Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 3 days ago.
This post was edited and submitted for review yesterday.
Improve this question
I am using a JavaScript script embedded on a third-party website to make an API call to our server. We are using Cross-Origin Resource Sharing so that the script on the third-party website can read the response of our API. The CORS headers are set by the cors npm-plugin, and everything works fine if the API response is immediate (doesn't take more than a few ms).
However, if there is even a slight delay (few hundred ms) due to database lookups etc., the API call fails with the generic message "failed to fetch".
Failed to fetch error + network tab in the dev console
The API call is a POST request with a JSON body, so a CORS preflight request is also initiated by the browser.
So far I have concluded that it must be a CORS issue, since the API call processes fine on the server side, however the response isn't accessible on the third-party website. The thing I don't understand is why is it working if there is no delay, but if there is a delay (even an artificial one, with setTimeout and no other changes), it doesn't work anymore. I could also add that in Postman or even executing the fetch request locally in a node.js script, everything works fine even with delays of 2 seconds or more. That's why I don't think it is a server side issue, but not 100% sure of course.
This is the fetch request from the script that is embedded on the third-party website:
The fetch request
I don't think it would be a misconfiguration on the server side, since it's just a plain POST endpoint with JSON and the npm "cors" plugin for handling the CORS headers. It's a node.js server built with "express", nothing out of the ordinary there. We are using the cors package without any additional configuration, simply with:
app.use(cors());
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
( I am a Beginner ).
why I should use an http request - response in Node JS when i can use the Socket.IO library?
which are the advanteges of http request - response ?
Thanks to everyone.
Web-sockets(Socket.io) and HTTP both are communication protocols. HTTP uses HTTP:// or HTTPS:// and web-socket uses ws:// or wss:// to communicate with client.
Web-sockets are designed to maintain real time connection with client. But HTTP not maintaining real time connection with client. It response to the request of the client then terminate connection with client.
So if server only provide something that doesn't change in real time or the client doesn't expect to see changes in real time then having real time connection to client is a waste of server resources(server load, traffic, etc.).
Example: Think you are searching something in google. Search results appeared in google is same as after 1 hour(or more) for the same keyword. search results are not change in real time. So think if google server use socket connection instead of HTTP connection with clients. Google servers have to maintain billions of simultaneous connections with their clients for nothing.
Also read performance comparison between web-sockets and HTTP.
Http requests are the main form of communication on the web. They are used by the client (your browser) to ask something from the server.
Socket.IO is used for 2 way communications between a client and a server. (Socket.IO uses Websockets for communication, or other fallback methods if the client does not support it)
The question here is what are you building ? A website => use simple requests. An online game => Socket.IO
If you need a two way communication, then use Socket.IO, overwise requests are just fine ;)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
Hi there guys I am using Flask for my backends so if I wanna send a request from client (js) to my backend (flask) I will normally use fetch()in js to send a request and I receive in my backend but the problem is that using Chrome developer tools all the guys are seeing to where I am sending a request and like I am geting tons of unwanted request to my backend which I not sent by my client(js) so guys are sending any way to prevent it
I have also tried API auth but the problem is they are seeing my API keys and sending request please help me
The browser belongs to the user. It is completely under their control.
It is impossible to send data from the browser without the user being able to inspect it.
You can't secure the browser from the user who owns it.
There is no way to restrict an API so that it can only be accessed by your code running in the user's browser.
While every thing on the client belongs to the client , HTTP response headers can be leveraged to tighten up the security of web apps, typically just by adding a few lines of code. Depending on the technology your using
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I'm working with an api that is formatted in XML and it hasn't been secured/received an SSL certificate (HTTPS). Is there a way to bypass this and display the data?
I've tested to make sure it wasn't my code that was the problem. I'm using a simple fetch to output the code in my console. It works properly with other secure api's like the star wars api.
fetch(Url)
.then(data => {
return data.xml()
})
.then(res => {
console.log(res)
})
I'm just trying to output basic data in either JSON or XML format
When on an HTTPS connection, you cannot connect to an HTTP endpoint like you're trying.
The best solution would be to fix the API so that it supports HTTPS, but if that's not possible, you can bounce the request off of your own (HTTPS-enabled) backend, have that backend make the HTTP request to the API, and have your backend reply with the response it receives.
If this is for your own testing and not for a production facing site I'd try adding the http endpoint to this Chrome flag:
You can get to Chrome flags by putting chrome://flags in the Chrome address bar.
Note: I haven't tested this. It's entirely possible this is only useful for "powerful features" as described here.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
A while ago I built a small app using python which allowed users to create small chat rooms. I implemented the server as nothing more than a rest API. The client makes requests and the server gives the appropriate response. The response is recieved by a JavaScript client which keeps on making subsequent requests to the server for updated data. Currently the client sends around 1 request every 3 seconds. I would like my app to be real-time(updates appearing as soon as changes are made), for that to happen I would have to narrow the request interval further to around 0.7 seconds. The problem with this approach is that it is not entirely scalable. Is there any way the server can send data to the client when updates occur?
Instead of having the clients pull the server for data, you can have the server push data to the client. The most common protocol to do so (and it is quite close to the standard HTTP protocol) is called WebSockets. WebSockets are an evolving standard, not all browsers support them equally.
Also, in case you use a reverse proxy server at the edge of your network, not all reverse proxy servers support WebSockets, which may also prevent you from using WebSockets.
See: http://en.wikipedia.org/wiki/WebSocket
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
Scenario:
I have a webserver running php, I want to be able to be able to securely send a request to a separate server running nodejs and get a response back.
The node server will never need to send anything to the webserver by itself, e.g notifications/updates. So I don't think I need the 2 way communications that websockets would provide.
PHP sends a request to node, node processes the request, sends back data (most likely in JSON), php continues with it's script using the returned data.
Problem
I own the server running node, but the webserver is out in the wild. I need a way of making sure that any requests that come in to the node server are actually from the webserver not someone/something else, and I need the request and response data to be encrypted.
I have gathered I don't want to rely on something simple like checking ip addresses, I know that the webserver and the node sever will have to both have some shared secret information/algorithms to encode data. I could have a go at implementing this myself, but I know this problem is already solved with some encryption protocol / libraries.
I'm familiar with the concepts of encryption and keys, but I have never had to implement them.
Question
What is the best way to go about this?
What kind of encryption should/can I use, that is both supported by php and nodeJs?
What would be the potential security threats, if any?
I would suggest interact between two web servers using REST APIs.
REST APIs are used in these types of implementations.
If you can build proper authentication strategy, then the communication should be secure. If you enable SSL on Node, the communication will be encrypted. You can also limit by IP addresses, hostnames, and user agent strings.
Token based authentication with SSL should be good enough security. Utilize a strategy that implements nonce, and always have the tokens expire.
Implement CSRF strategy to prevent MITM attacks.
Build a token-based strategy that relies on common encryption methods, such as:
OAuth2
WSSE on Symfony2
CSRF on Express