A client has asked for additional security for a web app which would allow only company owned and approved tablet computers (brand not yet known) to connect to a PHP web app.
The app will be un/pw protected but the company would like to prevent all access except via the tablets.
MAC addresses would be great for this but these will be used in the field and use a myFi portable wifi to connect to the server so the MAC address will not be available.
Can anyone point me to a sound method for this secondary validation?
Your best solution here would be to deploy mutually-authenticated SSL between your client tablets and your server. You can use self-signed certificates here so you don't need to buy any from a CA. This will ensure that your server only accepts requests from tablets that have the client-side certificate (configure your server to only accept the self-signed client certificates deployed on your tablets for client authentication).
Related
I've installed the IIS Admin API, it seems to run by default on port 55539
http://localhost:55539/connect
I need to access this externally and ideally want to use SSL, but I can't find this site running within IIS, when I group my sites by port there are no sites bound to anything other than ports 80 and 443.
Does this run outside of IIS? If so is it possible to use an SSL cert with it.
Thanks
The Microsoft IIS Administration API is a REST API that enables users to configure and monitor their IIS web servers. The IIS instance can be configured with any HTTP client by installing the API on the IIS computer.
You may have misunderstood, IIS Administration API is not a website hosted in IIS, it is a standalone application running on its own port. By default, it runs on port 55539 and is not associated with any particular website in IIS.
Every call to the API requires an access token in the request header, and the service cannot be used from outside the machine unless the port it listens on is opened. You can refer this link to know how to connect to the Management Portal.
In addtion, certificates provide a mechanism for web servers to prove their identity and secure communication channels. The Certificate API is essential for creating websites that serve content over HTTPS. All certificates belong to a certificate store. A list of available certificate stores can be retrieved from the certificate stores endpoint /api/certificates/stores. These certificate stores have a claims property that specifies what operations are allowed on the certificates within the store. You can configure it through the certificates section of the application settings file. Currently the certificate store only supports read operations. In the future the API may support importing, exporting, deleting and creating certificates.
I'm developing a cross-browser and cross-platform PWA for a camera slider. The idea is that a Raspberry Pi is serving a web interface for controlling this and also serves as an access point so it can be used without an Internet connection.
But since PWAs need the HTTPS protocol I don't know how I can serve my web application over HTTPS in a local network. Certificates are bought for domain names and not for a local IP address.
I do not want my customers to have to accept an "unsecure" private certificate every time before they can use my application.
Is there even a solution for my problem?
I have developed a RESTful web service using Node.js. I want to host this service on my home PC which is having static IP(which can be access from internet). But I want to host this service using SSL. Note that my home PC is not associated with any internet domain. So I want to know how to host my Webservice using ssl on my home PC. Also I want to know where to buy ssl certificate and what type of certificate? Because most of the certificate authorities who sells certificate talking about ssl for website only.
I have setup a webapp to work with websockets.
This webapp worked fine over local/wired network.
I realiced (maybe im wrong) that websockets cannot work over mobile network 3G/4G because of ISP proxies. But then i saw that secured connection pass through mobile networks proxies (https://github.com/websockets/ws/issues/257).
So i created a simple self signed cert using openssl.
Finally my application works over https to host WSS protocol. So now i tried to connect with my phone using 4G but page does not load. But it works perfectly over WIFI connections, also with my desktop PC.
https://ciroreed.net:8080/
Can i provide other useful information?
EDIT
The problem was that mobile networks sometimes wont load ws:// protocol.
We solve this setting up an https server, and ofc use wss protocol also.this package for sockets https://www.npmjs.com/package/ws
To ensure websocket works here is my advice:
use wss, not ws
use a valid signed certificate
check your wss endpoint with ssllabs.com (especially for missing intermediate certificate, the most common error)
I'll admit i am very new to web app development and have primarily developed offline. I am developing a facebook application and have decided to give windows azure a shot at being my host.
Facebook requires SSL to use and of course on my development machine this works fine, but i do not have my own SSL certificate. In order to have a custom SSL certificate I need to upgrade my azure subscription to get a custom domain and be able to upload my own custom SSL certificate.
Is there any alternative to get my site to allow SSL (https) requests during my development process because paying for a custom SSL, domain and reserved azure instance in an application during the initial build process seems to be a needless expense.
Windows Azure Web Sites is a prime candidate for Facebook application development. If you use the base domain mysite.azurewebsites.net you have SSL without needing your custom domain.
The reason for this being the azurewebsites.net domain has a wild card certificate in place.