I am trying to figure out technology that we can use to intercept a specific request from my decide(laptop).
Example: I would want to validate the request(post, put, get) being made from my device to https://www.example.com. It can be even from a native application(windows in my case).
I would be happy if someone can help me with code snippet.
Please help !
Related
I have an API on one of our production manifacturing machines that has no documentation but the machine also has web interface. I open the interface on our internal IP that machine has - https://192.168.55.61/
So when I go to the section where I see the logs from the machines I go to console->network and I see the endpoint request performing:
When I use the URL and cookie in my Postman it works and returns an answer:
The problem is answer's format. Here I am not familiar how I should handle this and if I should put another Header for format. Is it possible to read this as you can see it returns something quite not readable. Also vendor of the machine is not willing to give me API documentation as he is insisting that something like API does not exist on machine (which is obviously a lie).
Is there any change to check something on console->network also to be able to help me to read the format?
EDIT:
Response Headers:
For about two weeks, customers complain that our site is broken. After debugging and asking customers for screenshots of the error, we found out that Kaspersky Internet Security blocks AJAX requests, necessary for the site to work.
Console writes this error:
TypeError: ns.GetCommandSrc is not a function
What makes Kaspersky block certain requests?
Our site is on www.mysite.example and makes requests to api.mysite.example. access-allow-origin headers are set and work for us and most of the other customers.
I found that in KAV Settings/Additional/Network, there is an "Inject script into web traffic to interact with web pages" option.
Try turning that off to see if stops the problem.
I have the same issue. The block is intermittent. It looks to me that KAV tries to get some info from its servers to deal with the request, and if that fails, it breaks the AJAX call.
Luckily for me, I have a fallback action, providing default information to the app when the AJAX fails.
In another thread someone suggested that the issue is with the URL or parameters of the call. If it has keywords that can indicate a sensitive operation (banking and such), KAV gives it some extra attention. In my case the call has "license" in the URL, so it may be a correct guess. I'm planning to change the URL to something unremarkable, but it will take some time.
Our API requests have started failing with the error "Request header field yammer-capabilities is not allowed by Access-Control-Allow-Headers".
Before the weekend, everything was working correctly.
Anyone else seeing this?
Same problem here, but it is not the first time, and I think we shouldn't change anything: Yammer's API is slowly beginning to be migrated to Office365's API, maybe this is why there is so much errors in this API... (hope so!)
If you want to see what they're working on :
https://about.yammer.com/success/engage/grow-your-network/release-schedule
Btw, did you try to post this issue on yammer Developer Network ? This can really help, they are using there own social network to communicate ;)
We have a need to consume an external REST Api and dynamically update content on our website and have ran into the age old problem of cross site scripting and Ajax.
I've read up on JSONP however I don't want to go down that route in a million years as it seems like really a rather dirty hack.
As a solution to this issue is it "right" and "proper" to have a local service that acts as a proxy for any requests to an external Api? So on the client there would be an Ajax call to ../RestProxy/MakeRequest passing it the details of the request it needs to make to the external api, it performs the request and returns anything passed back.
Any thoughts would be appreciated.
There are three ways to do this:
1. JSONP
This is accepted by many popular APIs and frameworks. JQuery makes it easy. I would recommend this.
2. Proxy
Works pretty much as you described. Adds an extra step and server code and server load for you. However, it does allow you to filter or otherwise manipulate the results before sending them to the client.
3. Rely Access-Control-Allow-Origin
This is a header that the server can set to allow you to read json directly from their server even though you aren't on the same domain. This eliminates the need for the jsonp hack, but it requires the the server be setup to support it and it requires a web browser that supports it.
Access-Control-Allow-Origin is supported in:
IE8+
Firefox 3.6+
Safari 4.0+
Chrome 6+
iOS Safari 3.2+
Android browser 2.1+
If you need to support IE7, then this option isn't for you.
I'm trying to secure the channel between my socket.io client and the node.js side. The main web application is in Drupal so I can't pass the cookies to node.js if node.js is on another host. I'd like to add some custom headers to he Socket.io HTTP handshake (like the PHP session).
Do you know if it is possible?
Using Socket.io 0.7
P.S: I am just brainstorming here a little bit. I like this problem and am going to think a little bit more about this. I only thought about it yet from node.js same domain only...
Github issue
I don't know(don't think so) if it is possible to add headers.
P.S: I think you should also try to fill issue at https://github.com/LearnBoost/socket.io/issues. The nice thing about github is that author will receive an email when somebody posts an issue. Also the people at learnboost are really nice people who like to help you out.
Proxy
Proxy all your request so that request come from same domain.
Refererer
The refererer is passed so you can pass information from this. This can also be spoofed so you better create something you can validate(only once) from Drupal. I guess this would be pretty easy to implement...
only allow message-flowing after verification.
What I know you can do is disconnect sockets via socket.disconnect(). Open connection and retrieve socket.io's id, but only accept messages after identity has been approved. I would make a route available via express which Drupal can curl post socket.io's id to to (keep route private). Because you are inside Drupal's domain you can access Drupal's session information.
// v0.7.x
var sid = socket.id;
To make this secure the only option is to use SSL(that is the only way you can make any communication link secure anyway). If you trust both domain's SSL is probably not really necessary. Then if socket.io's id is allowed you will allow message-flowing else I would just disconnect the connection.
PusherApp
Another option would be to implement/clone pusherapp authentication => http://pusher.com/docs/client_api_guide/client_channels#subscribe-private-channels
P.S: I will to try and upload an example later, but for now it is time for me sleep. Hopefully this made any sense :)...