I have a PHP app in Heroku that references a javascript stored at a non-secure location. My developer tools are telling me that they won't load "Mixed Content".
How do I get Heroku to serve over HTTP instead of HTTPS?
If your app is served via HTTPS, there is no way you can force the external content to be loaded via HTTP. It would require a security downgrade, and the browsers refuses to perform such action.
The best solution is to make sure that even that JavaScript file is served via HTTPS. You can easily host it behind a proxy, or store somewhere where you can use HTTPS. Today is very easy to find an HTTPS-enabled storage system.
I don't think so you can achieve this on Heroku side. You have to manage this things on your side.
Thanks
Related
I have recently created a laravel project, and I am facing issues with it since I am trying to get it setup with SSL (Cloudflare).
What is the best way to redirect the user to the secured enviroment correctly in laravel 5?
Also, my CSS and JS are not beeing loaded in due to the fact that http is not allowed and my browser blocks the files from beeing loaded because they could be potential harmfull. (Which is not the case though, to be clear)
Can someone get me off the right track?
Redirecting your site users to a secure url (https://) should NOT be the job of the framework. This type of behavior should be handled on the DNS and A record level.
Redirecting from HTTP to HTTPS should be handled by the webserver.
Your assets are probably blocked because they are unencrypted (HTTP) on an encrypted site (HTTPS). You can solve that by using protocol relative URLs:
<script src=”//ajax.microsoft.com/ajax/jquery/jquery-1.3.2.min.js” type=”text/javascript”></script>
Note the // instead of http:// or https://. This will cause your assets to be fetched using the same protocol as the site.
Laravel has a helper function for secure assets: secure_asset()
http://laravel.com/docs/5.1/helpers#method-secure-asset
What is the best way to tell client browser to redirect to HTTPs page if and only if the browser support HTTPs protocol. That's mean that people still can access by using HTTP, but we enforce any user which browser that support HTTPs to use HTTPs.
FAQ
There is no clear motive to do such thing.
Currently, we force all of our user to use HTTPs. If they access to HTTP, they will redirect to HTTPs. The reason that we use HTTPs because it support "HTML5 Push Notification". This feature helps us retent our reader.
However, we also want to submit our website to Facebook Internet.org project which require us to functional without HTTP.
First of all, I don't think this question is actually related to PHP, it seems more like a Server Fault question. But anyway:
There is no clear motive to do such thing.
The only reason why you should imply users won't be able to open HTTPS requests are either because your server isn't SSL/TSL certificated or the certificate is invalid/outdated.
But even so, your client should access the content anyway, given browser's alerts and restrictions, individual to each vendor settings. Both HTTP protocol modes, secure or not, are available unless you set your server to deny the non-secure one after the SSL/TSL implementation, as answered here.
Unless we are talking about extremely old browsers, and by that I mean MS-DOS old, since Netscape released the protocol in Feb/95.
i have php proxy script which uses file_get_contents to get web sites and outputs it ...
everything is working as long as web sites are static, but as long as i use some sites that uses ajax requests to update it's content, lik twitter, 9gag, youtube ... new content doesn't get added
i get this error in console:
XMLHttpRequest cannot load http://9gag.com/new/json?list=hot&id=6408098. Origin is not allowed by Access-Control-Allow-Origin.
since 9gag site is now my local site served by my local proxy it can't access new content from original 9gag site, which this is cross domain issue ....
so my question is how do i take ajax requests and put them through my local proxy server?
This is a security feature. It is made to prevent such requests that you are trying to do. As I can see, you have only two possibilities:
Add site to hosts file to forward it to your proxy. It this way you have to ensure that your proxy responds correctly this way. But I don't know if there are some other checks browser-side except checking the domain. If only domain taken into account, everything will be ok.
Set OS to use your proxy site as a system proxy. This way you should make it to respond as a regular proxy server.
P.S. May be it is better to use some ready-to-use transparent proxy utility?
I'm not an expert and don't want to make a mistake, so please forgive me if the answer is obvious (better safe than sorry).
I finished a Flex app using FB4.5 and uploaded and tested it fine to a shared host. I'm now in the process of securing the app using https, but have landed in a quagmire.
First:
I forced the load of all pages to https with .htaccess so that the Flex app loads with SSL. Problem is that I get a connection failed ('BadVersion') when the app makes a data service call using the gateway.php file because of the .htaccess force (it is looking for http rather than https). I believe I can hardcode the https path in the Flash Builder class file, but I don't want prevent the app from working on my dev machine either. Any thoughts here?
Also, even if the gateway.php file is called using SSL, will the following calls to the PHP files containing the actual SQL queries fail because of the forced SSL by the .htaccess directives.
Second:
Instead of using .htaccess, I have also successfully used PHP to secure the initial launch of the app with a https redirect statement in the beginning. This allows the app to work, calling the gateway.php file fine because it isn't forcing https on everything. BUT, this defeats the purpose of trying to get everything to be encrypted.
Third:
Is is it necessary to have the gateway.php file launched on SSL because of transmitting in binary AMF?
Thoughts? Explanations? Things I'm missing. Suggestions?
Thanks in advance.
If your AMF calls are going over HTTPS, then you need to use a SecureAMFChannel rather than a vanilla AMFChannel.
Typcially this is configured either in the client, where you have declared your RemoteObject or ChannelSet, or in the services-config.xml file.
Most likely, this mismatch is what's causing the BadVersion error you're getting.
I've got a web app and now I've been told to implement SSL for that. I've never done that before, but I seem to have understood from Internet docs on how to do that.
But, my app has two sides: the user interface which is fine under SSL and the second side is I have some files that need to bypass the certificate. These files are accessed by remote machines and share the same libraries of some user interface files.
I've managed the bypass using symbolic links for the shared libraries but I'm not sure if this is the proper way to do it. I mean, if I don't use symbolic links to the shared libraries I can't use these scripts.
Thanks in advance for any light!
Do you mean you are calling the web pages from another machine but you want to bypass the cert? You can usually use curl for this: curl --no-check-certificate {url}
Otherwise you can probably just call those files without the 's' in the scheme (https / http) and be fine.