Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
Hi there guys I am using Flask for my backends so if I wanna send a request from client (js) to my backend (flask) I will normally use fetch()in js to send a request and I receive in my backend but the problem is that using Chrome developer tools all the guys are seeing to where I am sending a request and like I am geting tons of unwanted request to my backend which I not sent by my client(js) so guys are sending any way to prevent it
I have also tried API auth but the problem is they are seeing my API keys and sending request please help me
The browser belongs to the user. It is completely under their control.
It is impossible to send data from the browser without the user being able to inspect it.
You can't secure the browser from the user who owns it.
There is no way to restrict an API so that it can only be accessed by your code running in the user's browser.
While every thing on the client belongs to the client , HTTP response headers can be leveraged to tighten up the security of web apps, typically just by adding a few lines of code. Depending on the technology your using
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 12 months ago.
The community reviewed whether to reopen this question 12 months ago and left it closed:
Needs more focus Update the question so it focuses on one problem only by editing this post.
Improve this question
I want to prevent CSRF attacks on my API (Express app nodejs)
I searched google and youtube but I can't find way to do it. On the youtube tutorial it said generate a token and send it to the client side but won't the hacker just send a request to get csrf token and bypass the csrf thingy? I'm confused please help.
A traditional CSRF attack works by placing a pre-populated form on the the attacker's site and submitting it cross-origin. It then uses credentials that are automatically sent with the request to send the attacker's data under the guise of the browser owner's identity.
By putting a token in both the cookies (or session) and the form and checking to see if they match, you can defend against this. The attacker can't just send a request to get the CSRF token because:
If they get the user to make the request then the Same Origin Policy prevents them from reading the response with the token in it
If they make the request directly then they won't have the user's cookies so will get a different (non-matching) token
When you are dealing with a web service (and you need to make that API work across origins), things are different. The key defence here is to design the API so either:
The credentials go somewhere where they won't be sent automatically (e.g. in an Authorization header) so the attacker can't make the request with them.
The request is in a format where it requires a CORS preflight request to send (e.g. with a Content-Type: application/json request header).
… or both.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I'm working with an api that is formatted in XML and it hasn't been secured/received an SSL certificate (HTTPS). Is there a way to bypass this and display the data?
I've tested to make sure it wasn't my code that was the problem. I'm using a simple fetch to output the code in my console. It works properly with other secure api's like the star wars api.
fetch(Url)
.then(data => {
return data.xml()
})
.then(res => {
console.log(res)
})
I'm just trying to output basic data in either JSON or XML format
When on an HTTPS connection, you cannot connect to an HTTP endpoint like you're trying.
The best solution would be to fix the API so that it supports HTTPS, but if that's not possible, you can bounce the request off of your own (HTTPS-enabled) backend, have that backend make the HTTP request to the API, and have your backend reply with the response it receives.
If this is for your own testing and not for a production facing site I'd try adding the http endpoint to this Chrome flag:
You can get to Chrome flags by putting chrome://flags in the Chrome address bar.
Note: I haven't tested this. It's entirely possible this is only useful for "powerful features" as described here.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
I'm using this template and there's a sample page which covers notifications. There are numerous buttons which show a notification when pressed. I took a look at the button's source:
<a id="toastr_show" href="#" class="btn btn-dark">Show</a>
I found the javascript source code.
function runToastr(obj){
$(obj.elem).on( "click", function(e) {
e.preventDefault();
toastr.options.closeButton = false;
toastr.remove();
switch(obj.type){
...
I wonder how I can 'call' this notification from php?
There are a few ways for you.
HTML5 solutions:
Websocket
Server-sent Events
Websocket create a two-way tunnel and Server-sent Events create a one-way tunnel from server to client. Both of them can make your server side program send a "notification" to your client, so that you can display it via Javascript.
How ever, HTML5 doesn't work in any browser. And its programing is kind of difficult.
The easiest way is to make a AJAX request periodicity. However, it means the notification is not real time. And a short period will cost batteries on your client and resources on your server
To trigger notifications from a server side to a client, the following technologies may be implemented:
1. Websockets. This is a relatively new feature in HTML5. It keeps a CPU-less-intensive port to the server open and listens to that port. Now the server passes whatever it must pass to the client and the client renders it real time. Its application is in chat applications. But so far, PHP capability for that is kinda limited. NodeJS however has Socket.IO with a lot more. You might want to read about Websockets here.
2. A clever workaround is to request for notifications using an interval request. You do this by simply wrapping the request inside a JavaScript setInterval() method. If you are using jQuery, be sure to put this into the $(document).ready(function() {});
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
Scenario
I am developing some sort of web based cloud storage service.
One feature is that the user can initiate transcoding of video files (so that they can be streamed on different devices).
This takes some time and I want to display a progress bar to the user.
My plan is to submit the job using ajax where it is written into a database. The ajax call returns the ID of the job in the database, and this id will be used as the channel for notifications.
So when the job has been submitted, the client subscribes to the channel "job-databaseID" on some self hosted websocket server.
Transcoding workers then periodically select pending jobs from the database table and process them. While processing they push their progress to the websocket server to the same channel where the client is listening.
The front-end application should be a website with javascript and jquery.
The back end should be programmed in PHP and MySQL and an apache or nginx webserver.
Question
Is this a proper way of using websockets?
Usually I see websockets employed in a on-to-many notification scenario. Here it is a one-to-one notification scenario.
Are there maby better alterantives for this kind one way information flow?
Also I often see channels for Websocket scenarios to be more or less long-lived. Here it is very short-lived. Would it maby make more sense to make one channel per user?
What would be a good websocket server for that kind of use? Ideally the channels would be auto-removed once no client is connected to it any more and auto-created the same way, so I don't need to take care of that.
Did you take a look at Server Sent Events as you are initiating your request via ajax so you aren't performing bidirectional communication; you only want server to push you updates when it has ones
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
A while ago I built a small app using python which allowed users to create small chat rooms. I implemented the server as nothing more than a rest API. The client makes requests and the server gives the appropriate response. The response is recieved by a JavaScript client which keeps on making subsequent requests to the server for updated data. Currently the client sends around 1 request every 3 seconds. I would like my app to be real-time(updates appearing as soon as changes are made), for that to happen I would have to narrow the request interval further to around 0.7 seconds. The problem with this approach is that it is not entirely scalable. Is there any way the server can send data to the client when updates occur?
Instead of having the clients pull the server for data, you can have the server push data to the client. The most common protocol to do so (and it is quite close to the standard HTTP protocol) is called WebSockets. WebSockets are an evolving standard, not all browsers support them equally.
Also, in case you use a reverse proxy server at the edge of your network, not all reverse proxy servers support WebSockets, which may also prevent you from using WebSockets.
See: http://en.wikipedia.org/wiki/WebSocket