I'm currently including a local security camera on my website by exposing the HTTP page of the camera on a sub-domain of my website and then including the page in an iframe.
Local HTTP page -> forwarded to a public server -> exposed on domain -> include the exposed page in website
<iframe
id="camera"
title="camera"
src="https://subdomain.URL/"
></iframe>
The problem with this approach is that anybody can see the video when accessing the exposed HTTP page of the camera (on the subdomain). And if I add authentication e.g. basic auth to the camera page all users of the dashboard containing the camera also need to enter the credentials even though they are already signed in to the dashboard.
Is there some other possibility to include the HTTP page of the camera without exposing it publicly or bypassing the auth on the dashboard?
Any help is greatly appreciated!
Related
So I work on a project where I have a Website that calls an API (both hosted on IIS), nothing special for now.
The website is configured with windows authentication allowing access to users within a group.
The API is configured with windows authentication only allowing access to the user defined as identity in the website's application pool.
I'm expecting that any user in the group calling the website would be able to see data on the website, and they won't be able to directly call the API.
However, what I get is that when calling a page of the website, the website receives a 401 error when it calls the API.
Am I missing something in the configuration ?
I hope this is clear for you.
Thank you for your upcoming help ! :)
Elyan
If you're using HTTP as a transport between your website and your API then you cannot restrict access to API from Postman or any other tool, including simple GET requests in browser. Any technically skilled enough user can open "Network" tab in Chrome debugger and see all requests that your site sended to the API.
So, I think you should do API request on server-side, on HTML page render step.
AS IS:
(browser or any client) -> WebSite AND (browser or any client) -> API
TO BE:
(browser or any client) -> WebSite -> API
Then you can restirct access to the API, e.g. allow request only from localhost
I have multiple .NET projects that allow authenticated users to browse html files on another domain via iframe.
I'm struggling with securing these files so that no user can take the link from the iframe and share that link.
The projects are hosted on iis, and users are authenticated with a JWT token.
Any help is appreciated.
I'm afraid it is unavailable to prevent user from getting link from your iframe because they are always able to view the link via developer tool.
But you could create a URL rewrite rule to strict the src link can only be accessed from your website by checking HTTP_REFERR header.
If the referrer domain incorrect or null, then your rule will block it.
I've created a web application using Node.js that relies on a google API (specifically the DCM/DFA reporting API). It redirects the user to login to their gmail account, and after a successful login redirects back to the web application.
Suddenly my company has told me that this web application needs to be restricted to internal use only, and that they won't host it on a public domain for security reasons.
Is there any way to get Oauth to redirect to the internal domain? When I try to set the redirect domain in the google developers console I get an error message that it is not valid. Is there anyway around this?
The sample redirect url you can add at Console and Code is:
http://localhost:8080/authcallback
(Remember to not add trailing / in url)
I would like to do some tablet testing on a website I have. The website has two parts, both in separate projects.
Main site:
platform.local.samplesite.com
SSO site:
sso.local.samplesite.com
The issue:
I can access the main website remotely by ip. When redirected to the login, it tries to hit 'sso.local.samplesite.com', and cannot find that remotely, as it only knows the computer ip set to the main platform site.
General navigation would be:
Hit platform -> Get redirected to SSO site -> Sign in -> Get passed back and land on the main page of platform, all logged in
Currently I can hit the main platform site by adding a binding of HTTPS, IP Address all unassigned, using SSL certificate, and no host name. Then, from the mobile device, I hit the computer's IP address. This successfully gets me to the platform page, but then I am redirected and the tablet cannot see sso.local.samplesite.com.
Is there any way for me to have them both bound and successfully redirecting?
Would your redirect protocol on sso.local send you to the subsite once login was successful rather than redirecting back to the root site? This in theory would bypass your redirection, assuming you've set the redirection at server level bound to the domain?
Myself and a friend have a single user id to login to a website. I can login to the site but he has to wait until I log out to use the site on the same login id. Ive seen lots of screen sharing apps, looked at lots of ideas but technically it can be done im sure.
I want to login on my pc, he wants to access the site from a differnt pc.
Whats the easiest way to do this? I am using thinking about using opencoweb and iframes to simply share the session browser state and information. Is it possible?
Should I be able to do this with deploying an iframed page on app server?
buy another subscription to that service - or put a proxy on your computer and tell your friend to connect to that site through your proxy
First of all, you both should connect to the site from a single proxy server, so your ip will be the same. After one of you login into his account, the other should copy this site cookies to his computer. The site will check cookie and ip, it will be unable to distinguish between you.
No proxy needed. Simply copy the cookie file, import it via the other browser and you are done.