The following is an extract from Google Cast Developer Setup:
"Good Receiver URL's usually look like https://website.com/rcvr/myreceiver.html or https://website.com/qarcvr/myreceiver.html"
Question is can I use 'http://website.com/rcvr/myreceiver.html' instead of 'https://website.com/rcvr/myreceiver.html' for the receiver URL?
Yes, you can; it is up to you to decide. For certain apps, there is no reason to use https. If, however, you choose to use "https", you need to make sure that the certificates are valid and the root is known (i.e, do not use a self-signed certificate).
Related
I would like to know what is the best way to redirect everything from marketing-address.com to real-address.com.
best means
as less effort as possible,
as cheap as possible,
as secure as possible.
In detail:
Less effort: If possible without the need of creating a website oder some code like javascript
Secure: https://marketing-address.com should be accpeted by the browsers - no warning.
Cheap: if possible without buying a certificate (I don't think that this is possible) and without having a second webserver running
So in theory, the communication would be like this:
Making the address targeting the same IP address
Making the existing IIS listen to that address to
Let IIS tell the caller "yes, you're totally right here, but I neither I have a website nor do I have a certificate, but you don't need anything of that since you get redirected anyway..."
Is there a chance to accomplish that? If no, I would need to buy a certificate. What would be the solution then?
There are 2 restrictions:
We are using an Azure App Service for hosting an asp.net core site, which seems to be very restricted in configuration possibilities
The browser should definetly show the real-address.com in the URL, not the marketing-address.com.
Have you tried to use an Application Gateway before the IIS/Webapp at the backend?
I believe the AppGW will solve these issues, the AppGW can redirect the hostname to another web address, as many you want to.
https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview#tls-termination
Is it possible to use the same nodeJS server for two/three different domains (aliases)? (I don't want to redirect my users. I want them to see the exact URL they typed in the address bar. However, all three domains are exactly the same!)
I want my users to be logged in on all three domains at the same time, in order to avoid any confusion.
What is the simplest way to do this and avoid cross-domain issues?
Thanks!
If you mean that all domains will serve the same nodejs app then Yes you can do that.
but if each domain should open a different application then you must have a reverse proxy running on the server to handle and manage the sites/vhosts.
You may install nginx and use it as reverse proxy server or look for http-proxy a library for nodejs.
If you would like to manage the vhosts in your app you can look for vhost middleware for nodejs and use it
Choose one of:
Use some other server (like nginx) as a reverse proxy.
Use node-http-proxy as a reverse proxy.
Use the vhost middleware if each domain can be served from the same Connect/Express codebase and node.js instance.
This is a very broad question. Moreover, it is generally a pretty bad idea, SEO-wise, to have multiple independent domains that each serve the same content.
Logging in is generally either done through Cookies, or through extra parameters in the URL. Cookies are always domain-specific, for obvious security reasons. If you want to ensure folks will be logged in to all the domains at once, you can create an internal purpose-driven domain to handle authentication (without such domain showing in URL bar, and only being used for HTTP redirects, effectively); such domain will store the login state for all the rest, and the rest would pick up the login state through such purpose-driven domain (through HTTP redirects).
In general, however, this sounds like too much trouble. Consider that, perhaps, some users specifically want to use different domains for different accounts, so, you'll effectively break their usage if you mandate that a single login be used for all of them. And, back to the original point, doing this is pretty bad for SEO, so, just don't do it.
Hello I would like to implement a payments on my web site.
I have a requirements that to do it in iframe with hidden address bar.
But in this case user would't be abble to see that we are using HTTPS protocol for sending data and e.t.c
Does is it good practice or it is looks like security issue ?
I don't think it is a good idea to hide HTTPS information from end users. If you look at any web security for dummies kind of guide, they all say that when you enter private/financial information etc make sure your address bar display the lock etc.
Even though you may in your HTML that you are using HTTPS, do you really expect users to "view source" your HTML and/or use Fiddler etc? No right?
So, do the right thing- show HTTPS URL.
BTW, from security perspective, if the first page you serve is NOT over SSL, someone could just modify HTML and inject a malicious HTTPS link with valid cert. That is why it is very important to have SSL enabled on your whole website.
No wonder HTTP 2.0 is going to be all SSL :)
Technically you don't need HTTPS if you are using iFrames for checkout. Ofcourse the 3rd party website is always protected... BUT since you cannot explain this to your customers/clients, so you have to have a HTTPS even you are using iFrames even it is secure but to make your customers feel actually that they secure you should have SSL (HTTPS).. Or I know many of your customers will simply leave your website... SO YOU DO NEED IT... YES
To avoid mixed content warnings I would like to have a file that can be delivered under both protocols (http/https). Ie.
http://www.site.com/file.js
and
https://www.site.com/file.js
I've had a look at google analytics injection code and they use a diferent domain, i.e:
http://www.google.com and https://ssl.google.com.
Now I would like something a little 'cleaner'? I really don't want to have 2 websites to mantain. Does anyone know if this is possible in IIS?
Thanks
Guido
This doesn't have to be a different domain, it will typically use the domain just a different port. See "How to Setup an HTTPS Service in IIS."
EDIT
I see you you are talking about mixing SSL and non SSL, so if my answer above doesn't help. It seems that using relative URLs are the answer. Take a look at Http-https transitions and relative URLs.
How do I find out from within an HttpModule what domain made a particular request?
Say I only want to allow site1.com and site2.com to use images from my server, how do I check that it is them making the request?
There's no way to do this in every case. Consider that UrlReferrer may not be set. Also, consider that you could be called by a client that does not have a DNS address.
Instead, you should consider configuring IIS to authenticate using user certificates. If you've only got a small number of sites calling you, generate a certificate, register it with IIS and map to the user you want, then give the certificates to those two machines to be installed on them.
Request.UrlReferrer, but it can easily be spoofed.