Secure browsing is not supported in my app - facebook-graph-api

I have an old application that I'd like to get running again. I've updated the Facebook PHP-sdk to the latest version (I think) and everything is working for most users. Except those using secure browsing.
My app simply tell me that:
This application does not yet support secure browsing (HTTPS).
How do I fix this? I've looked though all the settings in the app-page and I can't figure it out.

You need to purchase and setup an SSL certificate and then plug your https url into your app's settings page. See their migration guide where it says this is now required.

Related

POST request error: NSURLConnection HTTP load failed iOS 10

I'm new to iOS programming. I want to connect my app to my web service (HTTPS).
Why is XCode telling me this error when I run POST request with 'Alamofire 4.0' in iOS 10?
This error doesn't appear when I use iOS 9 simulator. I've tried various ways as people say on stackoverflow and none of them solved my problem.
Update:
I have added this inside my info.plist, and still get the same error.
How to implement ATS in iOS 10?
Thanks in advance.
In my case, I changed the SSL certificate on my API domain with the trusted one as mentioned by Apple in this link.
App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.
Please for more details refer Apple Document.
You need to do changes inside your Info.plist
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
open Info.plist file like
Add TransportSecurity inside
or
Check your Mobile network, Mostly this is the reason.

Django Allauth and Google

I've tried to add google login to my web application using django-allauth.
I added to my google application the following callback_uri:
"http://localhost:8000/accounts/google/login/callback"
since i'm running tests on my development server (localhost) and i don't wanna use https.
Even though, i get a 'redirect_uri_mismatch' saying that my redirect URI doesn't match any registred redirect URI.
Does anyone have any ideea about what causes this?
Thanks for your time.
Later Edit:
Using 127.0.0.1 instead of localhost solved this problem.
Recently I ran into problems trying to get Google+ to work as well. I finally got it working. I made some updates to the documentation so it's a bit easier to use. See if using the updated allauth google docs you can get it to work.
Have you try doing the following:
1. Go to the Google Developers console -> Api $ auth -> credentials
2. You should see "Client ID for web application" click "Edit Settings"
3. Change your "Redirect URI" to "http://localhost:8000/accounts/google/login/callback"
Should work after that let me know if it doesn't.
Cheers,
Dan

Proxying external images for SSL compliance

I've got a little Django site in which users can link to images on other sites in their comments. It's by no means a core feature.
I've just moved the entire site to SSL. That has worked fine for the most part but remote images are obviously not always going to be available over SSL. Only the slightest number of domains have valid certificates.
What's the best way to funnel images through then?
Download them when the user posts and alter the URL to a local one?
Make a proxy that just proxies another URL?
The second seems like less work (I feel like it would be possible just with NGINX rules) but that it would also open the site up to people using my proxy for their own nefarious gain... Which I'd like to avoid.
What's the best compromise here?
Github ran into this same issue when they moved to HTTPS everywhere and detailed it in their blog: https://github.com/blog/743-sidejack-prevention-phase-3-ssl-proxied-assets
Their solution was to create a proxy server which they open sourced as https://github.com/atmos/camo To address the same concerns about abuse of the proxy it is deployed with a shared secret with the application server. Integrating this would a Django project would be straight forward as you would just need to generate the digest from the shared key for the given image url.

Authentication with apache2 php pages and tomcat REST calls

Hello smart people on stackoverflow,
I would be very happy if someone could point me to the right libraries/frameworks to do what I want.
We have the following web architecture set up.
1. We have a tomcat server that offers REST services.
2. We have an apache2 server that serves up php pages to users.
a. Some of these php pages make REST calls to tomcat for data.
b. Other php pages contain javascript that makes REST calls that are routed through apache2 via mod_proxy to tomcat. e.g. All request to http://myapache.com/PASSTOTOMCAT/rest/getSecureData would go to tomcat.
Now, I'm asked to add authentication to everything, both the user pages as well as the REST calls. It would obviously be ideal for the user to sign-in once for access to both.
What library can I use for this? I don't think I can use any php-based solution (ie. one that involves adding a ) because the pass-through url's won't have a chance to add this code and check for authentication. I think I need to use something built into apache2 itself.
One minor requirement is that I would like the user credentials stored in a mysql database as opposed to a file.
Am I over-thinking this?
Thanks in advance
Well it's been 5 days, so I guess I'll answer my own question...
I ended up using the new mod_auth_form for authentication because it lets you use a nice stylized webpage to log users in.
I also used mod_dbd to access user credentials in mysql.
I couldn't find a nice tutorial on this so I struggled through the installation and setup a bit, but if anyone cares, I created a set of instructions on my blog in case anyone else tries to do the same thing.
Installation
Setup

How to set up Django app to make cookies work on subdomain

I have deployed my application on subdomain.domain.com (it works only on that one subdomain). Everything works fine except the fact that from time to time users cannot log in to application (the message "Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again" is shown when trying to log into admin panel). I've noticed that restarting the web server eliminates this problem for some time.
Does anyone have experience with setting up django project on subdomain and can guide me how to configure my application to make it work correctly without need to ocasionally make reset?
I'd tried to set up SESSION_COOKIE_DOMAIN = 'subdomain.domain.com' setting but it didn't solve the problem (maybe I set it wrong?)
I use Django 1.1.1, Python 2.5.4 for this project. Project is deployed in provider I use for other projects and cookies works there perfectly. Other projects run also on subdomains and do not have SESSION_COOKIE_DOMAIN set at all.
in your settings do you have SESSION_COOKIE_DOMAIN set? If so, is it set to something that isn't the domain the site is operating on?