I have an HTML5/JS website on on domain, which uses an asp.mvc web service for CORS queries on another domain.
Everything works fine with HTTP -> HTTP however as we are now adding login and authentication mechanisms for user specific content we are wanting to enable HTTPS. However it just refuses to send the options request to the web service, just gives an "Aborted" status.
I am testing using Firefox and the web service is hosted on IIS7 with a self cert (generated with SelfSSL7).
Is there any known issues around this? I did check:
Cross domain request from HTTP to HTTPS aborts immediately
However it mentions the solution is to make sure the cert is trusted, and to my knowledge SelfSSL is doing this using the /T option when I call it. So is there anything else which needs to be changed to get this working?
You will unfortunately need to manually set this in firefox, although I believe you can override this behaviour if you manually set the profile configuration.
Related
I'm new to Azure and trying to set up my nextjs client app and my ASP.NET Core backend app. Everything seems to play well now, except for file uploads. It's working on localhost, but in production the backend returns a 404 web page (attached image) before reaching the actual API endpoint. I've also successfully tested to make a multipart/form-data POST request in Postman from my computer.
The way I implemented this is that I'm proxying the upload from the browser through an api route (client's server side) to the backend. I have to go via the client server side to append a Bearer token from a httpOnly cookie.
I've enabled CORS in Startup.cs:
app.UseCors(builder => { builder.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod(); });
The frontend and backend apps are running in individual services and I've tried to enable CORS in the Azure portal as well, but there I could only allow origins, not headers and methods? The error message doesn't indicate CORS problems, but I just wanted make sure..
As far as I can see the requests look good, with correct URLs and origins. I suspect I'm missing some config in azure, but I didn't get any further by following the hints in the error message.
Any suggestions to what may cause this? Or where I can start looking. I'm not quite sure where to look for log output for this issue.
I finally got this working. I figured the host header in the proxy http request was unchanged. I only changed the URL for the proxy request, but I solved it by setting the host manually as well. This also explains why it was working at localhost, since both the client and backend was running at the same host.
I have been using Windows Azure to host some of our internal utility projects using Web App. When I create a new web app say "MyTestApp", the default URL created in portal will be:
"http://MyTestApp.azurewebsites.net"
Refer Image
However, when I click this URL, it will not open in browser. To fix it, I have to manually append "s" in the protocol to make it
"https://MyTestApp.azurewebsites.net".
I understand that by default, Azure secures the *.azurewebsites.net wildcard domain with a single SSL certificate, so the clients can access the app at
"https://appname.azurewebsites.net"
But I wondering why the portal display the non SSL URL (http). Is there a reason for that?
Update:
I tested it with Firefox too (based on suggestion in comments) and tried both hitting URL as well as Browse button. Since the URL is http, on new tab, it just say "waiting for MyTestApp..." and then "waiting for login.microsoft.com...".
However, when I click this URL, it will not open the WebApp in browser.
If we click the URL and the [Overview] table is fully loaded, then it will work correctly . We also can browse the website via click the [Browse] option.
why the portal display the non-SSL URL (http)?
This may be the topic about advantage and disadvantage of Http VS Https. Generally, one of the primary blockers for HTTPS adoption is the fact that the HTTPS protocol is slow. Here’s a very informative ServerFault thread showing just how big of a slowdown.HTTPS encrypts traffic between us and a server. It is more security than HTTP. And Azure also allow HTTPS access to our WebApp and support to enforce HTTPS on our WebApp.
How to prevent someone just taking my API keys from the client side javascript code and starting to use my HERE subscription for some other use.
I noticed HERE provide an option to secure the API keys for a certain domain on the applications management page: "Secure app credentials against a specific domain". I have set up this option and also put domain there but I do not see any change on my app behavior.
The application still continue working fine on my PC. Shouldn't the HERE API stop working as web server is running on localhost and not on the defined domain.
My app is running fully on browser, and only static files come from the server (http://localhost:8083/index.html). I am using the HERE javascript API.
I tested also running the app on external cloud service on different domain than localhost. Results are the same. My conclusion is that the setting "Secure app credentials against a specific domain" just has no impact and does not work. Checked also the api response headers and all origins are accepted.
Access-Control-Allow-Origin: *
In your HERE dashboard, you can set the application id and application code to only work on a particular domain or set of domains. If the tokens are fixed to a domain, it won't matter if someone takes your tokens because only the listed domains can use them. If you don't secure the tokens to a domain, then someone will be able to use your tokens if they find them.
I have some JS that is on some intranet application that's running on HTTP (this server/service is out of my control, run by the customer). I operate the internet application and it must run on HTTPS for security purposes.
I'm attempting to use XDomain but I'm finding that the cookies aren't being sent. Is the problem that I'm going intranet to internet or that I'm going HTTP to HTTPS or some configuration problem?
I keep getting 401 when checking authentication of the user even after they have logged in.
I've verified the backend/internet service works as expected via a jsfiddle (i.e. Access-Control-Allow-Origin, etc. are all correct).
Thanks!
There are some security related issues with XDomain that makes it strip any cookies according to no 5 in this msdn blog. However there also exist a workaround using proxy with example project on Github. I think everything you need to make it work are described in those two pages.
I have a web api application that I am considering moving to HTTPS. The reason is really just for the initial login where I would like to hide the username and password.
Once logged in do all other calls from the pages also need to be HTTPS? For example do my calls to CSS and scripts need to travel over HTTPS? How about WebAPI calls?
When referencing HTTP content from HTTPS pages, some user agents will issue warnings about "mixed content" or "insecure content" to the user, others may block the content (older versions of IE do that). GitHub solved this issue using ngnix as reverse proxy, so it serves the static content as HTTPS.
If you are only worried about the authentication, and it is cookie based, you can do the authentication in HTTPS and then get back to HTTP. The cookie will be shared as long it is not marked as Secure. Remember that both the GET request acquiring the login FORM and the POST call sending the login form should be HTTPS to be secure.
You can use the page in HTTP and do the AJAX calls in HTTPS: Ajax using https on an http page. Again, this may be useless if the auth form is not secure as well.
If your static content is hosted in a CDN, probably the CDN is able of proxying the requests to your site and return HTTPS content if required.
Static content served as HTTP won't be cached for when you request the same content through HTTPS, neither viceversa, so it will basically downloaded twice.
Also relevant, please check these 7 myths about HTTPS, specially myth #1. If you are worried about security, maybe switch completely to HTTPS is the best decision.