I'm reading the 'Getting MEAN with Mongo, Express, Angular and Node' book by Simon Holmes. I like it a lot, but I had a big question which doesn't seem to be covered in the book. He is talking about a REST API through HTTP requests (I went a bit forward in the book and saw there was a login system), and that triggered me a bit: isn't it risky to do everything in HTTP? And my other question was: when you load your REST API on Heroku (and all your website), are the requests in HTTPS, since they force HTTPS? (I know it because I couldn't load a Google font due to me making the request in HTTP.)
isn't it risky to do everything in http
It's less secure. People can read any request in plain text.
when you load your rest api in Heroku (and all your website) are the request in https
Whilst you can use HTTP, you can make any request over HTTPS with no cost. When you upload your real app you will also want to configure your server to redirect to HTTPS too.
Ok, I have searched around the forums and Googled for a solution, but no one seems to have the exact same problem as me, or at least no one has posted about it that I can find.
So the problem is I can make a request (using the request module) on my personal computer to this API (to get data), but when I try to make the same request on the company's work laptop WHILST being connected to the company network I am unable to make the same request (getting an ECONNREFUSED error), despite the fact that I can navigate to the URL that I am trying to request on my company's work laptop, whilst connected to the company network, using a browser.
However, if I disconnect from the company's network and connect to a hotspot/other WiFi, I retrieve data using the Node.js request module again.
The things I have tried: I have tried using the built-in HTTPS module and also passing in headers such as different port numbers (the URL I am trying to request only works with port 443, it appears) and setting the User-Agent as well. I haven't tried requesting the data using my personal computer whilst connected to the company's network because I cannot.
It seems to me that my company is detecting that I am requesting the data via a script and blocking it, and not actually blocking the site itself (so I can't even call and ask IT to white-list the site because it looks like it isn't being blocked anyway).
Any help will be appreciated. Thanks
You can try ngrok: https://ngrok.com/download
Use ngrok http PORT
Run your Node.js application and in another shell run ngrok; it will give you a unique public URL, which you can use to request data.
Not sure which category my question falls under. I'm in great confusion and really need some expert suggestions.
I have a PHP site for e-commerce (OpenCart) running on the domain www.example.com and have developed a PWA mobile website which is ready to be launched; at this point I have fallen into so much confusion.
I want to host the mobile site on the subdomain m.example.com. The backend (REST API) is the same for the desktop and the mobile site, and is hosted on example.com.
When I make API calls from m.example.com to example.com, a preflight OPTIONS request is sent for each and every request, which takes almost 200ms to 300ms.
There is an option to avoid OPTIONS requests by making a simple request, but that is not possible in my case as I have token-based authentication and need the token in every API call.
To avoid OPTIONS requests, the option is to host the same REST API on m.example.com as well (I just checked: mobile.twitter.com API requests go to mobile.twitter.com), with both m.example.com and example.com sharing a common database.
This has another problem: any change in the API needs an update on both sites.
My questions are
What is the optimal way of handling this situation?
If I'm going with m.example.com, the redirection can be done at the front-end level or via a .htaccess rule; which option is ideal?
Is it a good idea to host the REST API on m.example.com as well?
I'm creating a progressive web app and need to make requests to an API which is HTTP and doesn't have HTTPS. I can't change the app to HTTP as PWAs require HTTPS, and I can't change the request link to HTTPS.
Getting this error:
Mixed Content: The page at 'https://current-site.herokuapp.com/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://the-api.com/api/customer?$filter=contains(CustomerName,%20%27test%27)&$select=CustomerName,CustomerId&$top=10'. This request has been blocked; the content must be served over HTTPS.
Hoping there's a way around this. Currently using Node.js and Express to serve. Requests are being made from the frontend (Vue.js) with axios.
Thanks for helping.
Shy of using an insecure or old browser, or telling your users to use some command line flags before surfing the web, there is not a direct method for this. This is by design and would be a major security flaw if apps could do this directly.
However, if you're determined to use the insecure API, you can write an HTTPS proxy API on your server, that turns around and does the request to the real API over HTTP.
I had asked a question a while back about What is the difference between requiring an SSL cert and accepting an SSL cert?
For the most part that cleared up the differences between the two, however I am still a little unclear on the topic.
I have a few questions about this image:
Require SSL - What exactly does this mean from a client standpoint? Does it mean that in order for the webpage to appear the server needs to have an SSL certificate? How does this encryption work?
Client Certificates - I get that this all comes from the client, but is it something that I, as a webserver, would issue? What would be a particular situation where you would require a Client certificate?
Was also reading this article: Why SSL? The Purpose of using SSL Certificates
and while I do have Require SSL and Ignore Client certificates set up on specific pages, I don't see the below changes to the address bar:
Why do I not see that? What is required of me in order to get that working? Because that leads me to believe there really isn't anything more secure about using HTTPS as opposed to HTTP.
The reason that I am questioning this is because recently, when trying to dynamically load HTML into my website I was doing the loading using Javascript and HTTPS for the url, but I was getting domain errors saying that it was not coming from the same origin...
i.e. http://www.example.com & https://www.example.com - I don't get why I would get an error saying it is not the same origin? Not to mention I was also using the page with HTTPS (that is what was present in the address bar). Meanwhile, changing the link to HTTP seemed to fix that error.
Require SSL - What exactly does this mean from a client standpoint?
The documentation is a little unclear. It either means:
When a plain HTTP request is made to the server, it responds saying "The resource you want is at this HTTPS URL, go there to get it" or
It turns off plain HTTP support entirely
This is easy to test if you have an IIS server which supports SSL (I don't) and I would assume it is the first option.
Client Certificates - I get that this all comes from the client, but is it something that I, as a webserver, would issue? What would be a particular situation where you would require a Client certificate?
Generally, you would issue them in the capacity of "someone running a webserver, but possibly also other systems, which require a client certificate".
You use these in lieu of a username/password.
while I do have Require SSL and Ignore Client certificates setup on specific pages, I don't see the below changes to the address bar
It is hard to tell what the issue is when you don't show us what you see on your own site.
i.e. http://www.example.com & https://www.example.com - I don't get why I would get an error saying not the same origin?
The rules for origins are quite strict.
The hostname must be the same (it is)
The port must be the same (it isn't, you have 80 and 443, which are the defaults for HTTP and HTTPS)
The scheme must be the same (HTTP and HTTPS are not the same)
You should mitigate this by using SSL everywhere. Don't use plain HTTP for some things and HTTPS for others.
It's possible that the lack of notification from the browser that the connection is secure (as mentioned in the previous section) is due to you loading other resources over HTTP into the page, but without a test case it is hard to tell.
I'm working on a single page app that uses Backbone.js and Marionette on the front end, and Django with Tastypie on the back. I just added an SSL certificate to the web server, and redirected all the HTTP traffic to HTTPS.
Everything seems to work fine except for the Backbone (sync) requests, which continue to be sent over HTTP, causing the browser to block those requests, and I don't know how to tell Backbone to use HTTPS by default.
The Backbone models' url/urlRoot are relative, so they should take the same protocol as the rest of the site, right? Thanks.
Backbone.sync is a wrapper around jQuery.ajax(...) in the end. You are correct that Backbone (via jQuery) should use the protocol of the hosting page. And the Same Origin Policy dictates the browser reject any request made to a different host, port, or protocol.
All this suggests the way you're hosting the page is getting jQuery's signals crossed. If you access the page directly via HTTPS instead of relying on the HTTP --> HTTPS redirect, does it work? If so, the problem isn't a Backbone one, but a hosting one.