I'm using express / node js for a simple server.
There's no need for secure https everywhere, but I do want to secure some upload form posts and responses that come back on that to phones.
So far I've setup a standard nodejs server on http with express.js.
I have an app.post('/upload'...)
I'm deployed on heroku, so I changed the app I'm testing to post the form data to https://myapp.herokuapp.com/upload
Is it now posting over https? And will the response be over https?
Or do I need to reconfigure the express server in some way to specifically handle that?
These uploads/responses are the only secure part, and non-visible to users (done by the phone app) - so there's no need to do full http ssl endpoint config for the whole domain/sub domain if the above piggyback solution is ok.
On Heroku, SSL is terminated at the routing layer and a X-Forwarded-Proto: https header is added to the request so your app can know that the request came in over SSL. In other words, from your app's perspective, the request is plain HTTP and doesn't need to do anything special, but you can always check for the X-Forwarded-Proto: https header if you want to make sure the request was made securely. If the request was made over SSL, the response will also be over SSL since it they are both part of the same connection.
Related
Let's say I have a C# app that sends HTTPS requests to a webserver.
https://www.webserver.com/checkid=anything
And the web server checks the Id of the request and returns a string response such as Not Active back to the app.
This response will lock some features inside the app.
Is there any way I can redirect that request to another server that I controll and send fake responses such as Active back to my client app through node js proxy or something?
Note: I dont have access to the app source.
OK i found another better solution, I just used Fiddler Everywhere to change the server response to a custom one.
My URL is not working while fetching the data from Server. What I have done is as follows:
Created the Node JS application using Bcrypt and JWT tokens in IIS server.
I am using the access token in URL to get the data from server after validating the User.
While using the accesstoken it is displaying the data correctly with http request but not with https request.
Suppose, we have a URL whose data is http://example.com/Users/Accesstoken(length:350).
So this url will work but if we are replacing the http with https then it is showing the error
Bad Request - Invalid URL
HTTP Error 400. The request URL is invalid.
What I have tried are as follows:
I have tried using the maxURLlength in IIS to get the data, But it has not worked.
I have tried maxquerystring in IIS, this also not worked.
I have tried the port which I have used in nodejs application, this does work in http but not in https.
Now on increasing the limit of Maximum URL length under Feature Settings inside the IIS configuration request filtering settings also it is showing the ssl not secured.
Please help me out in knowing how this can be solved as I need the node js application for calling api and then I need those api's to be used in different applications like asp.net, reactjs, android, ios, etc.
I have found the answer to my own question. It is the issue of SSL not linked with my nodejs application. So in this situation, I have used the SSL configuration while creating the HTTPS server and it has solved my issue. This is the link to the answer https://www.youtube.com/watch?v=USrMdBF0zcg
I have an Express.js app running on a server. On this same server I'd like to setup a MITM proxy that sends all https requests to my Express.js app. The Express.js app is publicly available via https using NGINX reverse proxy. So directing traffic via localhost or via public https url is fine.
This Express.js app just returns a single html file, so I'd also be okay if the MITM proxy didn't need Express at all and just returned the html file.
I was hoping to use the following package since I'm familiar with Node.js, but I'm not sure how to achieve the desired result. https://github.com/joeferner/node-http-mitm-proxy
I'm also open to other solutions if applicable. Thanks!
For this example below, let's just assume my Express.js app returns a simple 'hello world' message.
Example:
Set proxy for application to myserver.com:5555
In application, make request to https://google.com
Proxy server either re-routes traffic to Express.js or returns 'hello world'
Application sees url as https://google.com but sees response of 'hello world'
I understand that the certificates will not match but I can ignore that in my application.
I have deployed my angular application on a server using apache2 . This application communicates with a node application which is deployed on the same server which again communicate to a java application deployed to the same server. All the applications are running on different ports .
Now If I make a "http request like http::/path" I am able to get the response.
Now I have purchased a ssl certificate for my domain. From this i am able to access the front end but the api calls are failing.
I am making calls like "https:domainname.com:port/path" which doesnt work but If i do it like "http:ipaddr:port/path it works" from a rested client but on UI it throws error saying "he page at 'https://domain.in/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint http:ip:port" This request has been blocked; the content must be served over HTTPS.
not able to resolve this . Please suggest a solution.
you need to add proper CORS Header.
Take an look at https://developer.mozilla.org/de/docs/Web/HTTP/CORS
The error
"he page at 'https://domain.in/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint http:ip:port" This request has been blocked; the content must be served over HTTPS
is just a result of being on an https site and trying to make an XHR to a non-https site. So this error should disappear once you correctly set up https for all of your servers and configure your site to use the https://... url when making xhr.
I am making a self-hosted app, and I would like to require HTTPS since sensitive informations might be sent. How can I tell if client is using a secure connection ?
I could use javascript in the browser, but this wouldn't be secure (since an attacker could just bypass this)
The node server might be running as HTTP, but behind a secure nginx/apache proxy.
Optionnally, I would need to enforce this rule every time someone is making a request.
Well you can configure your web server so it redirects the user to the HTTPS url from a HTTP url. Apache htaccess is commonly used ensure that a website is accessible only over HTTPS. See this link for more information: http://www.askapache.com/htaccess/ssl-example-usage-in-htaccess/#redirect-http-to-https