I know I can use POST to hide the parameters in the url, but the data can still be seen in the network tab when I inspect element. Is there a way to completely hide what data is sent?
So no one can intercept the data.
let's use HTTPS protocol, attacker can capture data but they cannot read them.
You should use encryption. This involves enabling SSL over the HTTP connection. You will need to configure your server for this if it's not configured for it already.
Using HTTPS (SSL over HTTP, also known as Secure HTTP) allows your data to be sent and received over a secure connection.
If you're using the Developer Tools of WebKit (Google Chrome, etc.) then you'll always be able to see the data because you're the one making the request. It doesn't hide the data from you.
Related
I am using django as backend API and ajax for making api call.my main site runs on https but the api on http . i am unable to make api calls from ssl cert loaded onto ngnix.
is it possible to make ajax calls from https to http ?
any leads will be appreciated ?
thnks in advance ..!!
The only difference between HTTP and HTTPS is the SSL security part, if your server is able to handle HTTPS requests they will be send through to the API just like any other HTTP request, it's only the actual data communication from the client socket to the server socket that is affected, once the data is received it's back in plain text (or it's original format) again.
Your browser will stop this and/or give an insecure warning and a padlock symbol for your HTTPS connection.
HTTPS indicates the site is secure, which gives certain guarantees to the visitor - namely that the site is for the given domain (authentication), that it's not been intercepted and changed (integrity) and that no one else is able to listen in to your messages to and from the server (confidentiality).
When you add an insecure resource like an api call, those guarantees are no longer there and so the browser will give a "insecure" warning, typically with a yellow warning padlock (instead of green) and/or a pop up.
Browsers used to differentiate between inactive content (e.g. images) - which were seen as less of a risk and so allowed, and active content (e.g. JavaScript) - which were potentially dangerous and so not allowed, however don't think they do any more. Even if they did Ajax XHR calls are definitely in the latter category.
Best option is to proxy pass the request through your main site domain through Nginx (e.g. forward requests to https://example.com/api from Nginx to your api using Nginx config).
As of current, are there still any methods to spoof HTTP referer?
Yes.
The HTTP_REFERER is data passed by the client. Any data passed by the client can be spoofed/forged. This includes HTTP_USER_AGENT.
If you wrote the web browser, you're setting and sending the HTTP Referrer and User-Agent headers on the GET, POST, etc.
You can also use middleware such as a web proxy to alter these. Fiddler lets you control these values.
If you want to redirect a visitor to another website and set their browser's referrer to any value you desire, you'll need to develop a web browser-plugin or some other type of application that runs on their computer. Otherwise, you cannot set the referrer on the visitor's browser. It will show the page from your site that linked to it.
What might be a valid solution in your case would be for you to load the third party page on the visitor's behalf, using whatever referrer is necessary, then display the page to the user from your server.
Yes, the HTTP referer header can be spoofed.
A common way to play with HTTP headers is to use a tool like cURL:
Sending headers using cURL:
How to send a header using a HTTP request through a curl call?
or
The cURL docs:
http://curl.haxx.se/docs/
Yes of course. Browser can avoid to send it, and it can be also "spoofed". There's an addon for firefox (I haven't tried it myself) and likely you can use also something like privoxy (but it is harder to make it dynamically changing). Using other tools like wget, is as easy as setting the proper option.
How safe is it to pass passwords / username in POST or GET requests to an external server?
I will use PHP / CURL and I have second toughts about security.
Alternatives will be considered aswell!
If you use HTTP without SSL encryption, everything is transmitted in the clear, which includes the full URL, the HTTP request/response headers, and the body of the POST request and response.
If you place a password in the GET parameters, it will additionally be displayed in the address bar and quite likely saved in browser history, proxy server logs, and sent to other websites in the referrer header. Sending the password in the POST body or in the standard Authorization header avoids this obvious problem, but it is still visible to an observer who can sniff or proxy your traffic.
Digest Authentication avoids transmitting the password in the clear, and only a non-reusable signature is exposed to the outside observer. It is still vulnerable to man-in-the-middle attacks; see HTTP Digest Authentication versus SSL.
The correct solution is to use an SSL certificate and exclusively use HTTPS. When you do so, the URL string, HTTP headers, and POST body are all encrypted, and the browser verifies that no third party is operating a server in the middle. HTTP Basic Authentication is permissible in this case.
By themselves, not necessarily. You shouldn't use GET for things aside from queries, in general because they can get stored on the user's browser. POST is relatively easy to encrypt using libraries, as you shouldn't implement your own encryption.
Also, if you get an SSL, that would help. If you use HTTPS (rather than HTTP), then it will be even more secure.
You didn't give many details as to what the page was (read: the language) so I can't really recommend a good encryption library, but just Google it and I'm sure you'll find something.
In our site, Some pages are SSL and some are non-SSL.
For Example:
http://www.example.com/search/patients
https://www.example.com/patients
Now I am searching patients on http://www.example.com/search/patients page and send server request to https://www.example.com/patients via jQuery $.ajax function and dataType=json. I am unable to get data.
Questions:
Should I use jsonp when we request from http to https or https to http on same server?
If I use SSL for both URLs then will it work with dataType=json only
Thanks
Due to Same Origin Policy your ajax request is allowed only if:
domain name, application layer protocol, and (in most browsers) port
number of the HTML document running the script are the same
In your case the application layer protocol is different, that's why your script fails.
Possible solutions are:
JSONP, which has to be provided by the server
CORS, which is a more 'elegant' and clean solution, but is not yet fully supported by IE (IE7 doesn't support it, IE8 has some limitations)
If you use SSL for both URLs it should work. Also as #Waqas Raja suggested, it would be better to use relative URLS.
e.g. $.ajax({url: '/search/patients'})
You need to use either CORS, a proxy or JSONP to get content from a different origin. Changing scheme (from http to https or the other way around) is changing origin.
Pulling data from a secure server into an insecure page eliminates many of the benefits of using SSL.
If you fetch both the page and the data source over SSL then you can use plain JSON and don't introduce those security problems.
How would you use https ?, would sending information via GET and POST be any different while using https ?
Any information and examples on how https is used in php for something simple like a secure login would be useful,
Thank you!
It will be no different for your php scripts, the encryption and decryption is done transparently on another layer.
Both GET and POST get encrypted, but GET will leave a trace in the web server log files.
HTTPS is handled at the SSL/TLS Layer, not at the Application Layer (HTTP). Your server will handle it as aularon was saying.
SSL and/or HTTPS is used to provide some level of confidentiality for data in transit between the web users and the web server. It can also be used to provide a level of confidence that the site the users are communicating with is in fact the one they intend to be.
In order to use SSL, you'll need to configure these capabilities on the server itself, which would include either purchasing (an authority-signed) or creating (a self-signed) certificate. If you create your own self-signed certificate, the level of confidence that the site is the intended one is significantly reduced for your users.
PHP
Once your webserver is able to serve SSL-protected pages, PHP will continue to operate as usual. Things to look out for are port numbers (normal HTTP is usually on port 80, while HTTPS traffic is usually on port 443), if your code relies on them.
GET & POST Data
Pierre 303 is correct, GET data may end up in the logs, and POST data will not, but this is no different than a non-SSL web server. SSL is meant to protect data in transit, it does nothing to protect you and your customers from web servers and their administrators that you may not trust.
Secure Login
There is also a performance hit (normally) when using SSL, so, some sites will configure their pages to only use https when the user is sending sensitive information, for example, their password or credit card details, etc. Other traffic would continue to use the normal, http server.
If this is the sort of thing you'd like to do, you'll want to ensure that your login form in HTML uses a ACTION that points to the https server's pages. Once the server accepts this form submission, it can send a redirect to send the user back to the page they requested using just http again.
Just ensure you're sending the correct headings when allowing files to be downloaded over ssl... IE can be a bit quirky. http://support.microsoft.com/kb/323308 for details of how to resolve