Whitelist http: content for Django application running SSL? - django

In my Django web application I have added SSL security. Now, in the Django application, I have integrated an external API which is running over http://.
This is the error I get after calling the external API.
[blocked] The page at 'https://mywebsite.com' was loaded over HTTPS, but ran insecure content from 'http://api.external.com/moto.json?': this content should also be loaded over HTTPS.
Can anyone help me out here on how I should whitelist the required external domains? I am running the application on an Apache server, so will this have to be done in the Apache settings or in Django?

Unfortunately this is something that is being done at the browser and is not something you can control from your application or your web server.
Here is the help article from Chrome that explains this behavior:
Websites that ask for sensitive information, such as usernames and passwords, often use secure connections to transmit content to and from the computer you're using. If you're visiting a site via a secure connection, Google Chrome will verify that the content on the webpage has been transmitted safely. If it detects certain types of content on the page coming from insecure channels, it can automatically prevent the content from loading and you'll see a shield icon appearing in the address bar. By blocking the content and possible security gaps, Chrome protects your information on the page from falling into the wrong hands.
The only way to stop this from happening is to access the API over HTTPS.
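To see which references on a page will trip the browser behaviour described above before users do, here is a small mixed-content scanner. It is an added example, not code from the question or the answer: it parses the HTML of a page that is served over HTTPS and reports every explicit http:// reference, distinguishing active content and script-initiated requests (which browsers block outright, as in the error in the question) from passive content and plain links. The sample page is constructed; the API URL in it is the one from the question.

```python
"""Mixed-content scanner: an added example, not code from the original post.

Given the HTML of a page served over HTTPS, report every reference that
would be fetched over plain http:// and therefore trigger the browser's
mixed-content handling. The sample HTML below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs the browser fetches as subresources.
# Active content runs or styles the page and is blocked when mixed.
ACTIVE_ATTRS = {("script", "src"), ("iframe", "src"), ("link", "href"),
                ("object", "data"), ("embed", "src")}
# Passive content is displayed only; browsers warn about or upgrade it.
PASSIVE_ATTRS = {("img", "src"), ("audio", "src"), ("video", "src"),
                 ("source", "src")}
# Links and form actions navigate away instead of embedding; reported
# because a POST to http:// would leave the HTTPS page.
NAVIGATIONAL_ATTRS = {("a", "href"), ("form", "action")}

# Plain http:// URL literals inside inline scripts (fetch/XHR targets).
SCRIPT_URL_RE = re.compile(r"http://[^\s'\"<>)]+")


class MixedContentParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, tag, attribute, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if not value:
                continue
            key = (tag, name)
            if key in ACTIVE_ATTRS:
                kind = "active"
            elif key in PASSIVE_ATTRS:
                kind = "passive"
            elif key in NAVIGATIONAL_ATTRS:
                kind = "navigational"
            else:
                continue
            url = value.strip()
            # A protocol-relative "//host/path" inherits https: and is fine;
            # only an explicit http: scheme is mixed content.
            if urlsplit(url).scheme.lower() == "http":
                self.findings.append((kind, tag, name, url))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script text: look for http:// literals used by fetch/XHR.
        if self._in_script:
            for url in SCRIPT_URL_RE.findall(data):
                self.findings.append(("script-initiated", "script", None, url))


def scan_mixed_content(html):
    """Return all http:// references found in an HTTPS page's HTML."""
    parser = MixedContentParser()
    parser.feed(html)
    parser.close()
    return parser.findings


def blocked_findings(findings):
    """Subset browsers block outright: active content and requests started
    from script (XMLHttpRequest/fetch), which is the case in the question."""
    return [f for f in findings if f[0] in ("active", "script-initiated")]


# Constructed sample page, as if served from https://mywebsite.com
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://mywebsite.com/static/site.css">
<script src="http://cdn.example/lib.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="//images.example/logo2.png">
<a href="http://docs.example/">docs</a>
<script>
fetch('http://api.external.com/moto.json?');
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, attr, url in scan_mixed_content(SAMPLE_HTML):
        print(f"{kind:16} <{tag} {attr or ''}> {url}")
```

The scanner only sees URL literals that appear in the HTML or inline scripts; an API base URL assembled at runtime in a separate JavaScript file has to be checked in that file. Either way, the finding is the same as the answer's conclusion: the fix is to reach the API over HTTPS, not a whitelist.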

Related

Port blocked creating web app on AWS

I'm trying to create a web app on AWS and I'm running into port issues. I would like to have multiple apps providing different services on different ports. I've created a website (on the same instance) to receive a text query and pass it to my app on port 3000. The app listening on 3000 is written in CherryPy.
We are using a VPN to provide security for the AWS instance. When logged into the VPN, everything works fine. The web page loads, the query returns the correct data. When I disconnect from the VPN, or someone else goes to the page, the page still loads, but queries to the service time out.
I've used netstat to make sure the service is listening, but I'm not sure what could be blocking traffic. I've worked through the CORS issues, as is evident from the fact that it works when I'm signed into the VPN.
What can I check now?
When I disconnect from the VPN, or someone else goes to the page, the page still loads, but queries to the service time out.
My assumption is that the web server and the app are on the same server.
It sounds very much like the connection from web server to app is happening via a routed IP address rather than localhost. In addition to being slower, it's also hitting your firewall rules.
Configure the web server to access your app on localhost:3000 and the issue should clear up.
I actually got it working. I have an AWS instance with nginx and CherryPy. When the user goes to a web address, the nginx page loads with a form for a query string. When they submit a string, the string is POSTed to a CherryPy service running on port 3000. The CherryPy service does some computations and returns a result via JSON.
I thought I had opened up everything completely for testing, but I was having so many issues. It turned out that having CherryPy set
"Access-Control-Allow-Origin" = "*"
wasn't working, instead I needed to specifically set the origin of the calling page.
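The poster's fix (echo the specific calling origin instead of "*") is the right shape for a CORS allowlist, and one common reason a wildcard fails is that browsers refuse Access-Control-Allow-Origin: * on requests that carry cookies or other credentials. Below is an added example of that allowlist logic, not the poster's CherryPy code: it is framework-independent and returns the headers to add for a given request Origin; the allowed origin is constructed. In CherryPy you would read the origin from cherrypy.request.headers and copy the result into cherrypy.response.headers.

```python
"""Origin-allowlist CORS helper: an added example, not the original poster's
CherryPy service. Takes the request's Origin header and returns the CORS
response headers to add; an origin not on the list gets none at all.
"""

# Constructed: the site that serves the form and POSTs the query string.
ALLOWED_ORIGINS = {
    "https://app.example.com",
}


def cors_headers(origin, method="POST", allowed=ALLOWED_ORIGINS,
                 credentials=True):
    """Return the CORS response headers for a request from `origin`.

    The comparison is an exact match on scheme + host + port, so
    "https://app.example.com.attacker.example" does not match: prefix or
    regex checks on the Origin header are a classic CORS mistake.
    Echoing the exact allowed origin (rather than "*") is required when the
    browser sends credentials, and names precisely which sites may read the
    response. "Vary: Origin" keeps caches from handing one origin's
    response to another.
    """
    if origin is None or origin not in allowed:
        return {}  # not a permitted cross-origin caller: no CORS headers
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
    }
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if method == "OPTIONS":
        # Preflight for a POST with a JSON body: say which methods and
        # request headers are accepted, and let the browser cache that.
        headers["Access-Control-Allow-Methods"] = "POST, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Content-Type"
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    for origin in ("https://app.example.com",
                   "https://app.example.com.attacker.example", None):
        print(origin, "->", cors_headers(origin))
    print("preflight ->", cors_headers("https://app.example.com",
                                       method="OPTIONS"))
```

Note that CORS only governs whether the browser lets the page read the response; it is not authentication. The separate point in the accepted answer still stands: if nginx and CherryPy are on the same instance, proxy to 127.0.0.1:3000 so the hop never leaves the host or touches the security-group rules.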

encrypting form data before submitting to server

I have developed a Django application and now want to make sure the POST data transmitted through the page is safe.
I have a couple of questions about this:
I see SSL certificates being displayed on many webpages. How do I get this certificate?
Do I need to change anything on my submitted form to encrypt the data or should I change any settings on my webserver?
I know it's a general question, but it would be great if someone could provide a good answer.
First off, the POST data transmitted through the page is never safe from an application perspective. You don't have control over the user of the website. SSL and HTTPS help prevent man-in-the-middle attacks, ensuring the request from the client (browser) to your server is encrypted. The underlying data that is sent can be malicious, so you should always validate inputs.
Secondly, if you want to use HTTPS and SSL, which I highly recommend, you'll need to obtain a certificate from one of the providers out there and install it with your web server, which I presume is Apache. Typically your domain provider can help you with obtaining an SSL certificate for your domain from one of the main certificate authorities. Regarding the installation and setup, there is tons of information about this online, as it's a common task. I'm not familiar enough with Apache configuration to provide any specific recommendations. You'll also want to have rewrite rules so that your site can only be accessed via HTTPS, and if someone tries to use HTTP, it simply redirects to HTTPS.
Lastly, you don't need to do anything in your Django application as your webserver should handle the basic interactions between your server and client to validate the HTTPS requests.

flash app accessing webservice; "security error accessing url". crossdomain in place

I have a Flash app on SSL Internet Domain1 and web services on non-SSL Intranet Domain2. Firewall port 80 is open between them. A Crossdomain file is in place on Domain2.
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
I think that is pretty wide open.
I can access web services on Domain2 directly from Domain1 no errors.
When flash app loads, Fiddler shows WSDL is loaded. An Init function calls the web service to load a combobox. I never see that call in Fiddler.
Everything works fine on my dev instance, which is all on Domain2.
I'm 98% sure that it's a crossdomain issue, but 2% is reserved for unknowns. I have looked at crossdomain posts on many forums for weeks (really! it's a side project) and tried many different changes. Nothing has made any difference.
Any suggestions are hugely appreciated.
Thanks!
<allow-access-from> and <allow-http-request-headers-from> have a not well known attribute, secure.
This attribute is there specifically to indicate whether we authorize secure connections from an insecure domain (i.e. https from http); and it's true by default (connection refused).
Try this crossdomain file; it may solve your issue.
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>
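Whatever turns out to block the call, the policy proposed in the answer is wider than the one in the question, and a policy that is "pretty wide open" is worth reviewing attribute by attribute before it is deployed. The auditor below is an added example, not code from the question or answer: it parses a cross-domain policy file with the standard library and lists each grant that widens access, with a severity. The two policies it is run on are the ones posted above.

```python
"""crossdomain.xml policy auditor: an added example, not code from the
original question or answer. Parses a Flash cross-domain policy and lists
the grants that widen access, so the cost of a wide-open file is visible.
"""
import xml.etree.ElementTree as ET
from collections import Counter


def audit_crossdomain(policy_xml):
    """Return a list of (severity, message) findings for a policy file."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not cross-domain-policy")]
    findings = []

    site_control = root.find("site-control")
    if (site_control is not None and
            site_control.get("permitted-cross-domain-policies") == "all"):
        findings.append(("medium", 'site-control "all": policy files anywhere '
                         'on the host are honoured, not only /crossdomain.xml'))

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("high", 'allow-access-from domain="*": a SWF on '
                             'any site may read responses from this host'))
        elif domain.startswith("*."):
            findings.append(("low", f'allow-access-from domain="{domain}": '
                             'every subdomain is trusted'))
        if el.get("to-ports") == "*":
            findings.append(("medium", f'allow-access-from domain="{domain}" '
                             'to-ports="*": every port is allowed (socket policies)'))
        # The attribute defaults to true; false extends the grant to SWFs
        # that were themselves loaded over plain HTTP.
        if el.get("secure", "true").lower() == "false":
            findings.append(("high", f'allow-access-from domain="{domain}" '
                             'secure="false": SWFs loaded over plain HTTP also get the grant'))

    for el in root.findall("allow-http-request-headers-from"):
        domain = el.get("domain", "")
        if domain == "*" and el.get("headers") == "*":
            findings.append(("high", 'allow-http-request-headers-from domain="*" '
                             'headers="*": any site may send arbitrary request headers'))
        if el.get("secure", "true").lower() == "false":
            findings.append(("high", f'allow-http-request-headers-from domain="{domain}" '
                             'secure="false": header grant extends to SWFs loaded over plain HTTP'))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    return dict(Counter(severity for severity, _ in findings))


# The policy from the question.
ORIGINAL_POLICY = """<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# The policy suggested in the answer.
PROPOSED_POLICY = """<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY),
                          ("proposed", PROPOSED_POLICY)):
        print(f"== {label}: {count_by_severity(audit_crossdomain(policy))}")
        for severity, message in audit_crossdomain(policy):
            print(f"  [{severity}] {message}")
```

For a service that only one Flash application legitimately calls, the smallest policy that works is an allow-access-from entry naming Domain1 explicitly, with no headers grant unless the SOAP calls need one; the auditor then reports nothing.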

AS3 flash can't make calls to http or https webservice on a facebook app

I have an iframe Facebook application with a problem I am not able to solve, because I can't understand the source of it.
On the iframe there is a Flash movie (in AS3) that makes https calls to a web service (it basically calls an https address and waits for an XML response).
It is fine in 90% of the cases, but some clients are not able to run any calls and I can't understand why.
They install the app, load the flash movie, but it seems there is something that stops the flash from calling the https address.
Can you think of any reason?
An antivirus? A strict security setup on the browser?
Thanks for the help!
Loading XML files in Flash over an SSL Connection in Internet Explorer fails if the Pragma:no-cache or Cache-control:no-cache HTTP headers are set on the XML file.
Here is a helpful blog post about this: http://www.blog.lessrain.com/flash-loading-and-browser-cache-test-suite/

Do I need to use SSL on a web page if the web service already uses it?

Would a web page need to use SSL in order to prevent eavesdropping if it makes all requests through the web service that already uses SSL?
I am leaning more towards yes, it would need to use SSL on the web page side as well, but I am not confident.
Can someone explain to me why the web page would need it or not?
If nothing else, the parent page should be loaded through SSL as well to prevent any "mixed content" warning messages. Even if the service calls in the background are done via SSL, the main page won't show the usual SSL indicators, making users think it's totally unsecured.