Our security team recently change the service to become HTTPS (from http).
We can hit the main svc page, but accessing methods gives a 403 error now.
We tested it using Postman - do we need to configure the request differently now that it is HTTPS?
thanks.
Related
I'm new to Azure and trying to set up my nextjs client app and my ASP.NET Core backend app. Everything seems to play well now, except for file uploads. It's working on localhost, but in production the backend returns a 404 web page (attached image) before reaching the actual API endpoint. I've also successfully tested to make a multipart/form-data POST request in Postman from my computer.
The way I implemented this is that I'm proxying the upload from the browser through an api route (client's server side) to the backend. I have to go via the client server side to append a Bearer token from a httpOnly cookie.
I've enabled CORS in Startup.cs:
app.UseCors(builder => { builder.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod(); });
The frontend and backend apps are running in individual services and I've tried to enable CORS in the Azure portal as well, but there I could only allow origins, not headers and methods? The error message doesn't indicate CORS problems, but I just wanted make sure..
As far as I can see the requests look good, with correct URLs and origins. I suspect I'm missing some config in azure, but I didn't get any further by following the hints in the error message.
Any suggestions to what may cause this? Or where I can start looking. I'm not quite sure where to look for log output for this issue.
I finally got this working. I figured the host header in the proxy http request was unchanged. I only changed the URL for the proxy request, but I solved it by setting the host manually as well. This also explains why it was working at localhost, since both the client and backend was running at the same host.
I have IIS 8.5 on a server and a simple http GET ASP.NET Web API service hosted there which returns JSON object. When I access this service from localhost or any other server in my network (using browser, Postman, code) the service works. But when I try to access the same url from one specific server (again using browser, Postman, code) I am getting http error code 403 and html response with text:
"Access Denied. You are attempting to access a forbidden site. Consult your system administrator for details.".
The service does not have any kind of authentication and it never returns error 403. Has anybody ever met such a strange behavior?
I tried deploying a Heroku web app with my Flask backend (not on Heroku, actually on GCP) and got the following message in my browser's dev console:
Mixed Content: The page at 'https://x.herokuapp.com/' was loaded over
HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://x:5000/endpoint'. This request has been blocked; the content
must be served over HTTPS.
I have little experience with serving and SSL, but the first temptation here would be to find a way to make Heroku okay with using http endpoints. And I'd love to avoid setting up SSL if possible.
What are my options from here?
Thanks!
In the end I realised that by applying my own http domain to the project (rather than using Heroku's domain), I am able to avoid the issue.
Then with http on the frontend, I was able to call http endpoints from my GCP server.
I have an HTML5/JS website on on domain, which uses an asp.mvc web service for CORS queries on another domain.
Everything works fine with HTTP -> HTTP however as we are now adding login and authentication mechanisms for user specific content we are wanting to enable HTTPS. However it just refuses to send the options request to the web service, just gives an "Aborted" status.
I am testing using Firefox and the web service is hosted on IIS7 with a self cert (generated with SelfSSL7).
Is there any known issues around this? I did check:
Cross domain request from HTTP to HTTPS aborts immediately
However it mentions the solution is to make sure the cert is trusted, and to my knowledge SelfSSL is doing this using the /T option when I call it. So is there anything else which needs to be changed to get this working?
You will unfortunately need to manually set this in firefox, although I believe you can override this behaviour if you manually set the profile configuration.
I have a https site say with url www.example.com. On this server, I've an application which is decoupled in front-end and back-end. The front-end is a gwt application and the back-end is a REST interface.
To call the rest interface, the front-end uses https, say with a url like https://www.example.com/api
however, when I'm trying to call the front-end using http://www.example.com, it is not making the call to rest interface when i'm using https://www.example.com, it is ok. Can someone explain the reason of this problem??
https://www.example.com and http://www.example.com are different URIs and nothing requires that a web server serve up the same content for both. Presumably your server isn't configured to do so.