Heroku - How do I prevent this error? - javascript

I have made a game called kotakio (with nodejs), and have it hosted on kotakio.herokuapp.com, I now have a custom domain name, under kotak.io, but when I try and go on it, it says that my connection isn't secure, I think this is because it uses the certificate for *.herokuapp.com, as it says that the server may be trying to trick me. Is there a way for me to prevent this without having to buy the SSL Endpoint addon, as it's 20$/month, and this is only a hobby project.

If you use hobby or professional dynos you could try the beta for default ssl encryption with no additional charges. Otherwise the only way to use custom domains with ssl without that warning is adding the addon...

Related

Setting up a development environment for working with 0Auth 2.0

I'm curious if anyone else has encountered this issue.
I am building an application that will authenticate users using Google 0Auth 2.0 + OpenID.
I've built a simple site just with HTML and CSS to hold the UI and I'm using live server in Vscode to view it.
In The Google developer console for oauth, you must set Authorised JavaScript origins for client-side applications. I assumed I would just set this to http://localhost:5500 for the port that live server uses but I always get the following error:
Authorization Error
Error 400: invalid_request
Permission denied to generate login hint for target domain.
I have got around the issue by just getting a domain and hosting for a test site and setting this as the "Authorised JavaScript origin". However is seems really clunky and I have to FTP all my files to my hosting provider every time I want to change my code.
I could also host everything on a Node.js server from my local machine but this would just cause the same issue as before.
My question isn't so much how to stop getting this error but what is the proper way of developing with OAuth 2.0 and is there any way to speed up the process/create a local environment that doesn't get the same errors.
Thanks for your help.
There is an answer to this Google question here that may help you.
The way I have always set up an OAuth environment is to try to avoid localhost and use more real world URLs on a Developer PC. I also like to split them like this which helps me to visualize the architecture:
Base URL
Represents
http://www.example.com -
Your web UIs
http://api.ecample.com
Your APIs
http://login.example.com
The Authorization Server
This approach can also give you more confidence that your code will work well in beowsers, in areas such as these:
CORS
Cookies
Content Security Policy
By default you just need to edit your hosts file and add an entry like this. It can work very well for demos to business people also.
127.0.0.1 localhost www.example.com api.example.com login.example.com
:1 localhost
ADVANCED SCENARIOS
At Curity we provide some quite advanced developer setups and this approach scales well, as in the below articles. The second of these also provides a script you can use to run locally over SSL, in case this is ever useful:
Single Page Apps End to End Developer Setup
Kubermetes End to End Developer Setup

Web Crypto API without ssl

I wrote a little webapp for secure message transfer to learn more about encryption, and wanted to show it to my friends and let them play with it a little, so I hosted it on my little server, and was shocked to find that the Web Crypto API (which I worked my ass off to get to work because it is not very specific in its error messages) REQUIRES SSL ( kinda defeats the purpouse of implementing your own encryption scheme in browsers)!
I already have another API running on that server with SSL, but instead of merging them I wanted to ask: Is there a way to circumvent the secure socket requirement of Web Crypto API, or is there another library out there which allows me to use the same or similar functions in a non-secure context?
The WebCrypto API specification(https://www.w3.org/TR/WebCryptoAPI/ ) does not restrict to SSL, but browser implementations require a "secure origin"
For example, Chrome requires https , wss, localhost or an extension. See https://stackoverflow.com/a/46671627/6371459
You would need to set up a SSL connection in order to use webcrypto. If you want to use another library (forge, pki.js, etc.) you will not have this restriction, although it is advisable to use SSL / TLS when using cryptography.
Although I haven't tried this, you could use a shim. https://github.com/vibornoff/webcrypto-shim
A shim is a javascript file that does the same thing as the built-in method.
It's used for older browsers that don't support the new methods.

Detect unsecure ssl-Connection

We are running an intranet application which uses a self-signed ssl cert.
The customer does trust our CA.
We are using this way since several years.
On some PCs our CA was not imported and the user does get the warning from the browser everyday.
Unfortunately the users do not tell us this, they just say "accept cert" again and again.
Is there a way to detect the trust of the page?
We are running the web application and would like to get a note, if a browser does accept the cert manually. Then we can get in touch with the admin of the PC and send him a hint that a PC does not trust our CA yet.
Maybe it is possible to detect this way JavaScript?
This is good:
We want to get a note if it looks like this:
Update I am not responsible for the client PC. I do not have access to them to install or manage certs.
This is possible, however browser support is not very high at the moment.
If you can live with not supporting anything but chromium based browsers and firefox (these do make up the majority of user agents), you can use
window.isSecureContext
to find out, if the browser trusts your cert.
So in order to log every time someone does not trust your cert you could do:
if (!window.isSecureContext){
//do ajax call
}
The information is not exposed through Javascript (reference Is there a way to get SSL certificate details using JavaScript?).
Depending on the situation, you can:
1) Use a group policy to deploy your CA to all PC's
2) Use other management software to deploy the CA
3) Use an actual trusted certificate authority (by either purchasing a certificate or using Let's Encrypt)
This an non-exhaustive list, so if you have more information about your environment, I can possible give other options.

SquareUp Payment: Can we turn off SSL verification for development server?

I am trying to implement SquareUp Payment Gateway on a website and using Square Connect V2. When I try to show SqPaymentForm form in JavaScript but getting the following error -
paymentform:1 Uncaught Error: SqPaymentForm can only be embedded on sites that use HTTPS.
I can see a function named setSSLVerification in sample code but it not working and also I can't find it in API. I wonder if there is any way to turn SSL verification.
Can we turn off SSL verification? Like for development server?
Update:
After trying couple of unsuccessful things, I finally purchased SSL for dev server. As that's the easiest and quick solution. Thanks everyone for your answers.
You can use localhost for testing payment forms, but you are not able to use other development environments (like external testing servers). I'd recommend either testing from your local machine, or getting a free certificate with a service like Let's Encrypt
just use following code.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
in your c# code for bypass the security of HTTPS.

Javascript going through a Proxy

I am working on a project right now that requires some javascript for the proper functionality we are looking for. The problem we are running into is that the clients of this web-based app can only access the site through a proxy server (due to strict policies). This proxy server is stripping the javascript from the page and we are unable to replicate the exact proxy setting to determine a solution. Has anyone ran into this problem before and found a solution?
If there's a fixed set of client machines, and you can go for Firefox only, you might be able to do something using a Firefox extension or a bookmarklet that fetches the Javascript some other way that the proxy doesn't recognize (e.g. as base64 encoded data). It would however certainly require a load of work, and you may have to program the extension yourself... Probably cheaper to buy a new Proxy.
Some of our customers had these problems and we told them to access our app via HTTPS and that cleared the issue since most proxy won't filter secured traffic.

Categories

Resources