When developing a single page web app (SPA), the development server typically runs on a URL such as http://localhost:3000, and frequently they make calls to APIs.
I work on an SPI that contacts a cookie-setting API (so that the browser can access secure content on CloudFront). The cookies end up being having the scope of some domain, say mycompany.com. Next, the SPA instructs the browser to fetch the secure content from, say cdn.mycompany.com and it dutifully includes the cookies, everything works. Except not in Safari! Because Safari blocks third party cookies (mycompany.com is treated as third-party from localhost:3000).
In Chrome and Firefox, developing locally works fine.
I know that when deployed, these cookies will not be third-party cookies because the SPA will be hosted at some-app.mycompany.com. In fact, I set up a self-signed certificate, edited my DNS routing and ran everything locally to prove this out.
My question: Can I switch off third-party cookie protection in Safari? just during development?
I don't expect my users to switch off the third-party cookie protection in Safari. This is just for dev: it avoids the need to set up self-signed certificates, modify local DNS, all the hassle of running https locally.
I've searched the web and looked in Safari preferences. "Block all cookies" isn't what I'm looking for, and "Manage Website Data..." is just for deleting cookies/cached data for specific sites.
Related
I'm currently working on a React project. The development server (Bottle/Python) for the project is hosted remotely, and my React dev-server is localhost. Part of the authentication process for the application involves setting a cookie on login, but because of same-site and secure rules that cookie is not being set, meaning that my dev frontend can't access any of the data that it needs.
Myself and the server engineer have added SameSite=None to the cookie as well as secure, but because my localhost is not https the cookie is still not being stored properly (I get the error message "this Set-Cookie" was blocked because it had the "Secure" attribute but was not received over a secure connection").
There are no issues when the app is deployed because everything is on the same domain, but for now we're stuck - we've been trying to solve the issue for several hours but can't seem to get it.
My question is - what is the best development practice if you need to access a non-local development server, but can't actually just have your own version of the server running on your local machine?
Do I:
Need to make my localhost https somehow?
Need to make the dev-server domain https?
Need to install the server locally because there's just no way to do this?
Apologies if this is a noob question, it would be great to have some advice.
Many thanks.
The short answer is:
No
Yes
No
You can run your app on http://localhost:port. Assuming response from your dev server has in response headers Set-Cookie of the cookie which has Secure flag, your dev server URL has to be https in order to have the cookie accepted by the browser.
I have this setup and it works just well.
Regarding CORS (as mentioned in the title of the question): you have to have you server configured to accept credentials and to have allowed origins configured. The client app when doing XHR request has to have withCredentials:true. Check the points 2 and 3 in my post for details.
Also note, that if you are using Chrome you can bypass for development purposes the requirement to have SameSite=None and Secure by disabling the flag "Cookies without SameSite must be secure", also detailed here
We're trying to set up a load balancer with HAProxy which will serve multiple backend web applications. The use case is something like this:
User browses to foo.com/app1
HAProxy sees that the cookie doesn't contain session information, and redirects to an authentication gateway (a single-sign-on page of sorts)
The auth gateway provides a form, where if the user successfully logs in, the gateway redirects back to HAProxy, with a COOKIE storing the session details
HAProxy now sees that valid session information is present and redirects to app1-internal.foo.com (the actual web application) with the same COOKIE - which is used further by the web application.
Our doubt is in the 3rd step. We would like to encrypt the cookie which the authentication gateway adds (via AES or similar). The problem is, that at the HAProxy end we can't seem to figure out how to decrypt it, since HAProxy doesn't seem to support decrypting headers (or even running an external C/C++ program that can decrypt it). So our questions are:
Can we decrypt AES encrypted headers at HAProxy itself (note that this is not an SSL connection) ?
Is HAProxy not really designed for this use case - is there a better tool for this purpose that you can suggest for us?
Many thanks in advance!
In my Djanog web application I have added SSL security. Now In the django application I have integrated an external API which is running over http://.
This is the error i get after calling the external API.
[blocked] The page at 'https://mywebsite.com' was loaded over HTTPS, but ran insecure content from 'http://api.external.com/moto.json?': this content should also be loaded over HTTPS.
Can anyone help me out here on how should i whitelist the required external domains. And I am running the application on Apache server. So will this have to be done in Apache settings or Django.
Unfortunately this is something that is being done at the browser as is not something you can control from your application or your web server.
Here is the help article from Chome that explains this behavior:
Websites that ask for sensitive information, such as usernames and
passwords, often use secure connections to transmit content to and
from the computer you're using. If you're visiting a site via a secure
connection, Google Chrome will verify that the content on the webpage
has been transmitted safely. If it detects certain types of content on
the page coming from insecure channels, it can automatically prevent
the content from loading and you'll see a shield icon Insecure content
shield icon appearing in the address bar. By blocking the content and
possible security gaps, Chrome protects your information on the page
from falling into the wrong hands.
The only way to stop this from happening is to access the API over HTTPS.
I have been assigned the task of not using SSL over the entire site. There is nothing on the site that's confidential, but the powers-that-be are required to have some sort of protection due to PCI compliance. As a compromise, I brought up using authentication over HTTPS (SSL) and allowing the rest of the site to run over HTTP.
Would it be possible to authenticate over HTTPS (SSL), via a web service like SOAP, then return to the browser over HTTP?
I have seen implementations that use SSO with CAS and Active Directory that are sessionless, which permit authentication via HTTPS and leave everything else in HTTP. I want to accomplish the same thing (auth via SSL only), but without SSO and Active Directory. I'm running Windows Server 2008 R2, Tomcat 5.5, and IIS 7.5.
Thank you very much for any help.
I have implemented secured login and signup in my website.It working.Now I want to test it.I am not sure how to test whether it is correctly secured.
If you want to test whether it breaks when used with SSL, you could easily test drive it by downloading and installing OpenSSL, follow this tutorial to create a self-signed certificate with OpenSSL, install your newly created certificate on your web server (Apache, if you are using LAMP or XAMPP) and finally restart your web server. Now you have SSL ready to be used, try to use your login form via https:// and see what happens. If a web browser like Firefox complains about your certificate, tell it to create an exception.
That is how you can test it over SSL, but as for the "whether it is correctly secured", things get harder. Make sure you have at least taken care of:
Session fixation
Cross-site scripting
Secure password storage (hashing)
SQL injections
Protecting against brute forcing with throttling or using CAPTCHAs
This depends what the website is made of, for instance if it's using Apache or if it's an home-grown server.
Verify the site is only accessible via HTTPS (if this is what is wanted)
Test an access via HTTP - verify behavior is as expected (could be redirection to HTTPS, error page or warning message ...)
Try to access the site without going thru the login page (i.e. forging URL)
Open a session, try to access it from another client without logging in.
Test for "obvious" passwords (test/test, admin/admin)
Verify you cannot login without empty username/password
Verify one cannot access the private key of the system
Verify one cannot access all files of the system (eg http://website.address/../../../../etc/passwd)
...
You can also use a website security test suite, see this list by insecure.org, there are commercial products and free/open source tools.
IMHO, you should not try to test SSL, as this is a third-party tool.