Save referrer header at 301 redirect from http to http

I have an https site on nginx.
If an http request is sent to this domain, it redirects to the https version, except for one URL, which sends a 301 redirect to another http domain.
My goal is to have the browser's Referer header field set when it redirects through the 301 redirect to another domain from the http part of my site.
I know that security rules drop the Referer header when the browser goes from https to http. But from http to http it must work fine, mustn't it?
If I just go from one http page to another http page through a hyperlink, it keeps the referrer in the same browsers that I used to test the 301 redirect.

To add a referrer from https to http:
<meta name="referrer" content="origin">
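The behaviour the question and this answer turn on, modelled as an added Python example (not code from the question or any answer): a browser applies its referrer policy against the target of every hop, and the Referer of a redirected request is derived from the page that started the navigation, never from the redirecting URL, so a navigation that began with no referrer arrives at the 301 target with none. The site.example and other.example URLs are constructed for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def _strip(url, origin_only):
    """Referrer Policy's 'strip url for use as a referrer': drop credentials and
    fragment; with origin_only, keep just scheme://host[:port]/."""
    p = urlsplit(url)
    netloc = (p.hostname or "") + (f":{p.port}" if p.port else "")
    if origin_only:
        return urlunsplit((p.scheme, netloc, "/", "", ""))
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))

def determine_referrer(referrer, target, policy):
    """Referer value a browser sends with a request to `target`, or None to omit it.
    `referrer` is the URL of the page that initiated the request (None if the
    user typed the address), `policy` a Referrer-Policy keyword."""
    if referrer is None or policy == "no-referrer":
        return None
    s, d = urlsplit(referrer), urlsplit(target)
    same_origin = (s.scheme, s.hostname, s.port) == (d.scheme, d.hostname, d.port)
    downgrade = s.scheme == "https" and d.scheme == "http"  # the https->http case
    rules = {  # policy -> (omit the header?, send only the origin?)
        "no-referrer-when-downgrade": (downgrade, False),  # legacy browser default
        "strict-origin-when-cross-origin": (downgrade, not same_origin),  # current default
        "origin": (False, True),  # what the <meta name="referrer"> answer selects
        "strict-origin": (downgrade, True),
        "origin-when-cross-origin": (False, not same_origin),
        "same-origin": (not same_origin, False),
        "unsafe-url": (False, False),
    }
    if policy not in rules:
        raise ValueError(f"unknown referrer policy: {policy}")
    omit, origin_only = rules[policy]
    return None if omit else _strip(referrer, origin_only)

def browser_requests(referrer, policy, url, redirect_locations):
    """(request URL, Referer) for a navigation to `url` answered by a chain of
    301 redirects to `redirect_locations`. The policy is applied at every hop to
    the referrer of the original navigation; a redirecting URL never becomes the
    Referer of the request that follows it."""
    hops = []
    for target in [url, *redirect_locations]:
        referrer = determine_referrer(referrer, target, policy)
        hops.append((target, referrer))
    return hops

if __name__ == "__main__":
    # Constructed sample: a link on http://site.example/page to /go, which 301s away.
    for ref in ("http://site.example/page", "https://site.example/page", None):
        print(ref, browser_requests(ref, "no-referrer-when-downgrade",
                                    "http://site.example/go", ["http://other.example/land"]))
```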

Try checking the situation in Postman and reading the headers, if that works fine for you (HTTP referrers).

Related

Axios redirect 308 not working (CORS error)

We are implementing short URLs to redirect on our project.
I do an API request to my server using axios, with the info on the short url.
The server responds with a redirect status 308 successfully.
I see in the response headers that the location parameter (to redirect to) is correct.
And we have also set Access-Control-Allow-Origin: *
But the redirect does not follow through...
After receiving the 308, the browser attempts a preflight OPTIONS request to the redirect URL, followed by a GET request to the redirect URL.
Both of these return an error.
The preflight request error: CORS Missing Allow Origin. And the GET request gives the error: NS_ERROR_DOM_BAD_URI
Not sure what the issue is. Is it on the front-end, or on the server-side?
Any advice would be greatly appreciated!

Redirect nginx to another domain with authorization header

I need to redirect a request from nginx to another domain. Below is a working solution for redirecting the request, but it doesn't redirect the Authorization header from the original request. Is it possible to redirect to another domain with all request headers from the original request?
location /test {
    return 301 https://test.com$request_uri;
}
Instead of using the return directive, which will issue a redirect to the client browser, you can use the proxy_pass directive, which will proxy the original client request to the remote server with the request headers intact.

Firebase HTTP to HTTPS NGINX redirect for custom domains dropping POST method for GET

Firebase fails to redirect any HTTP POST requests to HTTPS POST. Ex:
POST / HTTP/1.1
Host: apis.mydomain.com
is redirected by Firebase NGINX to
GET / HTTP/1.1
Host: apis.mydomain.com
If you are explicit about https, then NGINX works properly: POST -> POST
So, when the request hits Firebase hosting, and redirects your request to a firebase function that can be accessed by an https endpoint, the method has the possibility of collapsing into a GET from a POST method.
Looking closer at the headers, inside the Firebase Cloud Function, the protocol always expresses as http, instead of https.
I'm assuming this is an internal issue that I cannot modify, however, this is an issue for what I am doing, and this definitely is a problem given I cannot modify the NGINX that is handling my http(s) requests.
If you redirect with a 301 or 302 status code, the POST is downgraded to GET.
You need to use a 307 status to maintain POST across the redirect. See this document for details.
On Nginx, you will need to use a return statement. For example:
return 307 https://$host$request_uri;

Fiddler requests vs browser requests, identical but different answer from the server

I'm playing a bit with HTTP requests with Fiddler.
Basically the site is my router interface, which asks for a password.
The password is then encrypted (with a function I have, a branded MD5 of some kind) and passed to the server in the body of the POST request.
Here is what I've done:
With Fiddler I sniffed the browser GET request (got a 302 redirection).
With Fiddler I sniffed the server response.
With Fiddler I sniffed the browser POST request (after typing the password).
The browser successfully logged in.
Then:
With Fiddler Composer I performed a GET request equal to the one sniffed (got a 302 redirection).
With Fiddler I sniffed the server response (each time the site provides the client a different Set-Cookie value, which is used in the branded MD5 function against anti-XSRF attacks).
With Fiddler Composer I reproduced the sniffed POST request with a different body content due to the new Set-Cookie value.
The body of the POST request is indeed correct because it is calculated by the very same function used by the browser.
What came to my mind now:
I'm using the wrong Set-Cookie value --> not possible, since if I try to guess the body content of a browser request with the available parameters, the guess turns out to be correct.
The redirection performed by Fiddler is done without the Set-Cookie or with a different one --> I saw I can decide not to follow a redirect; is there a way to decide what to pass in the header during a redirection? I'll test more directly on the redirected URL.
Regards,
"The redirection performed by Fiddler is done without the Set-Cookie"
Correct. Fiddler's Composer does not have a cookie jar. If a call returns a cookie via Set-Cookie on a redirect, that cookie is not added to a Cookie header when the redirected request is sent.

Can HTTP 301 response contain custom HTTP header or cookie values?

I found that 301 redirect response in my web service written in PHP doesn't carry custom http headers and custom cookie values if the visit is the very first visit. What I am not sure is whether this is how 301 redirect is supposed to work or whether this is just a matter of how to write my PHP code?
If this is unclear, please clarify and I will make the question clearer. My question is on how http protocol is supposed to behave in this case.
It is possible to add custom HTTP headers to a 301 Redirect response (HTTP 301 Moved Permanently).
For an example of this, visit http://www.hotmail.com which is now redirected to http://www.outlook.com and carries some custom HTTP headers on its 301 redirect response.
ANY response can contain cookies and custom headers. There is nothing in the HTTP spec to prevent that.
