Are JSON transfers automatically encrypted when the server is on Heroku? - json

I was thinking that I needed more secure ways to transfer data between my app and my server on Heroku. I'm worried about MITM attacks. Then I noticed that the web server uses an https address. Does this mean that the JSON I'm sending to the server is automatically encrypted? What about when the server sends JSON back to the client?

If the link the JSON request goes to starts with https then yes. JSON is just content sent over http/https and responses are sent over the same method as the query.
However, if you are on a webpage and there is an ajax call made in the background, then maybe not.
In all cases, it depends on where the http get request goes to: if it starts with https then you are fine.
It sounds like you're saying the request for JSON data is made over HTTPS, in which case you are fine.
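Added example (not code from the question or the answer above): a small client-side helper that only sends JSON to an https: endpoint. The point it demonstrates is the one in the answer about background ajax calls: a relative URL such as /api/data inherits the scheme of the page that issued it, so a page loaded over http:// will send its JSON in clear text even though the same host also answers on https://. The fetch implementation and page URL are injected so the helper can be exercised offline with a fake; the hostnames are constructed.

```javascript
// Resolve a possibly relative endpoint against the page URL. A relative URL
// inherits the page's scheme, which is where a silently unencrypted ajax call
// comes from.
function resolveEndpoint(url, pageUrl) {
  return new URL(url, pageUrl);
}

// True only when the request would actually travel over TLS.
function isEncryptedEndpoint(url, pageUrl) {
  return resolveEndpoint(url, pageUrl).protocol === 'https:';
}

// Send a JSON body, refusing to do so over plain http. In a browser pageUrl
// defaults to window.location.href and fetchImpl to window.fetch; both are
// parameters here so the function can be tested without a browser.
async function postJson(url, payload, { pageUrl, fetchImpl } = {}) {
  pageUrl = pageUrl || (typeof window !== 'undefined' ? window.location.href : undefined);
  fetchImpl = fetchImpl || (typeof fetch === 'function' ? fetch : undefined);
  const target = resolveEndpoint(url, pageUrl);
  if (target.protocol !== 'https:') {
    throw new Error(`refusing to send JSON in clear text to ${target.href}`);
  }
  const res = await fetchImpl(target.href, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  });
  return res.json();   // the response comes back over the same TLS connection
}
```

The check belongs in the client because the server cannot tell a page to use https for a relative URL after the fact; enabling HSTS on the server is the complementary fix for the same problem.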

Related

How can I send get request directly to an API?

I sniffed the network traffic coming out of an app that displays real time data. I am trying to get access to the API to display the same real time data on a website that I am working on currently. I was able to view the GET request and the response using Fiddler and I then sent a GET request directly using the URL. However, my GET request was blocked by CORS policy. I'm a beginner and would like to know how to access the API.
If the server that's hosting the API doesn't supply CORS headers that explicitly allow this, you're not going to be able to make these requests via your browser. I'd recommend making the requests on your server instead of in the browser, because that's not bound by CORS settings.

HTTP request and response messages

If a user requests an HTML web page that consists of some text and three images. For this page, will the client send one HTTP request message and receive four HTTP response messages from the server? Or will the client have to send a separate HTTP request message for each of the three images?
The client requests one resource at a time. It first gets the HTML response. It then parses that response and finds references to images in there. It then goes to fetch those images in separate requests; or perhaps gets them from a local cache if it already has them.
Note that in HTTP/2, the server can proactively send the images together with the initial HTML response if it anticipates that the client will ask for them anyway. That shortens the roundtrip time considerably, but also means the client will receive a large response whether it has already cached the images or not.
The client sends the connection request, and then when the server accepts the request, the server sends the web page to the client in small packages; when the client receives the response from the server, the web page is displayed.
I hope this resolves the doubt.
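Added example (not from either answer): the request sequence the first answer describes, worked through in code. Given the HTML the client just received and its cache, plannedRequests lists the separate follow-up requests it will issue for embedded images, so for the page in the question the total is one request for the HTML plus one per image not already cached. The sample page, page URL and cache contents are constructed for illustration.

```javascript
// Extract the image URLs a browser would fetch after parsing the HTML it got
// in the first response. Relative src values are resolved against the page
// URL, duplicates collapse into one request, and cached URLs are skipped.
function plannedRequests(html, pageUrl, cache) {
  const requests = [];
  const seen = new Set();
  const imgTag = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = imgTag.exec(html)) !== null) {
    const href = new URL(m[1], pageUrl).href;
    if (seen.has(href)) continue;        // same image twice is still one request
    seen.add(href);
    if (!cache.has(href)) requests.push(href);
  }
  return requests;
}

// Total HTTP/1.x round trips for the page: one for the HTML, then one per
// image the client still has to fetch.
function roundTrips(html, pageUrl, cache) {
  return 1 + plannedRequests(html, pageUrl, cache).length;
}

// Constructed sample: text plus three images, one of them already cached.
const samplePage = `<html><body><p>hello</p>
<img src="/img/a.png"><img src="b.png"><img src="https://cdn.example/c.png">
</body></html>`;
const samplePageUrl = 'https://example.test/page/index.html';
const sampleCache = new Set(['https://example.test/page/b.png']);
const sampleRequests = plannedRequests(samplePage, samplePageUrl, sampleCache);
```

With an empty cache the same page costs four round trips in total, which is the "separate request for each image" case from the question; HTTP/2 server push, mentioned in the first answer, would deliver the images without the client asking but cannot consult the client's cache first.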

How to attach Json Web Tokens to an http header?

Most JWT tutorials I've seen say that you can attach it to the headers with AJAX. How do you attach the token on the initial page load?
For example, if a user goes to the base URL '/' and they don't have a token then show them the page. If they do have a token, redirect them to their profile page.
Edit:
I'm returning the generated token with a jquery ajax success function then redirecting the user. When the user gets to the home page ('/'), I'd like the access token to be sent via http headers to my server. Then the server can handle the request. However, anytime the user returns (if they close the browser and go to "mywebsite.com" or any other page), I'd like the server to be able to access the token. Are http headers the best way to do this?
success: function(token){
    localStorage.setItem("token", token);
    window.location.href = '/'; // href is a property, not a function; assigning to it navigates
}
If my application was a Single Page App (SPA), I could just use ajax all of the time, but it's not.
You cannot achieve what you want with HTTP headers. HTTP headers are something which are sent when a request is made to the server. In your case, you want to remember something about the client even if they close their website and come back later. The easiest way to do that is through cookies.
Basically, generate the JWT token for the client and send it to the client as a cookie. This logic will be written on the server side and there are many libraries available to do this depending on the technology you have chosen for the server side. Then every time the client makes a request to your server, browsers make sure that the stored cookies are sent.

Got a mobile app that pulls JSON data from from my server, how do I secure this connection?

I'm developing a website and mobile application that communicate with each other.
It's very basic at the moment: the app makes a get request to a URL and the server returns JSON data.
I want to secure this and make sure no one can send a GET request to the URL and get this data (only the website and the app). Is it OK to make a 60+ character password that the app can send with the request that the server accepts before data is sent, or is this breakable?
I don't want to use OAuth because it's overkill, as only the app and the site are going to communicate. Please provide me with a few solutions, thanks!
You can use HTTPS to transmit data, but you will need an SSL certificate for this.

Meteor js use http.get to retrieve json data from a webpage

Is it possible to use HTTP.get on the client side to retrieve some json data and store it as a string?
I need to get the JSON from this site https://blockchain.info/address/15cNko3ZtmYCba8GoaYsZ6GWFy1VCLgFji?format=json and store it as a string for later parsing.
The above site address for the wallet was chosen at random.
You can perform HTTP.get on the client. As per the documentation it's available Anywhere (Client and Server)
However, the example you've provided isn't on the same domain as your app, and hasn't provided Access-Control-Allow-Origin headers to permit cross-domain requests. So requests from the client will fail.
From Wikipedia:
The same origin policy prevents a document or script loaded from one
origin from getting or setting properties of a document from another
origin. This policy dates all the way back to Netscape Navigator 2.0.
Try typing $.ajax("https://blockchain.info/address/15cNko3ZtmYCba8GoaYsZ6GWFy1VCLgFji?format=json"); in your browser console in your application development tab.
You're likely to receive this error as response :
XMLHttpRequest cannot load https://blockchain.info/address/15cNko3ZtmYCba8GoaYsZ6GWFy1VCLgFji?format=json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
This is a CORS related issue which is a whole topic on itself so I suggest you google this and understand its implications.
Next, if you can control CORS settings on the domain where you're trying to fetch JSON from, then you need to allow cross origin requests from your web application domain; this is possible when using an Amazon S3 bucket, another web application you designed, etc...
If you can't, then I'm afraid you'll have to use a Meteor.method client side to reach your Meteor server where you'll fetch the json with HTTP.get then send it back to the Meteor client.
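Added example (not code from either answer): the server-side half of the CORS situation described both in the Fiddler question above and in this Meteor answer. corsHeaders is what an API you control would run on each request: it grants access only to origins on an allowlist, echoes the exact origin back rather than a wildcard (a wildcard is not allowed together with credentials), and adds Vary: Origin so a shared cache does not hand one origin's grant to another. fetchJsonViaServer is the alternative both answers recommend when you do not control the API: a server-side fetch, which the browser's same-origin policy does not constrain; it pins the scheme and host so the proxy endpoint cannot be pointed at internal services. The fetch implementation is injected so the example runs offline; origins and the sample response are constructed.

```javascript
// Decide, per request, which CORS response headers to emit. Returns an object
// with no Access-Control-Allow-Origin when the origin is not allowed, which is
// exactly the case that produces the browser error quoted in the answer.
function corsHeaders(requestOrigin, allowedOrigins, withCredentials) {
  const headers = { Vary: 'Origin' };
  if (!requestOrigin || !allowedOrigins.includes(requestOrigin)) {
    return headers;
  }
  headers['Access-Control-Allow-Origin'] = requestOrigin;   // exact origin, never '*' with credentials
  headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS';
  headers['Access-Control-Allow-Headers'] = 'Content-Type';
  if (withCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

function isCorsGranted(headers) {
  return typeof headers['Access-Control-Allow-Origin'] === 'string';
}

// The server-side fetch (a Meteor.method body, or any server route). fetchImpl
// would be the server's HTTP client; it is a parameter here for offline tests.
async function fetchJsonViaServer(fetchImpl, url, allowedHosts) {
  const target = new URL(url);
  if (target.protocol !== 'https:' || !allowedHosts.includes(target.hostname)) {
    throw new Error(`refusing to proxy to ${target.href}`);
  }
  const res = await fetchImpl(target.href, { headers: { Accept: 'application/json' } });
  if (!res.ok) throw new Error(`upstream returned ${res.status}`);
  return res.json();   // hand this back to the client, which never talks to the third party
}
```

The proxy pattern moves the trust question to your own server: whatever it is willing to fetch, any visitor can make it fetch, which is why the host allowlist matters as much as the CORS allowlist.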