How to enable URL MASKING changing HTTP HEADERS - django

I have a Django application (version 4.0.3) and I want to URL MASK some specific URLs using newly purchased domains (in this case GoDaddy).
So what I want to do is:
www.originaldomain.com/url1 being masked with www.newdomain.com.
But when I redirect with mask in domain www.newdomain.com some HEADERS do not allow it (I know because GoDaddy tech support told me "something is blocking it").
If I do a normal redirect (301 or 302) it works, but not with URL Masking.
I tried removing X-Frame-Options: Deny using a Django decorator on the view but I am still not able to make it work.
Current response headers
HTTP/1.1 200 OK
Date: Fri, 22 Jul 2022 06:47:40 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Cookie, Accept-Language
Content-Language: es
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Set-Cookie: csrftoken=UJp7VSdbT7BnFmc9wKnFZeKSKWjtGbLcEaLEqrZ0MAj8NhU69MDjZQIgWj5LhnWw; expires=Fri, 21 Jul 2023 06:47:40 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Set-Cookie: sessionid=bjtb3e42z9h9wd5tixsw3xpj23kiao1u; expires=Fri, 05 Aug 2022 06:47:40 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
X-Clacks-Overhead: GNU Terry Pratchett
Content-Encoding: gzip
Server: PythonAnywhere
An explanation of how to find what is blocking it would also be very appreciated (like using

Related

Django, Nextjs | set-cookie is not set in the browser even though the value is set

I am creating a JWT authentication with Django and Nextjs.
I can implement the signup and login functionality, I can get the accessToken by logging in.
However, the response header is Set-Cookie is set in the browser (Chrome, Safari, Firefox) even though there is a cookie.
What are the possible causes?
https://github.com/Git-Port/django-next
response header
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost:3000
Allow: POST, OPTIONS
Content-Length: 715
Content-Type: application/json
Cross-Origin-Opener-Policy: same-origin
Date: Tue, 11 Jan 2022 04:34:59 GMT
Referrer-Policy: same-origin
Server: Werkzeug/2.0.2 Python/3.9.7
Set-Cookie: jwt-auth=〇〇; expires=Tue, 11 Jan 2022 05:34:59 GMT; HttpOnly; Max-Age=3600; Path=/; SameSite=None; Secure
Set-Cookie: csrftoken=〇〇; expires=Tue, 10 Jan 2023 04:34:59 GMT; Max-Age=31449600; Path=/; SameSite=None; Secure
Set-Cookie: sessionid=〇〇; expires=Tue, 25 Jan 2022 04:34:59 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=None; Secure
Vary: Accept, Cookie, Origin
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Environment
Django==4.0.1
Nextjs
Server Domain
https://127.0.0.1:8000
Front Domain
https://localhost:3000
settings.py | Django
CORS_ALLOW_ALL_ORIGINS = False
CORS_ALLOW_CREDENTIALS = True
CORS_ALLOWED_ORIGINS = [
    'http://127.0.0.1:3000',
    'http://localhost:3000',
    'https://127.0.0.1:3000',
    'https://localhost:3000',
]
index.js | Next
const login = async (data) => {
  const res = await axios.post("https://127.0.0.1:8000/api/auth/login/", data, {withCredentials: true})
};

.htaccess block wp-json

I have one normal WordPress website on which I am trying to block requests to wp-json. I am aware that such requests go via the WordPress core. My request looks like this:
[root#SV-CentOS-01 ~]# curl -i https://www.website.com/wp-json/wp/v2/users/1
When I add RewriteRule ^wp-json.*$ - [L,R=404] at the top of my .htaccess I get a 404 server response and the API returns the users of my website. Is there actually a way to achieve what I want via .htaccess, or do we need to do it the WordPress way?
Example:
[root#SV-CentOS-01 ~]# curl -i https://www.website.com/wp-json/wp/v2/users/1
HTTP/1.1 404 Not Found
Date: Mon, 20 Sep 2021 14:14:13 GMT
Server: Apache
Vary: Accept-Encoding,Cookie,Origin
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Robots-Tag: noindex
Link: <https://www.website.com/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Allow: GET
Set-Cookie: PHPSESSID=5c07eaa455457ca0ef4b358d016c3b8d; path=/
Upgrade: h2,h2c
Connection: Upgrade
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8
{"id":1,"name":"User One","url":"","description":"","link":"https:\/\/www.website.com\/author\/admin\/","slug":"admin","meta":[],"_links":{"self":[{"href":"https:\/\/www.website.com\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/www.website.com\/wp-json\/wp\/v2\/users"}]}}[root#SV-CentOS-01 ~]#

csrftoken in django rest framework - sending through HTTPIE

I'm trying to login through the http form, from DRF:
> https://my.site.io/api-auth/login/
Using httpie, I generate a session.json to get the CSRFToken:
$ http --session=why -h https://my.site.io/api-auth/login/
Referrer-Policy: same-origin
Server: nginx/1.18.0
Set-Cookie: csrftoken=dT2UuBjp7Xei2iqzmD9A9lNNaTZO8ZHHPh098I8mV27v56E0jePTPgQ0KC3LDmpE; expires=Thu, 02 Dec 2021 15:32:49 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Vary: Cookie
X-Content-Type-Options: nosniff
I use the csrftoken from cookies and:
http --session=why -h POST https://my.site.io/api-auth/login/ username=user password=pass X-CSRFToken:dT2UuBjp7Xei2iqzmD9A9lNNaTZO8ZHHPh098I8mV27v56E0jePTPgQ0KC3LDmpE -p Hh
This is the output (with both request and response headers):
POST /api-auth/login/ HTTP/1.1
Accept: application/json, */*;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 49
Content-Type: application/json
Cookie: csrftoken=dT2UuBjp7Xei2iqzmD9A9lNNaTZO8ZHHPh098I8mV27v56E0jePTPgQ0KC3LDmpE
Host: my.site.io
User-Agent: HTTPie/2.3.0
csrfmiddlewaretoken: dT2UuBjp7Xei2iqzmD9A9lNNaTZO8ZHHPh098I8mV27v56E0jePTPgQ0KC3LDmpE
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 3366
Content-Type: text/html
Date: Thu, 03 Dec 2020 15:33:37 GMT
Referrer-Policy: same-origin
Server: nginx/1.18.0
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
I tried to use X-CSRFToken instead of csrfmiddlewaretoken
I can perform the login through a browser; if a browser is working, I don't see how it can be a problem with the Django Rest Framework configuration. Maybe I'm doing something wrong with httpie.
What can it be?
Thanks in advance.

Django: Strange HTTP Status codes for non-existing URLS

I have a Django website with activated translations (django.middleware.locale.LocaleMiddleware).
If someone requests a non-existing page:
https://example.com/nonexisting
Django then responds with:
HTTP/1.1 302 FOUND
Date: Fri, 02 Sep 2016 09:15:45 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: Cookie,Host
Location: https://example.com/de/nonexisting
Content-Type: text/html; charset=utf-8
HTTP/1.1 301 MOVED PERMANENTLY
Date: Fri, 02 Sep 2016 09:15:45 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: Cookie,Host
X-Frame-Options: SAMEORIGIN
Content-Language: de
Set-Cookie: django_language=de; expires=Sat, 02-Sep-2017 09:15:45 GMT; Max-Age=31536000; Path=/
Location: https://example.com/de/nonexisting/
Content-Type: text/html; charset=utf-8
HTTP/1.1 404 NOT FOUND
Date: Fri, 02 Sep 2016 09:15:45 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: Cookie,Host
X-Frame-Options: SAMEORIGIN
Content-Language: de
Set-Cookie: django_language=de; expires=Sat, 02-Sep-2017 09:15:45 GMT; Max-Age=31536000; Path=/
Content-Type: text/html; charset=utf-8
The user receives in this order:
302,301,404
How can I achieve that the user directly gets the 404?

Custom user-agent with urllib2, python 2.7

I have the following code to add a custom user-agent to my urllib2
self.url_target = (self.EntryText.get()) #it gets the url from a tkinter entry widget
self.request = urllib2.Request(self.url_target)
self.request.addheaders = [('User-agent', 'Mozilla/5.0')]
self.req = urllib2.urlopen(self.request)
Now a silly question. I would like to check if the user-agent is correctly passed. How do I do this? By calling self.req.read() or self.req.info() I can't see the browser user agent.
For example, here below is what I see from google.com. How can I check if the user-agent passed is python2.7 or my custom user agent?
Date: Wed, 27 Aug 2014 11:50:41 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=59cfdae71ba9d583:FF=0:TM=1409140241:LM=1409140241:S=22PjpHkFs493PNKQ; expires=Fri, 26-Aug-2016 11:50:41 GMT; path=/; domain=.google.it
Set-Cookie: NID=67=gOPu9-bAzk01ceW2ukTfpixWIIEl2TRUHKwfDAh5AU6ee-GTXoxBMAHbK6keLCXA5oG_R-9KhPVQ6wMScI28qf-dxqBPOLi66maz_QbBkXtkTpsUcVu-Yohg5-T8w8xz; expires=Thu, 26-Feb-2015 11:50:41 GMT; path=/; domain=.google.it; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
Connection: close
Thank you
Call this url - http://httpbin.org/headers
The source code will have your user agent. :-)
You can embed this in your code as you want.
However, for now all I want to show here in the code below is that this URL will let you know your user agent:
import urllib2
# Ask httpbin to echo back the request headers it received
stuff = urllib2.urlopen("http://httpbin.org/headers").read()
print stuff
{
"headers": {
"Accept-Encoding": "identity",
"Connection": "close",
"Host": "httpbin.org",
"User-Agent": "Python-urllib/2.7",
"X-Request-Id": "43jhc13b-3dj4-4eb5-8780-ad7cfs4790cd"
}
}
Hope that answers your question
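
Added example, not part of the original answer: the same header-echo check run against a loopback server instead of httpbin.org, written for Python 3 where urllib.request replaces urllib2. It compares the question's `addheaders` assignment on a Request with `Request.add_header()`; the class and function names are chosen for this example.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoHeaders(BaseHTTPRequestHandler):
    """Local stand-in for httpbin.org/headers: echoes request headers as JSON."""
    def do_GET(self):
        body = json.dumps({"headers": dict(self.headers)}).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def as_in_question(url):
    req = urllib.request.Request(url)
    # Plain attribute assignment: Request never reads "addheaders" (OpenerDirector does).
    req.addheaders = [("User-agent", "Mozilla/5.0")]
    return req


def with_add_header(url):
    req = urllib.request.Request(url)
    req.add_header("User-Agent", "Mozilla/5.0")  # stored on the request itself
    return req


def sent_user_agent(build_request):
    """Return the User-Agent a loopback server actually received."""
    with HTTPServer(("127.0.0.1", 0), EchoHeaders) as server:  # port 0 = any free port
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            url = "http://127.0.0.1:%d/headers" % server.server_port
            opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass env proxies
            with opener.open(build_request(url), timeout=5) as resp:
                headers = json.loads(resp.read())["headers"]
            return {k.lower(): v for k, v in headers.items()}["user-agent"]
        finally:
            server.shutdown()


if __name__ == "__main__":
    print("addheaders attribute:", sent_user_agent(as_in_question))
    print("add_header():        ", sent_user_agent(with_add_header))
```

The first call reports the library default (`Python-urllib/<version>`), the second reports `Mozilla/5.0`.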