me On Twitter - Latest">
  <div style="font-weight:normal;">
    <!--- search for the account name, excluding @replies sent to it by other people --->
    <cfset feedurl = "http://search.twitter.com/search.atom?q=yourTwitterName -@yourTwitterName" />
    <cffeed source="#feedurl#" properties="feedmeta" query="feeditems" />
    <cfoutput query="feeditems" maxrows="1">
      <span style="font-size:.7em;margin-top:-5px;">
        #dateformat(listfirst(feeditems.publisheddate, "T"), "mm/dd/yy :hh:mm")#
      </span>
      <span style="font-size:.8em;">
        <!--- strip any HTML tags that arrive inside the tweet content --->
        #REReplaceNoCase(feeditems.Content, "<[^>]*>", "", "All")#<br>
      </span>
    </cfoutput>
    <a href="http://twitter.com/yourTwitterName" style="text-decoration:underline;" target="_blank">Subscribe To My Twitter Feed</a>
  </div>
</cfpod>

My Twitter account is a corporate presence, so I don’t want other people’s tweets showing on my site. If you were just to set your feed URL to

http://search.twitter.com/search.atom?q=yourTwitterName

you would get all hits for yourTwitterName, even those posts from others who are @replying to you. This might not be an issue for some, but I want to make sure only -my- tweets show up in the feed. Just add

-@yourTwitterName

to the search.atom criteria and this will exclude any @yourTwitterName search results.

One other thing you may notice is that I’ve added an HTML-stripping REReplace function.

#REReplaceNoCase(feeditems.Content, "<[^>]*>", "", "All")#

This is a good idea for feeds and for any source you have no control over. I don’t want visitors to my site to have any issues with potential attacks propagated through Twitter (or any other service). We’ve already seen a couple of Twitter “worms” and I don’t need a potential XSS vulnerability introduced on my site. (Paranoid? Yes, but that’s a -good- thing.)


Protect your admin interface.

Just a quickie today.

Many websites require an admin interface to manage the public-facing areas of the site. While these can and should be protected with -strong- passwords, as web developers we always want to present an attacker with the smallest possible “attack surface”. What an attacker can’t access, they can’t hack*.

You can make a simple change to the application.cfm/cfc file of your admin interface to provide a greater level of security.

<cfswitch expression="#cgi.REMOTE_ADDR#">
  <cfcase value="123.45.67.89">
    <!--- all your application.cfm code --->
  </cfcase>
  <cfdefaultcase>
    <cflocation url="yourpublicfacingpage.cfm" addtoken="no">
  </cfdefaultcase>
</cfswitch>

This limits access to your admin site to a single IP address. You could hard-code this if it’s your site, or you could make it a variable and read it from an ini file where a client sets the value.

If you want to allow access from multiple IPs, just create a list (with no spaces after the delimiter, otherwise the second address is read as “ 123.45.65.90” and never matches):

<cfcase value="123.45.67.89,123.45.65.90" delimiters=",">

To use this in application.cfc, just add the code to onRequestStart.
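Here is the Application.cfc form of that check, as an added example rather than the post’s own code: it reads the allowed addresses from an ini file with GetProfileString, as suggested above, and trims each entry so a stray space cannot break the match. The ini path /config/admin.ini, the section name "admin" and the entry name "allowedIPs" are assumptions.

```cfml
<!--- Application.cfc for the admin directory (added example).
      Assumed ini file at /config/admin.ini (hypothetical path) containing:
        [admin]
        allowedIPs=123.45.67.89, 123.45.65.90
--->
<cfcomponent output="false">
  <cfset this.name = "AdminApp">
  <cfset this.sessionManagement = true>

  <!--- Returns true when the given address is in the allowed list --->
  <cffunction name="isAllowedIP" access="private" returntype="boolean" output="false">
    <cfargument name="ip" type="string" required="true">
    <cfset var iniPath = expandPath("/config/admin.ini")>
    <!--- GetProfileString returns "" if the section or entry is missing, so nobody is allowed by default --->
    <cfset var allowed = getProfileString(iniPath, "admin", "allowedIPs")>
    <cfset var cleaned = "">
    <cfset var entry = "">
    <!--- trim each entry so "a, b" matches as well as "a,b" --->
    <cfloop list="#allowed#" index="entry" delimiters=",">
      <cfset cleaned = listAppend(cleaned, trim(entry))>
    </cfloop>
    <cfreturn listFind(cleaned, trim(arguments.ip)) GT 0>
  </cffunction>

  <cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">
    <!--- REMOTE_ADDR is the TCP peer address; behind a proxy or load balancer it is
          the proxy's address, which is one more reason the password still matters --->
    <cfif NOT isAllowedIP(cgi.REMOTE_ADDR)>
      <!--- cflocation ends the request, so the admin page never executes --->
      <cflocation url="/yourpublicfacingpage.cfm" addtoken="no">
    </cfif>
    <cfreturn true>
  </cffunction>
</cfcomponent>
```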

* It’s important to note that this is -not- foolproof since cgi variables -can- be spoofed. There is some debate on whether remote_addr can be spoofed but since security best practice -always- assumes the worst, make sure you’ve got a nice, strong password to protect your admin interface.

Extra tip:

Use a strong -username- as well as a strong password. It’s an awful lot harder to brute-force a website login with a username that is unlikely to be found in a dictionary or by social engineering/target research.

If your name is Frank, make your username Fr4an8k. This way an attacker has to figure out what the username is before even starting on the password. Most will simply move on. (And never, ever use a username such as “admin”.)