Using the Typescript JsonServiceClient in an Angular app, the ss-pid cookie value keeps changing because JsonServiceClient is not including ss-pid, ss-id and ss-opt in requests to my APIs.
The subdomain I am using for my Angular app is app.serverfoo. The APIs reside at serverfoo:5001, serverfoo:5002.
The reason I am doing this is that I am working with my Angular app localhost and calling my 20+ APIs residing in development environment serverfoo, I ahve the following entry in my hosts file:
127.0.0.1 app.sdlxvh03
This allows my app to be run localhost, while I do development using ServiceStack sessions on my machine and still work with my APIs in the development environment.
Cookies only apply to the domain that the request was served from. See this previous answer on how to configure domain cookies so they can apply to sub domains as well.
https://stackoverflow.com/a/23631061/85785
Related
i am new to AWS, i deployed a MERN application in it as follows:
front end on S3 bucket with web hosting enabled;
backend (node, express and graphql) on an ELB;
these two apps are put behind a cloudfront distribution as origins.
the app works fine but a cookie that i am setting is not received by the browser:
the other thing that is bothering me is that the access-control-allow-origin header is set to * although i have the cors policy set in my app to my particular domain.
the cookies are set in development but once i push the code to the server it does not work.
any help is much appreciated.
I made it work but i am not sure what i exactly did. the thing here is that cloud front doesn't not forward the set-cookie if you don't tell it to do so.
I just needed to update the Cache key and origin requests options that you find when you try to update a behavior like this :
I have a create-react-app client and an api that retrieves database content hosted at different URLs on Heroku. Inside my client's package.json the proxy for api calls is "https://theclients-api.herokuapp.com" (this isn't the actual URL). However, when this api is called, the request is instead sent to https://theclients-front.herokuapp.com/getcontent (the root URL of the front-end client) instead. Why is this happening, and what could I do to fix it?
I made a react add with node backend using the stripe express checkout form, and passing the source and other data to the backend to subscribe users, but on production it does not work.
I have it on an ubunutu vps, and the app is served with nginx as a reverse proxy of localhost. but it is not working, i also added ssl certificate to the domain but I am getting an error now that says:
Blocked loading mixed active content “http://localhost:8080/api”
on the server version in stripe test mode.
how can this be fixed?
In production it is required that you use SSL with Stripe. Your error is because you are trying to load or access http://localhost:8080/api from an originally https page. Stripe requires that all of your resources are loaded via https/SSL.
You also probably shouldn't be loading localhost in production. You should be using your actual hostname in production with https.
Let's say you load https://example.com/ in your browser. And you want to make a call to your backend server that is running on https://example.com/api. Instead of specifying localhost you can just change the URL to be /api and that will automatically append the domain name https://example.com to the request. This only works for the same domains. If it's separate domains you have to specify the domain name in your request.
I have a backend server and I configured CORS filter to allow my frontend server to access backend public api. Now I want start developing mobile app, which also will communicate with backend server, but I can't simply put all origins in my cors filter. Should I set Access-Control-Allow-Origin to * ? If so, will it be secure enough ? I don't keep user sessions, but with every request users send jwt token.
If you are developing your own mobile app, then you will not need to have to change any CORS setting in your backend. Setting Access-Control-Allow-Origin to wildcard i.e * will make it very unsafe as all sites will be able access public APIs from your site. Access-Control-Allow-Origin is used by different browsers such as Chrome, Firefox, Opera etc to verify if the frontend accessing the API from the backend is allowed to access the content. This is check only takes place if your APIs and your frontend are on two different domains or subdomains. Eg foo.com frontend is trying to access content from bar.com then your backend Access-Control-Allow-Origin needs to be set to foo.com.
I am currently developing an API that will be launched into production in a matter of weeks. I am relatively new to REST, started reading about CORS - and realized that it could impact me.
What conditions will a REST service not be accessible to a client? I have been using sample html/js on the same server, and through Postman - a google chrome addon - to access my API. I have had no issues so far.
When the API goes live, it will be hosted at 'api.myserver.com'. Requests, at the beginning, will come from 'app.myOTHERserver.com'. Will these requests be denied if I do not use a CORS-friendly approach like JSONP or special 'access-control' headers that permit my domain?
What about accessing rest APIs from other non-browser clients? Such as a C# application? Are these requests permitted by default?
Assuming I do need to add 'access-control' headers server-side, to permit the scenario described above when my API goes live, is it better (performance-wise) to let your web server (NGINX in my case) handle the headers, or should I add them through PHP or NodeJS?
This is more about the same-origin policy applied by web browsers than it is about RESTful APIs in general.
If your API is intended to be used by web applications deployed on a different origin host/port than the API, then you have these options:
Respond with appropriate headers that allow for techniques like CORS to work.
Have the web server which serves up your web content (in your example, app.myOTHERserver.com) handle your REST API requests too by proxifying your API requests from the web server through to the API server. For example, you could have your API exposed on your web server under the URL /api, and then it's just a matter of setting up a web proxy configuration that forwards requests under that URL to your API server.
Use JSONP or other techniques.
If your API is going to be used by non-web applications, you have nothing to worry about. This is only a restriction applied by browsers when running JavaScript code to make sure that the user hasn't inadvertently clicked on a phishing link with some hackery in it that tries to send their PayPal password to Pyongyang.
When the API goes live, it will be hosted at 'api.myserver.com'.
Requests, at the beginning, will come from 'app.myOTHERserver.com'.
Will these requests be denied if I do not use a CORS-friendly approach
like JSONP or special 'access-control' headers that permit my domain?
You can specify what clients can access your web service to an extend. Assuming you're using Express: How to allow CORS?