I can't seem to find anything definitive about the HTTPS migration: what will happen to existing apps that are just on HTTP? Will they cease to work? Or is it just a case that any new apps will need to be on HTTPS and the old ones will be fine?
If I read rightly, I think it's a case that all existing apps will need to be converted.
Cheers guys
From what I understand, any existing apps that haven't entered a secure url will be disabled. My guess is they'll be stuck in sandbox mode until you enter that url.
I just set up a test app today that embeds into the canvas. I found that while it requires it to be HTTPS, it doesn't care if you use a self-signed certificate, so they're not insisting that users spend money to keep using their canvas apps.
I have developed a REST API in core PHP. These APIs are used in a mobile app to fetch data from the server.
Now we have a situation where 10000 users are using the app at the same time. When all these users are on the app at the same time, the server (Amazon EC2 Ubuntu 12.04) fails.
In order to solve this, we have decided to use CloudFlare. After a lot of research, it is still not clear how to use CloudFlare to cache the responses coming from the APIs.
Below are few links that I have followed so far:
https://support.cloudflare.com/hc/en-us/articles/202775670-How-Do-I-Tell-Cloudflare-What-to-Cache-
https://blog.cloudflare.com/introducing-pagerules-advanced-caching/
We have already set the CNAME and HOST details on our CloudFlare account. Can someone help me understand what implementation is needed, or whether this is possible at all?
After a lot of research, I found that it is possible to cache the response of REST API. We just need to create a custom page rule.
Just in case someone else is facing the same issue, follow the steps below:
1) Get a domain name for your URL. For example, if your API URL is http://xx.xx.xx.xx then you need to get a domain and link it so that your API URL can be http://domainname/...
2) Since the data is not HTML content or CSS, you should create a custom page rule. It is detailed very nicely by Cloudflare but the link is hard to find, so here it is: https://support.cloudflare.com/hc/en-us/articles/115000150272-How-do-I-use-Cache-Everything-with-Cloudflare-
The entire setup with Cloudflare is done and the performance of my server has improved drastically. We just need to follow the steps carefully!!!
I'm building an application that uses components from the Facebook API, and there are certain requirements the app has to meet before it can go to review. I have solved the other requirements, but I'm not quite sure whether I need HTTPS or whether it could work with HTTP just fine?
You only need https if you create a Page/Tab App or a Canvas App. Check out the App Settings, those platforms specifically ask for a https link.
Working with http is fine, Token security is done best with appsecret_proof. It does not really matter if you use http or https for that.
That being said, having https is better than not having https. But the question was "do i need it", so...see my very first sentence :)
I don't know specifically about facebook rules but:
If the front end (JavaScript) has access to the token that identifies the user, maybe you should use https to protect that token.
If you manipulate personal data of the user, then in a lot of countries (in European countries, for example) you have an obligation to protect it.
As https protects your website against unwanted modifications (ISPs injecting ads) and protects your users, in 2016 the question is less "should I use https?" and more "do I have a good reason not to?"
I'm working in core PHP. I want to use reCAPTCHA for my form. I downloaded reCAPTCHA from this link. It works fine, but when I switch off my internet connection it's invisible on my local server.
Is it possible to use recaptcha on my local server?
https://www.google.com/recaptcha/api.js is the reCaptcha js controller that makes all the reCaptcha management.
It is loaded from the Google server once and you might pre-load it and plug it in locally. Yet all the verification is done server-side by Google, so you can't actually click the reCAPTCHA off-line, nor verify human vs. bot, nor submit a form.
Read more on reCaptcha v2.0
Recaptcha is a service. Each request is handled by a foreign server, so no chance without an internet connection.
btw: A website without internet connection is not a real scenario ;)
If you use external services, you must have a chance to reach them.
The only solution I can think of is to provide a configuration or environment variable that would disable the use of reCAPTCHA entirely. When you are working without an internet connection you would simply enable that configuration option and develop your application without reCAPTCHA.
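The switch described in this answer, as an added example that is not part of any post in the thread: the server-side reCAPTCHA check lives behind one environment variable, so offline development skips it without changing the form handler. The variable names RECAPTCHA_DISABLED and RECAPTCHA_SECRET are assumptions; the siteverify endpoint and the g-recaptcha-response form field are Google's documented ones.

```php
<?php
// Added example, not code from the thread. Assumed environment variables:
//   RECAPTCHA_SECRET   - the server-side secret key from the reCAPTCHA admin console
//   RECAPTCHA_DISABLED - set to "1" only on an offline development machine

const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

function recaptcha_disabled(): bool
{
    // Fail closed: the check is skipped only when the variable is exactly "1".
    return getenv('RECAPTCHA_DISABLED') === '1';
}

function recaptcha_verify(string $response, string $remoteIp): bool
{
    if (recaptcha_disabled()) {
        // Make the bypass visible in the log so it is never shipped silently.
        error_log('reCAPTCHA verification bypassed (RECAPTCHA_DISABLED=1)');
        return true;
    }
    $secret = getenv('RECAPTCHA_SECRET');
    if ($secret === false || $response === '') {
        return false;
    }
    $context = stream_context_create([
        'http' => [
            'method'  => 'POST',
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content' => http_build_query([
                'secret'   => $secret,
                'response' => $response,
                'remoteip' => $remoteIp,
            ]),
            'timeout' => 5,
        ],
        // Keep certificate verification on: the secret travels in this request.
        'ssl' => ['verify_peer' => true, 'verify_peer_name' => true],
    ]);
    $raw = @file_get_contents(RECAPTCHA_VERIFY_URL, false, $context);
    if ($raw === false) {
        return false; // a network failure is a failure, not a pass
    }
    $data = json_decode($raw, true);
    return is_array($data) && ($data['success'] ?? false) === true;
}

// Form handler usage:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = recaptcha_verify(
        $_POST['g-recaptcha-response'] ?? '',
        $_SERVER['REMOTE_ADDR'] ?? ''
    );
    if (!$ok) {
        http_response_code(400);
        exit('captcha check failed');
    }
    // ... process the form ...
}
```

The template that renders the form should check the same recaptcha_disabled() flag and leave out the api.js script tag and the widget, since neither loads without a connection. The variable is read from the environment rather than a config file so that a production deployment, which does not set it, cannot inherit the bypass by accident.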
Well, reCAPTCHA is basically a Google service and of course it requires an internet connection, whereas if you want to work with a captcha on your local server then try this link: Captcha.
It works on your local server too :)
Your question is somehow strange. I think you have not the slightest idea what reCAPTCHA is. reCAPTCHA is a defense tool to block access to online content by bots and other non-human clients. If you switch off your internet connection you have absolutely closed any possibility that a bot accesses your online content.
On the other hand, if the bots and automatic non-human visitors are inside your intranet, you are a very special case, and probably you should tell us more about your very special case.
I think if we are able to download the recaptcha/api.js file and then store it on our local machine, as we do with some other js files, then can we still not use the service without internet?
When using Google reCAPTCHA we put this in the head section:
<script src='https://www.google.com/recaptcha/api.js'></script>
But from where do I download the js file so I can link it like this?
I've been experimenting with OpenID, and have set up a sample web page to access using my OpenID account. I'm using the Php OpenID Library by Janrain and it wasn't working with my Google Account. A little research led me to this question, which suggests the problem is that Google uses https and...
... it's likely the setup for making HTTPS requests is borked on your PHP server. Check to make sure you have the ca-certificates package installed.
In the same thread, someone links to their hacked version of the library which I deployed and have used with my Google Account successfully. Other questions have other customizations to get around similar problems (Janrain’s PHP-OpenID and Google/Yahoo, php-openID doesn’t work with Yahoo!, Example usage of AX in PHP OpenID...)
I'm not too hot on security, so I ask; does anyone know of a reason to not use these hacked versions?
Does the original library have whatever shortcoming these hacks fix by design, and therefore the hack is a potential security vulnerability?
Is there a qualified crypto-ifier out there who has looked at any of these solutions and gone "By David Chaum's beard! NO!!"
If so - and I therefore shouldn't use any of these hacks - how would I check that I "have the ca-certificates package installed"?
Here's what the author of one of those "hacked" versions wrote:
"In particular CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are true by default: I set them to false and it worked for the test page!"
The effect that has is to pretty much negate any security advantage offered by using HTTPS. The primary reason HTTPS is useful in OpenID is that it guards against a man-in-the-middle attack, i.e. some bad guy poisons your DNS cache to send all google.com requests to bad-guys.example. With properly configured HTTPS, you'd verify the certificate on the connection, find out it wasn't from Google, and say "I'm not going to believe anything you say, bad-guys!"
Unless, of course, you don't verify any certificates (you set all the SSL_VERIFY options to false), in which case your server will believe everything bad-guys says as if it were the real Google provider. You can imagine how that might be bad.
Now, frankly, this isn't the worst choice you could make, because it's no worse than just using HTTP, which a lot of people do anyway. You're just lying to your users if you imply that you're providing HTTPS-level security when you're not.
And there's a lot of information out there about how easy it is or isn't to do a dns-based attack, or how easy it is to forge SSL certificates. Either way, it does require someone to attack the connection between your server and Google, which is generally harder than attacking the connection between the user's laptop in the coffee shop and your server.
But still, much better to actually fix your PHP or CURL SSL configuration. Or if you don't, warn your users of that when they sign up with HTTPS identifiers, so they can choose if they really want to use that OpenID with your site.
Which leads to your second question. I think, not knowing anything about which server platform you're using, the best thing I can do is to link you to the Curl docs on SSL certificates; see the section that says "Get a better/different/newer CA cert bundle!"
From the Wikipedia article on Certificate Authority:
A CA issues digital certificates that contain a public key and the identity of the owner. When an end-user tries to access an unknown URL, the web browser (e.g. Mozilla Firefox and Microsoft Internet Explorer) will contact the CA to confirm the public key of the URL.
... so the CA Certificate is a Public Key Certificate used to communicate over https://. Your server should have CA Certificates on the file system somewhere. If not, you'll have to download the CA Certificate yourself and set the CURLOPT_CAINFO constant to point to its location. See this article.
http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
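The two configurations the answers above contrast, as an added example that is not code from the thread, from the Janrain library or from the linked article: the "hacked" settings that accept any certificate, beside the verified settings with CURLOPT_CAINFO pointing at a CA bundle when curl cannot find the system one. The bundle path is an example for a Debian/Ubuntu system; the URL is a placeholder.

```php
<?php
// Added example, not from the thread or the Janrain library.
// Assumptions: PHP with the curl extension; the CA bundle path is the usual
// Debian/Ubuntu location of the ca-certificates package.

const EXAMPLE_CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';

// What the "hacked" OpenID library does. Any server that answers on port 443,
// including one reached through a poisoned DNS answer, is accepted as "Google".
function fetch_without_verification(string $url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false, // do not check the chain
        CURLOPT_SSL_VERIFYHOST => 0,     // do not check the name
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body; // string, or false on error
}

// The fix the answers recommend: keep verification on and, if the system
// bundle is missing or curl cannot locate it, name the bundle explicitly.
function fetch_with_verification(string $url, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    $opts = [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,  // certificate must chain to a trusted CA
        CURLOPT_SSL_VERIFYHOST  => 2,     // and its name must match the URL host
                                          // (2, not true/1: 1 is no longer accepted)
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // never fall back to plain http
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // not even on a redirect
        CURLOPT_TIMEOUT         => 10,
    ];
    if ($caBundle !== null) {
        if (!is_readable($caBundle)) {
            throw new RuntimeException("CA bundle not readable: $caBundle");
        }
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    if ($body === false) {
        // libcurl reports a chain that cannot be verified as error 60
        // (CURLE_PEER_FAILED_VERIFICATION, formerly CURLE_SSL_CACERT; older
        // versions used 51 for the name mismatch). Surface it, do not swallow it.
        $msg = sprintf('TLS fetch of %s failed (%d): %s', $url, curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($msg);
    }
    curl_close($ch);
    return $body;
}

// Usage: the first call silently trusts anything; the second throws if the
// certificate cannot be verified, which is the behaviour you want for an
// OpenID discovery request.
// $discovery = fetch_with_verification('https://example.invalid/openid', EXAMPLE_CA_BUNDLE);
```

To answer the "how would I check" part of the question on a Debian/Ubuntu server: dpkg -l ca-certificates shows whether the package is installed, and php -r 'var_dump(openssl_get_cert_locations());' prints where PHP's OpenSSL expects the bundle. If fetch_with_verification() still fails with error 60 against a site that verifies fine in a browser, the bundle is missing or stale and CURLOPT_CAINFO should point at a current one.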
"[...] does anyone know of a reason to not use these hacked versions?"
Besides the fact that they're hacked versions, which are most likely undocumented and have no guarantee as to their behavior?
I can't answer specifically, but there should be some warning lights flashing when you work with modules that have had quick fixes and workarounds applied, especially when you're dealing with authorization and security. I think the best advice would be "Use at own risk!"
I'm sure someone with more knowledge on the topic will arrive soon enough with a more informed answer.
I am new to PHP. I can do a simple login page, e.g. create a form, submit the form, process and authenticate in a PHP page and so on.
I read somewhere on the internet, and saw that some big companies like banks, Google and Yahoo, have their login form on "https" not "http". So I tried googling what this "https" thing is. Well, I can't say I fully understand what it is, but I think I know the concept, i.e. it creates a more secure login page.
I believe PHP could do it (because I saw WordPress using https, and WP is written in PHP). Is there any tutorial, or can you guys give sample code on how to do a secure login https page with PHP? Not necessarily full code (because I don't want to trouble you guys), but if you can give full code, that would be most appreciated :)
You need to buy an SSL certificate from a company like Verizon or InstantSSL. Then, you will need a web host who has Open SSL or other software for processing SSL certificates installed.
When you purchase a certificate from Verizon/Instant SSL, they will give you some encrypted code with which you can configure your Open SSL software, and then having https:// URLs will work.
This isn't something you can do using plain php.
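What the PHP side looks like once the web server has its certificate installed, as an added example that is not from any post in this thread: TLS itself is handled by Apache or nginx, and the PHP page only enforces that the login form and its session cookie are never used over plain http. The host name, the in-memory user table and the dashboard path are constructed placeholders.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.3+ and a web server that
// already terminates TLS and sets $_SERVER['HTTPS'] on secure requests.

const CANONICAL_HOST = 'login.example.com';   // placeholder, not a real site

// Constructed sample user store; a real site would read this from a database.
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function request_is_https(array $server): bool
{
    // Apache and nginx set HTTPS to "on" (or "1") for TLS requests.
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

function require_https(array $server): void
{
    if (request_is_https($server)) {
        return;
    }
    // Redirect to our own known host, not to whatever Host header was sent.
    $target = 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/');
    header('Location: ' . $target, true, 301);
    exit;
}

function start_secure_session(): void
{
    session_set_cookie_params([
        'secure'   => true,   // the browser sends this cookie only over https
        'httponly' => true,   // page scripts cannot read it
        'samesite' => 'Lax',
    ]);
    session_start();
}

function authenticate(array $users, string $user, string $pass): bool
{
    // password_verify() is constant-time and handles the stored hash format.
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

require_https($_SERVER);
start_secure_session();
// Ask browsers to keep using https for this host for a year.
header('Strict-Transport-Security: max-age=31536000');

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (authenticate($USERS, $user, $pass)) {
        session_regenerate_id(true);     // fresh session id after login
        $_SESSION['user'] = $user;
        header('Location: /dashboard.php');  // placeholder destination
        exit;
    }
    $error = 'Invalid username or password';
}
?>
<!doctype html>
<form method="post" action="">
  <?php if ($error !== null): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
  <label>Username <input name="username" autocomplete="username"></label>
  <label>Password <input name="password" type="password" autocomplete="current-password"></label>
  <button type="submit">Log in</button>
</form>
```

The redirect only protects a GET of the form; a browser that first POSTs the password over http has already leaked it, which is why the Strict-Transport-Security header is sent on every https response so the browser stops trying http at all. Serving the certificate is still the web server's job, as the answer says; PHP cannot add TLS on its own.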