In a static web app (nothing except html, css and javascript),
I'm searching for a method to protect a file (e.g. json) from being accessed.
That file should only be accessible by authenticated and approved users. (I don't know yet how authentication will be handled.)
I can hide the view of the content in the application with userapp.io e.g., but I can't prevent someone to read it if he wanted to.
Would this be possible?
I thought of putting the protected file on www.firebase.com, but I could not find any practical example.
I also found solutions with .htaccess, but I need to avoid server dependent solutions.
P.S.: Not asking for code here ;-), just advice to point me in the right direction will do.
Thanks in advance!
You can limit access through the web server (.htaccess), server-side code, or a third party solution. If you want to keep your app static and want to avoid modifying .htaccess, then your best bet is to find a third party file host that offers authentication. Would something like Box work for you?
If you're interested in putting your website on something like Weebly, then you can password protect certain pages.
Related
I was wondering if I could use PHP to do SSO between two different sub-domains. (ex: parappawithfries.com and *.parappawithfries.com). My config is not like it should be, because I use cloudflare to point my subs to a different 000webhost website. I know I should just use infinityfree, but I don't get https:// and subdomains. Lots of issues, but it it could be fixed, that'd be great. ANYWAY, I was wondering if I could do something like this in HTML.
<script src="https://parappawithfries.com/user.js"></script>
and in user.js (in the NON sub-domain) needs to set a cookie with the user's PHPSESSID copied over by JS by basically printing it as a variable. Can I do that with JS, AJAX, jQuery, or any way possible without using anything other than PHP, HTML, JS, AJAX, or jQuery?
Ok, ok lemme edit im sorry.
parappawithfries.com points to parappawithfries.000webhostapp.com.
It's subdomains don't point to a folder in parappawithfries.000webhostapp.com. it points to a DIFFERENT 000webhost site. Not a folder in parappawithfries.000webhostapp.com.
Oh yeah, btw, here is an example: https://imgur.com/a/giBwTwp
I need to edit... AGAIN (this is getting tiring)
I switched hosting from 000webhost to infinityfree and I got subdomains working. Time to see if it will work now...
In PHP if you setcookie() with a $domain parameter (e.g. parappawithfries.com), that cookie can be accessed by that domain and any subdomains.
https://secure.php.net/manual/en/function.setcookie.php
From there, you can make sure all your sites are set up to used a singular Memcached server, and they should all be able to share the same session(s).
Have a look at the below link for some details on setting this up.
https://www.digitalocean.com/community/tutorials/how-to-share-php-sessions-on-multiple-memcached-servers-on-ubuntu-14-04
Cookies cannot be shared across different domains; however, you could make use of another domain that would have the cookies and the authentication could take place there.
I am still new to Angular apps and wonder about some security concerns and would appreciate some tips on how to handle this.
Lets say I access my Amazon S3 Server from my Angular Application. That for I need to write somewhere my bucketname, accesskey and secret key... but since it is all visible to the user everybody can see the secret key which does not make him anymore secret of course.
I can also not use something like a SALT etc. to create user passwords for the same reason. All is visible in the end and even with minify and uglify anybody can reverse it as well.
What is the best approach to do things like this? So far I can only think of one thing and this is to not use javascript or angular at all in this cases and for example only access my S3 bucket via PHP. But this cant be the only way I hope?
For Firebase it looks the same problematic since everybody can see all infos right away and can connect basically to my DB and than add for example information he want to. Of course I can setup rules and make certain things obligated but this can be also sniffed out easy inside my code at the end which seems all pretty unsafe if I compare this to a php/mysql backend.
You can use the Cordova SecureStorage plugin to store access and/or session tokens:
https://github.com/Crypho/cordova-plugin-secure-storage
Since the Android implementation of this secure storage uses the KeyStore, the users must have a secure screen-lock set (like fingerprint, pattern or PIN). The plugin provides functions to check this, so you will be able to give a warning (or block login) if this is not the case. Without a locked screen there is no way to save your keys in a secure way on Android.
I know this is not the right "use" of Javascript. But my company wants to give access to a Javascript file to only particular client (for example clients who subscribe to a special plan). For exemple, if we provide a script to a client and 5 users can access to it, how can i authorize the access to only 5 users and not more?
Because if we don't restrain the access, the client can take the script and give it to anyone (and we will loose a lot of money, because we are selling our knowledge, and our knowledge is this script)
For now the only way to secure our code is by using NodeJS, so the client can't see the script because he only see the generated html page. But we can have the case which the whole server is hosted by the client. So anyone can access to the script, and we want to prevent this case.
So, is there any way to setup a server licence-like for a web application?
(I already know about JS minimizer, and obfuscator, but this is not the kind of things I m looking for)
Thanks in advance
JavaScript is a client side script language, that means it's hard to protect your knowledge.
Even if you minimize or obfuscate your script, people can send it to others and it'll still work.
Inspired by video protecting, I have an idea to protect your knowledge.
You can insert a log script that send logs with your custom's id. If your custom share the script to others, you can know it.
Another way is to insert a fragment of useless code, which can track the custom id, like:
var userId = zo1vjiw73;
Then if you see some other website are using your code, you can easily know who shared the script.
i'm experimenting by mounting a website hosted on my Dropbox Public folder. Files can my accesed and I used my domain name to redirect to de index.html public url.
I can run javascript, bootstrap, jquery and that stuff but not php (for obvious security reasons of dropbox).
I would like to save data from the website. We all know that JScript is not allowed to write files or anything outsite the browser or the webpage itself.
I've been searching for a webapp/service that provides me a database or something like that let me save data from javascript. Somethingthat get connected to my host and gives me an API to the service or something like that.
Anyone heard about something like this? Or any other way I can get data saved? (serializing a JS object to a file would be just enought to me)
From experience,
If you stick with trying to host something on Dropbox or anything that was not purpose meant for that, you will continually run into problems like this.
In the end spending (wasting) more time, energy and money on workarounds, rather than having fun in a real hosted environment (cloud based is more fun than DB!)
Do yourself a favor and move to a hosting platform, and spend that energy more wisely in creating a website or product (maybe that will make you money even)
There are plenty of free hosting platforms to get your started.
A quick serach on Google:
http://appfog.com/
https://pagodabox.com/
I need to figure out the best way to determine if someone is the actual owner of a website. I don't just mean the domain although in a lot of cases that might be the case.
My first inclination was to have them put a special comment in their HTML that my program can scrape. e.g.:
<!-- #webcode:1234 -->
One possible problem with that approach is someone in theory could add it in the comments on their page or some other way to add content. Although I'm not sure anything I have them do couldn't be gotten that way.
My other idea was since I was planning on also offering a JavaScript widget was to just scrape that although I didn't want to necessarily force them to add the widget.
<script type="text/javascript" src="http://yoursite.com/widget/widget/A4923D2342JF"></script>
What other mechanisms could be employed to determine ownership/control of a website?
Here are the options that Google uses for Domain verification:
Create a CNAME or TXT record in your
domain's DNS settings. These methods
require accessing DNS settings for
your domain at your domain host's
website. Which method you can choose
(CNAME or TXT record) depends on
what's offered in your Google Apps
control panel. We're currently
rolling out the TXT record method but
still ask many customers to create a
CNAME record, instead.
Upload an HTML file to your domain's
web server This method requires being
able to upload files to your domain's
web server. Try doing this if you
don't have access to your domain's
DNS settings.
Add a tag to your home page
This method is available only for
some customers (it's another new
method we're rolling out). It
requires accessing your domain's web
server but not uploading to it. Try
doing this if you have write access
to files on the server but can't
upload new files.
CNAME/TXT or uploading an HTML file to the root of the domain is the most secure, since it requires full control of the domain. If you want to be a bit more lax you could use a Meta tag in the head node, which would prevent someone from adding a comment to a page. All depends on how secure you want to be.
Do what Google does for their Webmaster Tools. Generate a unique key, and have them put it in a meta tag in the head of their front page. It's pretty unlikely that a user who does not own the site will be able to change the contents within the <head></head> tags. If they can, the site is vulnerable to almost any kind of vandalism, and is hopeless.
You could have them add your original idea but only accept the comment in, say, the <header> tag of the website. This way you could avoid having them past the comment into a 'comments' section like you originally suggested.
In fact, I subscribed to a service that did just that: include the special comment in the header section of your page.
Make part of the requirement be that comment be inside of the <head> tag. Typically, even user generated content wouldn't make it's way into the head.
Also, your concern about the comment hack are probably unnecessary. Any comment system worth it's weight knows to escape comments so that the comment is not displayed as actual HTML markup.
Have them put a file with a hard to guess name on the server?
such as http://www.example.com/5gdbadcab234g3.txt
The only true way is to be able to access their fileserver. Anything transferred through HTTP can be reproduced.
If you don't have access to their server, then the best way would be to have an encrypted string embedded on the page (or in an image or some binary file on that page).
The string should be comprised of the URI, author, and timestamp. That way, even if someone does copy this string to their website, you would still be able to determine the author and the page. An added bonus is you'll be able to determine if there was a theft.
Granted, this is only as good as the algorithm that encrypts the page/author combination; hackers that are good at decrypting could get around this. Additionally, a dishonest author could create his own key for his page, thus you'd need to host the encryption so that no one could tinker with the timestamp. Also, this requires that all authors places the code on their page.
I know you mentioned that it isn't necessarily domain dependent but that would help. You could hash the domain (as they are unique) and send the person that string to put somewhere on their site either .txt or in the header as others have mentioned.
Then you store all their domains and their hashes in a database and your scraper would check that the domain it is scraping matches the hashed comment string, if it checks out then its fine.