I was reading the Paypal documentation about how to implement an IPN server to receive payment notification (from Paypal POST requests), but I noticed that the requests are in encrypted with HTTPS, and I would like to implement the server with non-secured HTTP. Is there any issue if I do this? Can I use any library that use HTTPS over a non-secured server?
You cannot receive an https request with an http server. It won't connect. For starters, it won't even be on the right port by default and even if you try to force the correct port, an https request won't connect to an http server.
Instead, you can use an https server in your node.js app as explained here in the nodejs https module.
Can a HTTP server receive HTTPS request (node.js)?
No, it cannot.
Is there any issue if I do this?
Yes, it will not connect.
Can I use any library that use HTTPS over a non-secured server?
No, you cannot. https connections will not connect to an http server.
All payment related stuff should be done over a properly secured https connection so even if you could change the client to use http instead of https, you should not do that and, I'd guess that PayPal prevents that either with their client library or by license because the last thing they want is people implementing PayPal payments over insecure connections.
Related
In my existing project of nodejs, I am calling a 3rd party api with http protocol. Now as an update requirement I have to change the protocol to https. The 3rd party team insists on sending SSL certificates with the https request.
Is it my job to configure the SSL certificates from my end or from there side, because in this case they are the backend.
I'm trying to implement Express Gateway, what i need to do is to publish an API that routes to a TLS authenticated web service.
My question is, how do i configure the gateway so i can achieve this flow:
1- Client send request to http://my.api
2- Gateway takes HTTP Request and sends it to a TLS authtenticated webservice
3- Take the response and send it back to the client
My apologizes for the poor english.
I guess there's nothing special here, just make the gateway listen on the http interface and use the proxy policy to the https server targeting.
If I'm running a local NodeJS server over http, and I use axios or request to send a POST request to an https endpoint with a password as part of the data, is someone able to grab the password if they are monitoring network traffic?
Passwords served over HTTPS in POST data are secure. The fact that the origin of request is a Node.js application doesn't matter as the connection is still over the secure protocol.
This might be silly question as I am very new to this. Please help me knowing the details:
I have only below information for a application:
1) Application is accessed using https through browser
2) Application talks to LDAP over SSL connection for authentication purpose
Now, my question is, if there would be some relation between SSL used by https and the SSL which application is using to communicate with LDAP?
Can we disable SSL so that application is accessed using http but the communication between application and LDAP is still over SSL?
There is requirement to change https to http because of some compatibility issue.
Thanks in advance.
Now, my question is, if there would be some relation between SSL used
by https and the SSL which application is using to communicate with
LDAP?
No, those are 2 different connections. In the first case the client is the browser and the server is your application and in the second case the client is your application and the server is LDAP.
Can we disable SSL so that application is accessed using http but the
communication between application and LDAP is still over SSL?
Yes, absolutely. Of course that would mean that the users passwords will be sent as cleartext between their browsers and your application. Depending on your scenario this could be acceptable but for a publicly facing website I would rather say that this is bad practice.
I'd like to create a simple CRUD application using web sockets, with a Java EE 7 Websocket Server, running on Glassfish 4, communicating with a single page website. My question is: how can I secure my application? In other words: how can I perform user Authentication and Authorization? Because there are a few messages that I would like the Server to reply to only after authentication and authorization of the requesting user. Last but not least: how can I provide a "remember me" function? Thank you.
A practical method is for the user to login via your Web page, setting a cookie from your Web app upon successful authentication, and check that cookie in your WebSocket server on the incoming WebSocket connection from the page.
This will require to have the Web page and the WebSocket served from the same origin (otherwise the browser won't send the cookie on the WebSocket connection).
Another possibility is to implement a custom authentication mechanism via messages on top of the WebSocket connection.
Another possibility is to use TLS and client-certificate based authentication.
Note that though WebSocket has a HTTP based initial opening handshake and you can in principle use any HTTP authentication mechanism, there are practical restrictions. E.g. with HTTP basic authentication, browsers will render login dialogs for plain HTML page requests, but not for so-called subresources, like requests for images .. and WebSocket (which also counts as a subresources).