I have a Google API account and would like to restrict its (ab)use by using the choice offered by Google to restrict access to certain referrers.
Today I have set a restriction on
localhost
*.mywebsite.com/*
And all works smoothly.
But I am wondering: there is anyway a secret key, and nobody without this secret key can access our Google Data API quota.
But as Google writes on the Security page: "Restrictions prevent unauthorized use and quota theft."
So I guess it's an extra layer of security: if someone were to steal/find our secret key, then he would still be blocked by this second layer of security, as only authorized websites can access our quota.
But then my question is: nobody can make requests coming from .mywebsite.com/ as we own this domain, but what about localhost? I mean we need it (a lot!) to make our requests when developing locally, but I guess anybody who would steal/find our secret key could add 'localhost' too and make requests from his localhost server, thus putting our quota to zero.
So the whole point of the URL referrer to avoid abuse for people having the key is "defeated" if you add localhost...
Am I missing something here? Should we remove localhost as a URL referrer restriction, as a bad security practice?
I have two domains
Example :
a.com and b.com
I try to implement SSO Cross-domain authentication for these two websites
I refer to this link reference How youtube gets logged in to gmail account without getting redirected? to implement like Gmail and YouTube
I have doubts about the following:
How to send tokens from one domain to another domain using an iframe
How to pass tokens in a secure way
If I use an intermediate domain, how to prevent that domain call for accessing cookies value; I want to set the cookies in the second domain
Please help me to implement this. I searched, but sample code is not available in ASP.NET.
have you tried this method?
Using Reverse Proxy
As #David suggested, use a reverse proxy like Nginx or HAProxy to serve both the applications from the same domain - protocol://host:port. All three things should be equal.
Using cookies instead of LocalStorage
If you use cookies instead of LocalStorage, then host ports do not participate in determining site policy. So two applications running on the same host but on different ports will share cookies without any extra work. To protect the cookie, use an HTTP-only, same-site cookie.
Using URL to share - IFrame only
If you are using iFrame, then you can use URL to share the token. When the outer window is loading the iFrame, send this information via hash like http://localhost:8081/somepage#token=1234
Using hash will allow the page to send data to an inner page without being sent over the wire.
Using window.postMessage - IFrame only
Using window.postMessage, you can simply pass the required data to the inner window/iFrame. As long as you control both the endpoints, you can easily do cross-domain message sending.
In the end, it really depends on your security requirements, ease-of-maintenance, etc.
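The window.postMessage option above, sketched with the checks both ends need. This is an added example, not part of the original answer; the domains a.com and b.com come from the question, while the message type `sso-token`, the token format and the function names are assumptions.

```javascript
// Receiver runs in the b.com iframe and only trusts the a.com parent.
const TRUSTED_ORIGINS = new Set(["https://a.com"]);

// Returns the token if the message is acceptable, otherwise null.
function extractToken(event, trustedOrigins = TRUSTED_ORIGINS) {
  // 1. event.origin is filled in by the browser, not by the sender.
  //    Compare it exactly; substring or endsWith checks accept look-alikes.
  if (typeof event.origin !== "string" || !trustedOrigins.has(event.origin)) {
    return null;
  }
  // 2. Accept only the expected message shape (hypothetical "sso-token" type).
  const data = event.data;
  if (data === null || typeof data !== "object" || data.type !== "sso-token") {
    return null;
  }
  // 3. Treat the token as opaque text, but bound its length and alphabet.
  if (typeof data.token !== "string" ||
      !/^[A-Za-z0-9._-]{16,2048}$/.test(data.token)) {
    return null;
  }
  return data.token;
}

// Sender runs in the a.com parent page. Always name the target origin,
// never "*", so the token is not delivered if the frame has navigated away.
function sendToken(frameWindow, token, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing wildcard targetOrigin");
  }
  frameWindow.postMessage({ type: "sso-token", token }, targetOrigin);
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const token = extractToken(event);
    if (token !== null) {
      // Hand the token to the application's session code here.
    }
  });
}
```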
The best way to do this is using OAuth; https://oauth.net/ provides a comprehensive definition of it.
There are many open-source implementations of OAuth consumer and server available.
The concept is that a third URL will authenticate and maintain the primary session and pass tokens via URL on redirect. The consumers can utilize tokens to request the server for details directly.
The overall benefit is that you will get implementations via open-source communities in a language of your choice, and you will be able to utilise third-party logins. There are other standards you can look into as well, such as SAML, OpenID and LDAP, and products like Shibboleth, CAS and Azure AD.
How to prevent someone just taking my API keys from the client side javascript code and starting to use my HERE subscription for some other use.
I noticed HERE provides an option to secure the API keys for a certain domain on the applications management page: "Secure app credentials against a specific domain". I have set up this option and also put the domain there, but I do not see any change in my app's behavior.
The application still continues working fine on my PC. Shouldn't the HERE API stop working, as the web server is running on localhost and not on the defined domain?
My app is running fully on browser, and only static files come from the server (http://localhost:8083/index.html). I am using the HERE javascript API.
I also tested running the app on an external cloud service on a different domain than localhost. Results are the same. My conclusion is that the setting "Secure app credentials against a specific domain" just has no impact and does not work. I also checked the API response headers and all origins are accepted.
Access-Control-Allow-Origin: *
In your HERE dashboard, you can set the application id and application code to only work on a particular domain or set of domains. If the tokens are fixed to a domain, it won't matter if someone takes your tokens because only the listed domains can use them. If you don't secure the tokens to a domain, then someone will be able to use your tokens if they find them.
How do browsers share credentials belonging to one domain with other? As I asked in question, if I log into one service, I'm automatically logged into other service? What authentication scheme is this and how are credentials shared?
The answer is that they use OAuth or something like it. You can read about it at https://en.wikipedia.org/wiki/OAuth or just google for OAuth. Only one site receives your username and password. The others are granted permissions by that site.
By using APIs.
For example: when you go to YouTube and you want to log in, YouTube uses Google's APIs to check if there is an account that matches your details.
And in the case of logging in automatically, it works the same way, but then with a session or cookie, I think.
They use cookies to save your (encrypted) information.
Cookies stored on your browser are readable by any website*, so in theory any website that knows how Google's authentication scheme works is able to "log you in" on a Google account.
Also, in theory, any person who "steals" your cookies and uses them on their computer would be able to log in as you. However, there are certainly security measures taken into consideration by Google before allowing you to authenticate using only a cookie (using IP and other request information to make sure that cookie belongs to you, etc.).
As a proof of concept, if you delete all cookies on your browser created by google.com you will find out that you are logged out of Google's websites. And when you log back in, the cookies will be recreated.
Errata:
*Cookies can be read by websites under the same domain.
"Authentication requests to Firebase Simple Login are only permitted from domains you specify." and the two default domains are "localhost" and "127.0.0.1".
Let's say that my server's IP is "267.156.423.22". How do I set up my security rules so that the two first domains can read specific data, but only the server can write it?
For example, if a client purchases a product, this fact and associated data needs to be noted on the client's account in the Firebase. For obvious security reasons this information must be 'writeable' by the server only.
The authorized domains configuration for Firebase Simple Login applies solely to OAuth-based authentication providers (Facebook, Twitter, and GitHub), and restricts requests to those origins in the browser.
That means if you're using one of those OAuth-based authentication providers, you'd want to enter any origins which your end users will use to access the page (i.e. if your user accesses the page via subdomain.example.com, that'd be the origin to enter).
Keep in mind that Firebase Simple Login is built on top of that standard, one-size-fits-all custom login / token generation in Firebase. It is an abstraction layer intended to make it easy to generate Firebase Auth. Tokens, a secure way of sharing data between you and Firebase.
Once a token has been generated (via Simple or Custom login), you can begin using that token's payload in your security rules (via the auth variable). If you'd want your server to bypass security rules, simply generate a token with the admin privilege, or your Firebase secret. See https://www.firebase.com/docs/security/security-rules.html for more details.
I was recently looking around at some of the features my current web host offers, and am now wondering about a few things. Even if you can only answer part of this, I appreciate any help you can provide.
I have a domain, mydomain.com, and the host offers shared SSL so I can use HTTPS by using this address https://mydomain.myhost.com. The SSL certificate is good for *.myhost.com.
I don't know a lot about SSL, but I'm assuming this means that the data between site users and ANY domain on myhost.com is encrypted. So was curious if this meant that if someone else on the same host as me somehow intercepted the data from my site would they be able to view it, since they would also have a https://theirdomain.myhost.com address, which uses the same SSL certificate? I may have no idea at all, and this was pretty much a guess.
If HTTPS is used on a login page, but after logging in the other pages are viewed over HTTP, is this a security issue?
Is there any way to show a web form via HTTP for bots like Google, but have real users redirected to the HTTPS version? Would be ideal if this could be done via .htaccess. I currently have some rewrite rules that redirect certain pages to HTTPS, but the rest as HTTP. So if a visitor visits the contact form they get the HTTPS version automatically, but it automatically switches back to HTTP for pages that don't contain forms. So, via htaccess, is there a way to direct real users to the HTTPS version, but have bots directed to the HTTP version? I would like these pages to still be indexed by the search engines, but would like users to see it via HTTPS.
Thanks in advance for any help you can provide.
I'm going to guess you'll be okay for number one. If your host does it correctly, individual subdomains never get to see the SSL keys. Here's how it would work:
Some guy with a browser sends an encrypted request to your subdomain server.
Your host's master server receives the request and decrypts it.
The master server sends the decrypted request to your subdomain server.
And any HTTPS responses you send back go through that process in reverse. It should be easy to check if they've set things up that way: If you can set up shared SSL without personally handling any key files, you're good. If you actually get your hands on some key files... not good.
For two: If you encrypt the login, you protect the passwords, which is good. But if you switch back to HTTP afterwards, you open yourself up to other attacks. See: Firesheep. There may be others.
And for three. Yes - definitely doable. Check out mod_rewrite. Can't give you an example, as I've never used this particular case, but I can point you to this page - particularly the section entitled "Browser Dependent Content."
Hope that helps!
All traffic is encrypted when you use https:// as the protocol. (Except for some uncommon circumstances I won't talk about here.) An SSL certificate's purpose is to prove the identity of the server, by combining its public key with an identity. This certificate is only usable with the private key that belongs to the public one. In your case it seems that this certificate as well as the key-pair is provided by your hosting provider. I guess that neither you nor the other customers on the host have access to this private key. That means that only your provider is able to decrypt the traffic. Since that's always the case (he's running the server, so has access to every data), that should be no problem.
In most cases it is a security issue. On every further unencrypted http-request the client has to provide some information of the session to the server. These can be intercepted and used by an attacker. (simply speaking)
The bots should support https, why not redirect them? Anyhow: The important part is not to provide the page containing the form via https. To protect your user's data you should take care that the response is transferred via https.
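The answers above warn that session information sent on later plain-HTTP requests can be intercepted, and an earlier answer recommends HTTP-only, same-site cookies. The following added example (not from any of the posts) audits a Set-Cookie header for those attributes; the function names, finding texts and sample headers are constructed for illustration.

```javascript
// Split a Set-Cookie header into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = String(header).split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) {
    return { name: "", attrs: {} };
  }
  const [nameValue, ...rest] = parts;
  const eq = nameValue.indexOf("=");
  const cookie = { name: eq === -1 ? nameValue : nameValue.slice(0, eq), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf("=");
    // Attribute names are case-insensitive; flags such as Secure have no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Return a list of findings for a cookie that carries a login session.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) {
    // Without Secure the browser also attaches the cookie to http:// requests.
    findings.push("missing Secure: cookie is sent over plain HTTP");
  }
  if (!attrs.httponly) {
    findings.push("missing HttpOnly: cookie is readable from page scripts");
  }
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") {
    // SameSite=None is valid for deliberate cross-site use, so review it by hand.
    findings.push("SameSite is not Lax or Strict");
  }
  return findings;
}
```

A cookie marked Secure is not sent to the HTTP pages at all, so a site that sets it has to serve every logged-in page over HTTPS.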