I have a web application which uses Spring and Hibernate.
Sometimes I get the following message in browser when I try to access my web application:
Bad Request: Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
Same url works after, I clear all my cookies from browser. I ain't able to figure out what happens and why did i get this bad request ? I tried to search for concrete solution but couldn't find any.
Related
Is it possible for a webpage, like https://example.com perform an http request to localhost?
This is an uncommon situation. Let me explain:
My visitors have a local server running. They can access their server in a request to http://localhost:12039/wallet, which returns a json.
When the visitor opens my page (at example.com) could the JS in that page perform a request to their local server?
To make it even more complicated: the server don't add CORS header and the it also required an Basic Auth.
From postman, everything work as expected. But not from the browser (if not called from localhost)
I did some tests, but it's not working yet.
I'm not able to send the Authorization. When I run this code, there's a prompt from the browser, asking for username and password:
It's really hard to Google this terms. Most of the results are related to localhost calls for your own api during the development.
Ok, I have searched around the forums and googled for a solution but no one seems to have the exact same problem as me or at least no one has posted about it that I can find.
So the problem is I can make a request (using request module) on my personal computer to this API (to get data) but when I try make the same request on the companies work laptop WHILST being connected to the company network I am unable too make the same request (getting ECONNREFUSED error) despite the fact that I can navigate to the URL that I am trying to request on my companies work laptop whilst being connected to the company network using a browser.
However, if I disconnect from the companies network and connect to a hotspot/other WiFi I retrieve data using NodeJs request again.
The things I have tried. I have tried using built in HTTPS module and also passing in headers such as different port numbers (URL I am trying to request only works with port 443 it appears) and setting the User-Agent as well. I haven't tried request the data using my personal computer whilst connected to the companies network because I can not.
It seems to me that my company is detecting that I am requesting the data via a script and blocking it and not actually blocking the site itself. (so I cant even call and ask IT to white-list the site because it looks like it isn't being blocked anyways)
Any help will be appreciated. Thanks
You can try Ngrock https://ngrok.com/download
use ngrock http PORT
run you nodejs application and in another shell run ngrock, it will give you a unique public URL, which you can use for request data
I have a GAE application that uses a session to store something. There is an Android app that works with it, sending requests, the GAE uses the session when responding. Now I'm trying to make a JavaScript client that does the same thing as the Android does. It uses XMLHttpRequest to send Ajax requests (with CORS enabled) to the GAE app. The first request goes through fine, but the second one - where it needs to retrieve an object from thes ession - crashes with a NullPointerException when trying to read from the session.
These two requests were sent by the same page, one on load and one when a button is clicked by the user.
Anyone have any idea what's going wrong?
The problem was that as it was a cross-domain Ajax request the cookie with the session ID wasn't saved. To allow that to happen (in Chrome at least) the request needs to have withCredentials set to true. That means that on the server side no wildcard is allowed for Access-Control, and the Access-Control must be set to allow credentials.
https://developers.google.com/youtube/v3/guides/authentication
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
client_id=21302922996.apps.googleusercontent.com&
client_secret=XTHhXh1SlUNgvyWGwDk1EjXB&
refresh_token=1/6BMfW9j53gdGImsixUH6kU5RsR4zwI9lUVX-tqf8JXQ&
grant_type=refresh_token
The developer documentation lists a way to refresh an access_token on the back end. Is there a way to do this with the front end javascript calls?
If you're using the client-side web applications flow, which is appropriate if you're writing code in JavaScript that runs in the browser, then there's no way to get back a refresh token and periodically refresh it to get an access token. The accounts.google.com server doesn't support CORS, for one thing, so it's not possible to send the HTTP POST refresh request from your JavaScript.
What you can take advantage of is the approval_prompt=auto parameter behavior, which means that if a user has previously authorized access to your OAuth 2 client id for the same scopes, requesting a new access token can be done without any user intervention. So you can effectively get new access tokens indefinitely.
I'd highly recommend letting the Google APIs JavaScript client library handle this for you. In addition to the samples in the docs, you can take a look at this simple example which shows how you can handle the OAuth 2 flow in a way that only requires initial authorization.
I'm currently planning to develop a HTML5 app. The basic concept is the following:
A user should be able to create a profile with username and password. The Server should be implemented in Ruby on Rails providing a JSONP Api (for Cross-Domain issues).
So the App will send Ajax requests to the Server and get responses from it.
My idea was now to transmit a session_key (generated by server) on the first response back to the client. Then the client has to authenticate himself with this token.
But now i have some issues.
How can i secure the first call of the client (when he is transmitting user and password)?
How can i protect the Session-key from beeing spyed out?
I am a complety noob in security aspects. Therefore it would be great if i could get some hints where to look at.
Secure your connection with SSL. This should require no changes in your code apart from putting 's' after 'http' ;-).
I used add a checksum to the ajax parameters (calculated using the submitted data), and then to crypt the hole ajax request into one string.
Somthing like sRequest=459fdjnfdw4r908vn....
sRequests holds my data (sUser=user&sPass=pass&iCheck=34564).
Edit: My client code was not public, compiled to an app.