Is there a non-TLS (SSL v3 or lower) API endpoint for weather.gov? - weather-api

It seems that since upgrading they now redirect to a TLS API endpoint. Is anyone aware of a transition api endpoint for the old api if it exists or where to find information regarding this?

From Kolly Mars from the NWS:
"Thanks for reaching out to us.
I am afraid that we are bound by Binding Operational Directive 18-01 https://cyber.dhs.gov/bod/18-01/
We are not able at this time to move from a secure web site to an insecure site. I am sorry this has impacted you. I'm not currently aware of any non-HTTPS services for sunrise/sunset.
Thanks,
KM
"

Related

Azure Application Gateway + web apps = SSLLABS A+?

I hope you are all doing well!
Question: is it possible to get A+ on SSL Labs with Azure Application Gateway and Web Apps?
My ciphers:
Please assist.
I believe one of the requirements for the A+ SSL Labs rating is HTTP Strict Transport Security (HSTS), which instructs the browser to make future requests to the server only over HTTPS and not HTTP. This means you will only do an HTTP-to-HTTPS redirect once, and future requests are not susceptible to man-in-the-middle (MITM) attacks.
The Application Gateway portal doesn't have a checkbox to enable this, but you can use a rewrite rule to add response headers, HSTS being one that is documented as supported.
https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#rewrite-types-supported
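Once the rewrite rule is in place, the thing to verify is the header the gateway actually emits. The following is an added example (not code from the answer or from Microsoft) that parses a Strict-Transport-Security value the way a browser does and checks it against the A+ expectation; the six-month threshold and the one-year recommendation are assumptions stated in the code, and the sample responses are constructed.

```python
"""Validate a Strict-Transport-Security (HSTS) header the way you would after
adding it with an Application Gateway rewrite rule.

Added example, not part of the original answer. The exact SSL Labs cut-off
is an assumption: its rating guide asks for a "long" max-age, taken here as
six months.
"""
from typing import Any, Dict, List, Tuple

MIN_MAX_AGE_FOR_A_PLUS = 180 * 24 * 3600   # ~six months (assumed threshold)
RECOMMENDED_MAX_AGE = 365 * 24 * 3600      # one year, common hardening advice


def parse_hsts(value: str) -> Dict[str, Any]:
    """Parse an HSTS value into max-age / includeSubDomains / preload.

    Directive names are case-insensitive (RFC 6797); unknown directives are
    ignored, and a non-numeric max-age is treated as missing.
    """
    parsed: Dict[str, Any] = {"max-age": None, "includesubdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                parsed["max-age"] = int(arg)
        elif name in ("includesubdomains", "preload"):
            parsed[name] = True
    return parsed


def hsts_meets_a_plus(value: str) -> Tuple[bool, List[str], List[str]]:
    """Return (ok, problems, warnings).

    problems block the A+ grade (no usable max-age, or one that is too short);
    warnings are hardening points that do not affect the grade.
    """
    p = parse_hsts(value)
    problems: List[str] = []
    warnings: List[str] = []
    if p["max-age"] is None:
        problems.append("max-age directive missing or not an integer")
    elif p["max-age"] < MIN_MAX_AGE_FOR_A_PLUS:
        problems.append(f"max-age={p['max-age']} is below the {MIN_MAX_AGE_FOR_A_PLUS}s threshold")
    elif p["max-age"] < RECOMMENDED_MAX_AGE:
        warnings.append("max-age is below one year")
    if not p["includesubdomains"]:
        warnings.append("includeSubDomains missing; subdomains can still be reached over plain HTTP")
    return (not problems, problems, warnings)


def check_response(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Check one response as a browser would.

    Browsers only honour HSTS received over HTTPS, so the header on the
    plain-HTTP redirect is noise, and a missing header on the HTTPS response
    is the actual defect. Returns a list of findings (empty means fine).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    findings: List[str] = []
    if scheme == "http":
        if hsts is not None:
            findings.append("HSTS on an http:// response is ignored; set it on the HTTPS listener")
        return findings
    if hsts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
        return findings
    _, problems, warnings = hsts_meets_a_plus(hsts)
    findings.extend(problems)
    findings.extend("warning: " + w for w in warnings)
    return findings


if __name__ == "__main__":
    # Constructed responses: the redirect from the HTTP listener and the
    # rewritten HTTPS response.
    samples = [
        ("http", {"Location": "https://app.example.net/", "Strict-Transport-Security": "max-age=300"}),
        ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
        ("https", {"Strict-Transport-Security": "max-age=300"}),
    ]
    for scheme, hdrs in samples:
        print(scheme, check_response(scheme, hdrs) or ["ok"])
```

The header value you put into the rewrite rule's response-header action is the one `hsts_meets_a_plus` accepts, e.g. `max-age=31536000; includeSubDomains`. Attach the rule only to the HTTPS listener's routing rule; on the HTTP listener the header is ignored anyway, and the redirect is what should be there.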

bittorrent webseed with authentication

I am designing a platform for serving media content for media makers that works with WebTorrent. But for premium users we want to serve content with high availability (for old media that may have no seeds) using HTTP seeds (web seeds) per the BEP 19 standard (http://www.getright.com/seedtorrent.html). Obviously premium users need an authentication method for web seeds. I think that HTTP authentication might work for it, but I have been researching and have not found any way to authenticate and secure the HTTP seeds so that only premium users have access.
Also, I don't want to overlook that availability must be in both the browser and the torrent client.
Thank you in advance.
Alternatives to basic auth are:
IP whitelisting whenever the user logs into your website. This may be an issue for users that run a torrent client on a server, so you should at least offer a login API that can be curl'd.
Embed a login token in the /path/ segment of the URL, but practically that is not much different from basic auth.
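The path-token option is the one that works in both a browser (WebTorrent) and a desktop client, because the URL needs no auth prompt or custom header and HTTP Range requests are unaffected. What follows is an added example, not code from the answer above: each premium user gets a web seed URL whose path carries an HMAC-signed, expiring token bound to that user and that torrent, and the seed server verifies the token before serving the file. The key, host name and sample paths are constructed for the demonstration.

```python
"""HMAC-signed, expiring web seed (BEP 19) URLs for premium users.

Added example, not part of the original post. The token lives in the URL
path, so browsers and torrent clients use it unchanged; the server binds it
to (user, torrent, expiry) so a leaked URL stops working quickly and can be
traced to the account that leaked it.
"""
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key: in production load it from a secret store and rotate it.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(user_id: str, info_hash: str, expires_at: int, key: bytes) -> bytes:
    # Bind the token to the user, the torrent and the expiry time.
    msg = f"{user_id}\n{info_hash}\n{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_token(user_id: str, info_hash: str, expires_at: int, key: bytes = SERVER_KEY) -> str:
    """<base64(user\\nexpiry)>.<base64(hmac)>; user_id must not contain a newline."""
    meta = _b64(f"{user_id}\n{expires_at}".encode())
    return f"{meta}.{_b64(_mac(user_id, info_hash, expires_at, key))}"


def webseed_url(base: str, user_id: str, info_hash: str, ttl_seconds: int,
                now: Optional[int] = None) -> str:
    """Build the url-list entry placed in the premium user's .torrent or magnet.

    The trailing slash matters: per BEP 19 the client appends '<name>/<path>'
    for multi-file torrents, so the file path arrives after the info hash.
    """
    now = int(time.time()) if now is None else now
    token = make_token(user_id, info_hash, now + ttl_seconds)
    return f"{base}/seed/{token}/{info_hash}/"


def verify_request_path(path: str, key: bytes = SERVER_KEY,
                        now: Optional[int] = None) -> Optional[str]:
    """Validate an incoming request path; return the user id, or None to refuse.

    Expected shape: /seed/<token>/<info_hash>/<file path>
    """
    now = int(time.time()) if now is None else now
    parts = path.split("/")
    if len(parts) < 5 or parts[0] != "" or parts[1] != "seed":
        return None
    token, info_hash, file_parts = parts[2], parts[3], parts[4:]
    # The file path is untrusted input: refuse traversal and empty segments
    # before touching the token at all.
    if any(seg in ("", ".", "..") for seg in file_parts):
        return None
    try:
        meta_b64, mac_b64 = token.split(".", 1)
        user_id, exp_text = _unb64(meta_b64).decode("utf-8").split("\n", 1)
        expires_at = int(exp_text)
        presented = _unb64(mac_b64)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if now >= expires_at:
        return None
    # Constant-time comparison; the info hash from the path is part of the MAC,
    # so a token for one torrent cannot be replayed against another.
    if not hmac.compare_digest(presented, _mac(user_id, info_hash, expires_at, key)):
        return None
    return user_id


if __name__ == "__main__":
    info_hash = "a" * 40                       # constructed info hash
    url = webseed_url("https://seeds.example.net", "user42", info_hash, 3600)
    print("url-list entry:", url)
    request_path = url[len("https://seeds.example.net"):] + "show/ep1.mp4"
    print("serving for user:", verify_request_path(request_path))
```

Keep the TTL short (hours, not weeks) and re-issue the torrent or magnet from the logged-in session when it expires; the user id in the token is what lets you revoke or rate-limit an account that shares its URLs. Basic auth would protect the same files, but a browser client cannot attach credentials to a web seed request, which is why the token goes into the path.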

How To Make Client Certificate Authentication Optional In Azure AppServices

I have published my Web API on Azure as an App Service. In the Web API some URLs require a client certificate and some don't. I set certEnabled=true in the App Service using ARMClient, but it makes my other (non-certificate) calls invalid.
When I researched this issue, I came to know that certEnabled=true expects a certificate for all calls.
I want to make requests using a certificate on specific API URLs only.
What should I do?
I want to make requests using a certificate on specific API URLs only. What should I do?
Unfortunately, it is not supported on Azure Web Apps currently. I also found similar feedback that is under review by the Azure team. And optional client certificates for TLS mutual auth are also not supported now.
The only thing I have found is to allow both http and https, and then, in the code, filter which requests you accept on http.
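To make the "filter in code" idea concrete, here is an added example (not the answer's own code) of per-route enforcement in application code. It assumes the platform terminates TLS with certEnabled=true and forwards the client certificate to the app as base64 DER in the X-ARR-ClientCert header, which is how App Service passes it through; the route prefixes, the trusted thumbprints and the DER bytes used in the demo are constructed.

```python
"""Per-route client-certificate enforcement in application code.

Added example, not the original answer's code. Assumption: TLS is
terminated in front of the app and the client certificate arrives as
base64 DER in the X-ARR-ClientCert header (App Service behaviour). The app
then decides per route whether a certificate is required, instead of the
platform rejecting every request without one.
"""
import base64
import binascii
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# Constructed route policy: only these prefixes require a client certificate.
CERT_REQUIRED_PREFIXES: Tuple[str, ...] = ("/api/admin/", "/api/partner/")
CLIENT_CERT_HEADER = "x-arr-clientcert"


def certificate_required(path: str) -> bool:
    return path.startswith(CERT_REQUIRED_PREFIXES)


def encode_cert_header(der: bytes) -> str:
    """What the TLS terminator puts in the header: base64 of the DER certificate."""
    return base64.b64encode(der).decode("ascii")


def thumbprint_from_header(value: str) -> Optional[str]:
    """SHA-1 thumbprint (upper-case hex) of the forwarded DER cert, or None if malformed."""
    try:
        der = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if not der:
        return None
    return hashlib.sha1(der).hexdigest().upper()


def authorize(path: str, headers: Dict[str, str],
              trusted_thumbprints: Iterable[str]) -> Tuple[int, str]:
    """Return (status, reason); 200 means the request may proceed.

    Routes outside CERT_REQUIRED_PREFIXES never look at the header, so
    ordinary callers are unaffected. Protected routes require a certificate
    whose thumbprint is on the allow list.
    """
    if not certificate_required(path):
        return 200, "no client certificate required for this route"
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(CLIENT_CERT_HEADER)
    if raw is None:
        return 403, "client certificate required"
    thumbprint = thumbprint_from_header(raw)
    if thumbprint is None:
        return 400, "malformed client certificate header"
    if thumbprint not in {t.upper() for t in trusted_thumbprints}:
        return 403, "client certificate not trusted"
    return 200, "client certificate accepted"


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; a real one comes from the
    # partner's PKI and its thumbprint is what you pin.
    fake_der = b"\x30\x82\x02\x10" + bytes(range(32))
    header = encode_cert_header(fake_der)
    trusted = {thumbprint_from_header(header)}
    for route, hdrs in [("/api/public/health", {}),
                        ("/api/admin/users", {}),
                        ("/api/admin/users", {"X-ARR-ClientCert": header})]:
        print(route, authorize(route, hdrs, trusted))
```

Two caveats a practitioner should keep in mind. First, thumbprint pinning checks identity only; it does not verify the validity period or the chain, so parse the DER (for example with the `cryptography` package) if you need that. Second, the header is trustworthy only because the TLS terminator sets it; if the same app also accepts plain HTTP directly, a caller could forge X-ARR-ClientCert, so the protected routes must also refuse requests that did not arrive over HTTPS.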

What is the best way to secure Apache Camel endpoints?

We have several internal web applications/services in our company which can only be accessed from the LAN. Now we have a public web portal hosted on the Internet, and this portal needs to access some internal services.
To meet this requirement, I plan to use Apache Camel in ServiceMix to route the requests from the web portal to the local web services.
The exposed endpoints will use Jetty (HTTP) or CXF. As you can see, we must secure those endpoints, since they will also be exposed on the Internet.
I read through the Camel website; Camel supports Shiro security for authentication and authorization. However, I think Shiro is too heavy for our scenario, because we only have one web portal to be authenticated. And Shiro will not encrypt the payload, which means the username and password will be transported in plain text.
So I am considering HTTPS, but I am new to HTTPS. How does HTTPS authenticate the requesting application? Should I use 2-way HTTPS?
Please clarify this for me; an example would be very helpful. Thanks.
Read through this section; it explains how you can set up a secure CXF endpoint:
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.0/html/Security_Guide/files/CamelCXF.html
If you didn't manage to create your secure endpoint, let me know and I'll create an example for you.

Security of using HTTPS based services on an HTTP site

This question has come up at my job a few times, and I was hoping to get some community backing.
We are working on a Single Page WebApp, but require that the data coming from our services API be secure to prevent snooping of the data. We are also trying to iron out the prod environment details for where our SPA will be hosted. One of the options is using something like Amazon's S3, which doesn't support SSL (to my knowledge).
There's a group that believes the whole site needs to be hosted over SSL. However, it's my understanding that SSL will only protect the transmission of the data. So the point I'm trying to make is that hosting the services from an HTTPS site and the client code from non-SSL based URLs will be just as secure as hosting everything from an SSL site.
Could anyone clarify this for me?
Thanks in advance.
Yes, SSL just encrypts the transmission of the data, and does not offer any type of protection of the runtime environment on any client-side code.
Now, it is generally considered a best practice to host everything over SSL, for these reasons:
Users can get warnings that a site is transmitting data with an untrusted source if parts are served over SSL and parts are not.
Any cookies will be sent in the clear when requesting the non-SSL files and may contain information that should be kept private.