I am trying to build an error reporting service for my web page. The idea is simple. If an error pops up in a client browser while visiting, I want an error handler to send me notofication about it. My page is static, so I want to avoid adding server side components for that. Can I use ajax request for example and use a gmail account to send the mail to me? I guess ajax does not do cross domain? Maybe there is some other option?
EDIT
My primary language is Java.
What about Google App engine? I can host an app there that can send email. Not sure how I can interact with that app though?
Other idea - if I must use server side component, maybe the best option is to find ready web application (I have java application server running on my host) that sends mail and deploy it. Then I can contact the mail sender with Ajax.
The best way to do this is the following:
You need to set up a web service that accepts the error information.
The web service will generate the email content and send to gmail.
The client (via ajax) will consume this web service and post the error information.
This way your credentials are secure on your server. If you indicate the development language, we may be able to help with a bit more details.
Bob
If you were to be using GMail then you would:
Be using a server side component (GMail's scripts!)
Have to expose your GMail credentials to every visitor (bad!)
Do cross domain Ajax with a third party service (which requires a pretty recent browser and the cooperation of the third party).
You need your own server side handler for this.
You can, ... theoretically. You do not want to, because you would have to send the authentication information for your e-mail account to the client.
Related
I've been tasked with creating an LDAP authentication on a front-end Javascript application.
I am extremely limited on time and have a very small toolset. The toolset is the front-end javascript application and an available C# application which I can make post and get requests to.
I was thinking I could simply make a call such as https://mybackend.com/authenticate
Where I would post a username and password.
And on the backend this would return whether or not the user was valid in the AD. Which I can then use on the front-end to ensure the user has logged in.
Is this approach extremely unsecure or does it have flaws? I'm thinking that if I am posting to the backend above not much will be exposed.
Any tips would be immensely helpful.
Is this approach extremely unsecure or does it have flaws?
This is not insecure, it's the normal way you would do it. One could add more security by adding a CSRF token, which would be validated on the server for any form submit.
And yes, you should send all the data over HTTPS, this will encrypt the payload.
What you are doing is normal for front-end JavaScript framework like Angular. As long as you use Https, you should be ok.
Only issue is how you will handle the subsequence page requests.
There are two ways to handle it –
Easiest way is to use ASP.Net MVC as login page, and use Cookie Owin Middleware. Since same cookie is sent back to server on API calls, you do not need to do any extra works. You can download my sample code at GitHub - OwinAuthenticationService.
Another way is to use Bearer Token in which you will have to send the same token back to server on every page request.
All method are insecure.
Especially without HTTPS.
But you can put the Authentications in the header of message and use a token generated with a key that only server know.
I have a PHP app that renders HTML pages for a social media application that I'm creating. Then, JavaScript initializes and makes things interactive. The PHP side of things logs into a separate webservice with curl.
Now, I can't figure out a way to share the session started in PHP with JavaScript, so when I make a AJAX request in JavaScript to the data server, its authenticated.
Is there a way to share a PHP session with JavaScript? Or to share authentication initially created with PHP with JavaScript?
I would say it sounds like there is something wrong with your architecture. In my opinion, the web server itself, should be the only peer providing data to the client/browser. It's a two party conversation only.
When trying to hit a third-party server from the browser, you violate the browsers Same-Origin Policy, unless you specifically allow CORS by explicitly setting various request and response headers. - and you would only do so in very special situations.
The best solution might be to create proxy services at the web server, that can be hit directly (locally) by the browser. The web server can then (acting as controller) forward the data-request to the data server (model) and finally return the response to the browser (view).
You can read out the session cookie set by PHP (SID I guess) through JavaScript containing the session ID.
When you make a query, use
http://example.com/?sid=SessionID
I am developing a RESTfull web services. This web services will serve as a Web API to the outside world to get some data from our system. So, it will be consumed by other external clients: Mobile Apps, JavaScript clients, etc. For security, it will require Basic HTTP Authentication: user name and password sent as clear text over HTTPS.
So, I want to put together a proof of concept JavaScript application to demonstrate how one would use this API. But I don't want to hard-code user name/password in JavaScript code, since it can be viewed in page HTML source. In fact I don't want JavaScript to be involved in Authentication at all. So, I was thinking having another web page for server to server authentication. So that client's server sends credential to WEB Appi server, then Web API server issues a token valid for one session only, after that Client server uses this token in JavaScript.
Is this the right approach? If not, what's the "best" solutions for this scenario? I am sure this was done before. Any articles, or code samples will be much appreciated. Thank you
I am developping a mobile HTML/CSS/JS app with a contact form.
For now I use a "mailto" to send the message, but it is not efficient because the user is sent to his email app before sending.
How can I send the message directly from the app ?
thanks
Write an application that runs on the server of you website.
If you don't want any server side code then you either need to use any third party Javascript application. (API)
or you can try this also :
Email
1) For third party API you can try this also (Never tried it but looks good enough)
www.mycontactform.com
2) Mail Chimp (as Robert suggested)
You will not be able to do this purely from javascript. You will need a server side component to connect to an SMTP server in order to be able to send your email.
Even if you were able to somehow develop an SMTP client for javascript, the security risks involved would much outweigh the advantages. All your users will need to do to send email as you, is to go through your javascript code and get your SMTP credentials.
You can't do it by client side language. Use server side language like php to do that.
<?php
mail(to,subject,message,headers,parameters);
?>
Copied from w3school
I'm currently planning to develop a HTML5 app. The basic concept is the following:
A user should be able to create a profile with username and password. The Server should be implemented in Ruby on Rails providing a JSONP Api (for Cross-Domain issues).
So the App will send Ajax requests to the Server and get responses from it.
My idea was now to transmit a session_key (generated by server) on the first response back to the client. Then the client has to authenticate himself with this token.
But now i have some issues.
How can i secure the first call of the client (when he is transmitting user and password)?
How can i protect the Session-key from beeing spyed out?
I am a complety noob in security aspects. Therefore it would be great if i could get some hints where to look at.
Secure your connection with SSL. This should require no changes in your code apart from putting 's' after 'http' ;-).
I used add a checksum to the ajax parameters (calculated using the submitted data), and then to crypt the hole ajax request into one string.
Somthing like sRequest=459fdjnfdw4r908vn....
sRequests holds my data (sUser=user&sPass=pass&iCheck=34564).
Edit: My client code was not public, compiled to an app.