HTTP request safe? - php

I am sending an HTTP request to my server using the ASIHTTPRequest library but I don't know if it obfuscates the request data. Also, on the server side, I am creating an XML file and sending it back to the device using PHP. What is the safe way to form an XML document and send it back to the device?

The only safe way to connect to a webserver is by using SSL/https.

I would recommend SSL and/or XML Signatures

Anything sent over just HTTP is sent in clear text. Anyone can see your traffic on any part of the route from you to the destination. This is why Facebook/Twitter and a number of sites have switched to an HTTPS-preferred model.

Related

Hidden POST request to PHP

I know I can use POST to hide the parameters in the url, but the data can still be seen in the network tab when I inspect element. Is there a way to completely hide what data is sent?
So no one can intercept the data.
Let's use the HTTPS protocol; an attacker can capture the data but cannot read it.
You should use encryption. This involves enabling SSL over the HTTP connection. You will need to configure your server for this if it's not configured for it already.
Using HTTPS (SSL over HTTP, also known as Secure HTTP) allows your data to be sent and received over a secure connection.
If you're using the Developer Tools of WebKit (Google Chrome, etc.) then you'll always be able to see the data because you're the one making the request. It doesn't hide the data from you.

Is there any way to know if a POST is coming from an Android application?

I have a file in PHP receiving a POST from an Android application and it works correctly but it also works correctly if loaded from a browser. What would be the most correct and efficient way to prohibit this from happening?
Try testing for the user agent in the request $_SERVER["HTTP_USER_AGENT"]. With PHP you can use the get_browser() for more information given the user agent.
Note that any client could send a fake user agent, so this information is a good hint, but as with any user input, it must not be trusted completely.
If you own the Android application I would suggest sending a security token generated on the android app via HTTPS to your PHP app where it would be validated.
Add a header while making the HTTP request.
e.g. Application Type
httppost.setHeader("Application-Type", "ANDROID");
This will differentiate between your calls, and the server can tell whether a call is made from mobile because it has this header while a browser doesn't.
Take a look at a page with phpinfo() on it from the Android.
You can check the browser and OS; based on that you can choose what to do.
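
One way to implement the token check suggested in the answers above, as an added example that is not part of the original posts: the app signs each request with HMAC-SHA256 and the PHP endpoint verifies the signature before accepting the POST. The header names X-App-Timestamp and X-App-Token, the shared secret and the 300-second window are assumptions made for the illustration.

```php
<?php
// Added example, not code from the page. The secret, header names and
// 300-second window are assumptions chosen for the illustration.
const MAX_SKEW_SECONDS = 300;

// What the app computes before sending: HMAC-SHA256 over timestamp + body.
function make_token(string $secret, int $timestamp, string $body): string
{
    return hash_hmac('sha256', $timestamp . "\n" . $body, $secret);
}

// Server-side check. In a real endpoint $headers would be read from $_SERVER
// (e.g. HTTP_X_APP_TOKEN) and $body from php://input.
function verify_request(string $secret, array $headers, string $body, int $now): bool
{
    $ts    = $headers['X-App-Timestamp'] ?? '';
    $token = $headers['X-App-Token'] ?? '';
    if (!is_string($ts) || !is_string($token)) {
        return false;
    }
    if (preg_match('/\A\d{1,12}\z/', $ts) !== 1) {
        return false;                       // missing or malformed timestamp
    }
    if (abs($now - (int) $ts) > MAX_SKEW_SECONDS) {
        return false;                       // too old or too far in the future
    }
    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals(make_token($secret, (int) $ts, $body), $token);
}

// Constructed sample requests.
$secret = 'constructed-demo-secret';
$now    = 1700000000;
$body   = 'score=42&user=alice';
$signed = [
    'X-App-Timestamp' => (string) $now,
    'X-App-Token'     => make_token($secret, $now, $body),
];
$cases = [
    'signed app request'     => [$signed, $body, $now],
    'plain browser POST'     => [['User-Agent' => 'Mozilla/5.0'], $body, $now],
    'spoofed UA, no token'   => [['User-Agent' => 'okhttp/4.9'], $body, $now],
    'body altered'           => [$signed, 'score=9999&user=alice', $now],
    'replayed an hour later' => [$signed, $body, $now + 3600],
];
foreach ($cases as $label => [$headers, $payload, $at]) {
    printf("%-24s %s\n", $label, verify_request($secret, $headers, $payload, $at) ? 'accept' : 'reject');
}
```

A secret shipped inside an app can be extracted from it, so this check filters out casual browser requests rather than proving the client is genuine, and it only makes sense over HTTPS as the answer says.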

How can I view my HTTP or HTTPS request before I send it?

I'm in the process of trying to better understand HTTP; more specifically, I want to get comfortable working with web-based APIs. Some of the documentation I've read for specific APIs mentions that the API will expect to get an HTTP request in exactly this format, with specific headers and content.
I'm trying to use PHP cURL, but googling around I haven't found a way (that I understand) to simply print my HTTP request to the screen or a text file rather than sending it. I want to make sure that the request I'm constructing looks how I intend it to, rather than just getting back a success or failure message from whatever server the request is sent to. Is there an easy way to do this?
You should try using Fiddler. Fiddler shows RESPONSE and REQUEST HEADER. Other than that you can install some extension to your browser that shows HEADER; Firefox does have such an extension, I think it is called LiveHTTP... sorry, I don't remember the name.
For web debugging Fiddler is what you need http://fiddler2.com/

Testing a multipart form HTTP POST from my iOS app

I'm finishing an app that sends data as a multipart HTTP POST to a server.
Problem is that said server is not available yet, and I want a sort of 'dummy' server to set up that can receive an HTTP POST request like that and just store/spit out the end result so I can see what I'm sending.
I have a host and know my way around a web server, but I never had to deal with a situation like this.
Thoughts?
Consider using a web proxy to verify that what you sent is correct. I use Charles. Charles can also be set up to return fake responses.
You can use WAMP to set up a server on your host and any PHP framework, such as CodeIgniter, to receive HTTP requests.

jQuery getJSON() - What server is called?

When using PHP I can use file_get_contents or cURL to get a URL.
jQuery runs on the client
In jQuery there is a function called jQuery.getJSON(). Javascript is run on the client. What server is used for the download of the JSON code of the external URL? What information does the called URL know about? Does it know of the domain? The IP of the client user? It's a client language.
Preferred for many requests
To make many requests, is it safer to do this with JavaScript than PHP because it runs on every client instead of one server point?
What server is used for the download of the JSON code of the external URL?
The one that the domain name in the URL passed to that function resolves to.
What information does the called URL know about?
It is an HTTP request, like any other. The usual information will be available.
Does it know of the domain? The IP of the client user?
Of course.
It's a client language.
… making an HTTP request.
To make many requests, is it safer to do this with JavaScript than PHP because it runs on every client instead of one server point?
You control the server. You don't control the client. JavaScript can be disabled. It is safer to make the request from your server.
(For a value of "safe" equal to "Less likely to fail assuming the service you are using doesn't impose rate limiting")
Because of the Same Origin Policy all requests made in JavaScript must go to the domain from which the document was loaded. It's a standard HTTP request, so the server will have the same information it would if a user was just navigating around (including cookies, etc.). From the phrasing of your question it appears you need to make requests to some external site, in which case making those requests from your server, which is not subject to such a security policy, would likely be best.
In jQuery there is a function called jQuery.getJSON(). Javascript is
run on the client. What server is used for the download of the JSON
code of the external URL? What information does the called URL know
about? Does it know of the domain? The IP of the client user? It's a
client language.
The code that runs your web browser is only on your PC, too, yet it is perfectly capable of retrieving content via the HTTP protocol from a web server, and has done so for several decades.
AJAX requests are no different. jQuery creates an XMLHttpRequest object that performs an HTTP request in a manner uncoupled from the general page context. As far as the server's concerned, it's just an HTTP request like any other.
The text contents of the result you get back happen to be written in JSON format, but the HTTP layer neither knows nor cares about that.
