This might be a bit of a noob question, but anyway ... I am developing an app using Flask and Virtualenv. As I understand, the server running at http://127.0.0.1:5000/ is not externally visible by default. I am assuming that this means that any information sent to the server (even though it is by an unencrypted http connection) is therefore secure. I can't seem to find much through Google that addresses this, so I just wanted to try to confirm that it is the case that all information sent to the localhost server is secure.
Many thanks.
If your localhost is secure, i.e. not compromised, and your local network configuration does not allow requests to your localhost's port 5000, then I'd reckon it's pretty secure.
I'm currently working on a React project. The development server (Bottle/Python) for the project is hosted remotely, and my React dev-server is localhost. Part of the authentication process for the application involves setting a cookie on login, but because of same-site and secure rules that cookie is not being set, meaning that my dev frontend can't access any of the data that it needs.
The server engineer and I have added SameSite=None to the cookie as well as Secure, but because my localhost is not https the cookie is still not being stored properly (I get the error message "This Set-Cookie was blocked because it had the 'Secure' attribute but was not received over a secure connection").
There are no issues when the app is deployed because everything is on the same domain, but for now we're stuck - we've been trying to solve the issue for several hours but can't seem to get it.
My question is - what is the best development practice if you need to access a non-local development server, but can't actually just have your own version of the server running on your local machine?
Do I:
Need to make my localhost https somehow?
Need to make the dev-server domain https?
Need to install the server locally because there's just no way to do this?
Apologies if this is a noob question, it would be great to have some advice.
Many thanks.
The short answer is:
No
Yes
No
You can run your app on http://localhost:port. Assuming the response from your dev server carries a Set-Cookie header for a cookie with the Secure flag, your dev server URL has to be https for the browser to accept the cookie.
I have this setup and it works just fine.
Regarding CORS (as mentioned in the title of the question): you have to have your server configured to accept credentials and to have allowed origins configured. The client app, when doing an XHR request, has to set withCredentials: true. Check points 2 and 3 in my post for details.
Also note that if you are using Chrome you can, for development purposes, bypass the requirement to have SameSite=None and Secure by disabling the flag "Cookies without SameSite must be secure", also detailed here.
I'm using a local server for django dev and ngrok tunnel for webhooks. I've seen other localtunnel services like serveo. Can these services see your source code? Are they forwarding your local files to the ngrok server or just handling requests on a public domain and then securely fetching from your local server?
I've read about how ngrok creates a proxy and handles requests, but I still don't understand what exactly tunneling involves.
It depends.
They certainly don't copy your django code and run it on their own server and they're not going to maliciously grab files off of your machine.
They just read from a network socket, but they do vary as to how encrypted they are or aren't.
Telebit
Telebit always uses end-to-end encryption via SSL, TLS, HTTPS, or Secure Web Socket (WSS)
TLS certs happen on the clients, not the relay
Works with SSH, OpenVPN, etc - but requires a ProxyCommand / secure client
(i.e. sclient, stunnel, or openssh s_client)
Can work with other, normally-unencrypted, TCP protocols (requires a secure client)
There is a poorly documented and deprecated feature for raw TCP, which can be seen, if used.
Serveo
Serveo uses SSH port forwarding, which encrypts between the local server and the relay, but not between the relay and the remote client
the origin traffic may be encrypted or unencrypted
ngrok
ngrok used to decrypt on their server, with an option to specify SSL certs manually; they may have switched to full encryption since
A deeper dive
If you want to know more about their workings, you may (or may not) find this other answer I wrote informative and digestible: https://stackoverflow.com/a/52614266/151312
I found Vortex is a good fit.
Just download and run:
https://www.vtxhub.com/
I'm trying to connect to a domain that seems to have Akamai tech.
I can't connect, and neither does curl, but the browser does.
So I assume the IP address is not blocked.
Reading up - it seems that Akamai runs some algorithms and doesn't allow connections sometimes.
But since a web browser works (from same pc) - I assume it can be made to work.
Any tip?
Your question is quite vague. The Akamai WAF will not allow curl unless you have white-listed your IP address. A browser connection is just a TCP connection on port 80 or 443. Which HTTP method did you try to access, and is that method allowed? By default I believe only GET and POST are allowed.
I have a web application hosted on an external server. I would like to create a communication between my home server and the web application.
I thought something like that:
my home server sends its IP to the web application
the web application sends data to the home server
my home server sends back some data
I want to implement a P2P communication between the WebApp and the home server
it would be better if the communication is encrypted
I don't want to use dynamic DNS
Is there something to implement that?
There are several types of IP. It can be "grey" and "white". "Grey" means that your computer can't be accessed through it. "White" IPs can be accessed directly. Also there are dynamic IPs that change over time. It all depends on the provider. It's possible that you have a "white dynamic" IP, but it's pretty rare for providers to do. It's easier to connect to a server because it always has a "white" permanent IP.
TCP/IP already does most of the work. You just create a TCP connection and it stays. You just think about sending data.
My suggestion for you is to create something like this:
Home server connects to WebApp
Home server requests some data and WebApp sends back data
Home server sends a request containing data and the server responds that all is OK
So you have client-server model. And client always does only requests and server does only responses. And they do not switch. It's easier to maintain.
There is a common technology for doing that, and it includes encryption too.
You should use the HTTPS protocol. HTTPS will do all the encryption (and safely exchange keys too); you just worry about certificates (there are ways not to buy a certificate but sign one yourself. It's a whole other topic).
So you will send HTTPS requests from your home server PC (client) and get responses from the server (WebApp).
As you write in Python, you would find this answer helpful:
HTTPS request in Python
I'm trying to create a web app on AWS and I'm running into port issues. I would like to have multiple apps providing different services on different ports. I've created a website (on the same instance) to receive a text query and pass it to my app on port 3000. The app listening on 3000 is written in CherryPy.
We are using a VPN to provide security for the AWS instance. When logged into the VPN, everything works fine. The web page loads, the query returns the correct data. When I disconnect from the VPN, or someone else goes to the page, the page still loads, but queries to the service time out.
I've used netstat to make sure the service is listening but I'm not sure what could be blocking traffic. I've worked through the CORS issues as evident by the fact it works when I'm signed into the VPN.
What can I check now?
When I disconnect from the VPN, or someone else goes to the page, the page still loads, but queries to the service time out.
My assumption is that the web server and the app are on the same server.
It sounds very much like the connection from web server to app is happening via a routed IP address rather than localhost. In addition to being slower, it's also hitting your firewall rules.
Configure the web server to access your app on localhost:3000 and the issue should clear up.
I actually got it working. I have an AWS instance with nginx and CherryPy. When the user goes to a web address, the nginx page loads with a form for a query string. When they submit a string, the string is POSTed to a CherryPy service running on port 3000. The CherryPy service does some computations and returns a result via JSON.
I thought I had opened up everything completely for testing, but I was having so many issues. It turned out that having CherryPy set
"Access-Control-Allow-Origin" = "*"
wasn't working, instead I needed to specifically set the origin of the calling page.
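An added example (not code from any of the posts above, nor from Flask or CherryPy) that ties together the two rules the cookie/CORS answer and the CherryPy answer ran into: a Secure cookie is only stored when the response arrived over https, and a credentialed cross-origin request needs Access-Control-Allow-Credentials: true plus the exact origin echoed back, never "*". ALLOWED_ORIGINS, the sample origins and the cookie value are constructed for illustration.

```python
# Added example, not code from any post above: builds the headers a dev server
# needs for a credentialed cross-origin request and models the two browser rules
# the posts hit (Secure cookie dropped over http; ACAO "*" rejected with credentials).
# ALLOWED_ORIGINS and the sample values are constructed for illustration.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"http://localhost:3000", "https://app.example.test"}  # assumed


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """CORS headers for a credentialed request, or {} if the origin is not allowed.
    The exact Origin is echoed back (no wildcard); Vary keeps caches per-origin."""
    if request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def set_cookie_header(name, value, secure=True, samesite="None"):
    """Build a Set-Cookie value; SameSite=None is only valid together with Secure."""
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", "Path=/", "HttpOnly", f"SameSite={samesite}"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def browser_accepts_cookie(set_cookie, response_url):
    """The check behind the quoted error: a Secure cookie is stored only if the
    response that carried it arrived over https (the dev-server URL's scheme)."""
    attrs = {p.strip().lower() for p in set_cookie.split(";")[1:]}
    return not ("secure" in attrs and urlsplit(response_url).scheme != "https")


def browser_accepts_cors(headers, with_credentials):
    """The rule that broke the CherryPy setup: with credentials the browser
    needs Allow-Credentials: true and an exact origin, never "*"."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        return acao != "*" and headers.get("Access-Control-Allow-Credentials") == "true"
    return True
```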