We have an issue with an implementation of Google reCAPTCHA (Enterprise) as part of a registration workflow. It works consistently for our dev sub domain, but for our prod sub domains we are mostly getting the following error message on the client side:
Refused to load the script 'https://www.google.com/recaptcha/enterprise.js?render=explicit' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'
When we get this error the CAPTCHA control is not rendered and our members cannot continue through the registration workflow.
This isn't happening under all conditions: for example, if I connect to a VPN I can see the CAPTCHA control some of the time. We have tried adding the explicit sub domains to the reCAPTCHA config, but this hasn't had any impact. We are seeing this across browser types and on mobile as well. Could we get some guidance on how to troubleshoot this issue?
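The console message quotes only the directive that refused the load, so the first thing to pin down is exactly which source expressions would let `https://www.google.com/recaptcha/enterprise.js` through and which would not. The script below is an added example (not code from the original post) that applies simplified CSP3 source matching (`'self'`, scheme sources, host sources with optional wildcard, port and path prefix) to a script-src value. The page origin `https://prod.example.com`, the gstatic follow-on URL and the corrected policy are constructed assumptions; the corrected policy follows the host prefixes Google documents for reCAPTCHA, which the post itself does not quote.

```python
"""Added example: evaluate a script URL against a CSP script-src directive.

Simplified CSP3 source matching: 'self', scheme-source, host-source with
optional wildcard host, port and path.  Not the page's or Google's code.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def source_allows(expr: str, url: str, page_origin: str) -> bool:
    """True if one source expression permits loading `url` from a page at `page_origin`."""
    u, page = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        return (u.scheme, u.hostname, _effective_port(u)) == (page.scheme, page.hostname, _effective_port(page))
    if expr.startswith("'"):
        # 'unsafe-inline', 'none', 'nonce-...', 'sha256-...' never allow-list an external script URL
        return False
    if expr.endswith(":") and "/" not in expr:
        return u.scheme + ":" == expr                      # scheme-source such as https:
    # host-source: [scheme://]host[:port][/path]
    scheme, sep, rest = expr.partition("://")
    if not sep:
        scheme, rest = None, expr
    hostport, slash, path = rest.partition("/")
    path = slash + path                                    # "" when the expression carries no path
    host, _, port = hostport.partition(":")
    host = host.lower()
    if scheme is not None:
        if u.scheme != scheme:
            return False
    elif u.scheme not in (page.scheme, "https"):           # no scheme: page's scheme, or https as upgrade
        return False
    if host == "*":
        pass
    elif host.startswith("*."):
        if not u.hostname or not u.hostname.endswith(host[1:]):
            return False
    elif u.hostname != host:
        return False
    if port == "*":
        pass
    elif port:
        if _effective_port(u) != int(port):
            return False
    elif _effective_port(u) != DEFAULT_PORTS.get(u.scheme):
        return False
    if path:
        if path.endswith("/"):
            return u.path.startswith(path)                 # directory prefix; CSP ignores the query string
        return u.path == path                              # exact path match
    return True


def csp_allows(script_src: str, url: str, page_origin: str) -> bool:
    """True if any source expression in the script-src value permits `url`."""
    return any(source_allows(s, url, page_origin) for s in script_src.split())


def blocked_by(script_src: str, urls, page_origin: str):
    """The subset of `urls` the directive refuses, i.e. what the console would report."""
    return [u for u in urls if not csp_allows(script_src, u, page_origin)]


# Constructed sample data: the prod origin and the gstatic URL are assumptions.
PAGE_ORIGIN = "https://prod.example.com"
RECAPTCHA_SCRIPTS = [
    "https://www.google.com/recaptcha/enterprise.js?render=explicit",   # URL from the console error
    "https://www.gstatic.com/recaptcha/releases/x/recaptcha__en.js",    # hypothetical follow-on load
]
OBSERVED_POLICY = "'self' 'unsafe-inline'"
CORRECTED_POLICY = ("'self' 'unsafe-inline' "
                    "https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/")

if __name__ == "__main__":
    print("blocked by observed policy :", blocked_by(OBSERVED_POLICY, RECAPTCHA_SCRIPTS, PAGE_ORIGIN))
    print("blocked by corrected policy:", blocked_by(CORRECTED_POLICY, RECAPTCHA_SCRIPTS, PAGE_ORIGIN))
```

Because the sources are matched per response, an intermittent failure on prod that does not reproduce on dev usually means the `Content-Security-Policy` header itself differs between responses (for example one set by the application and another injected by an edge layer such as a CDN or WAF). Capture the header from a failing response and from a working one and feed both values to `blocked_by` rather than reasoning from the policy you think is configured. A path-scoped allow-list such as `https://www.google.com/recaptcha/` is preferable to the bare host, since it does not open script-src to every script on www.google.com; reCAPTCHA also renders in an iframe, so frame-src needs its own entries, which this script does not model.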
We have been using WHMCS for a long time now and all was great. Recently we started to get strange complaints from certain people, but not all, that when they log in to the client area they are getting "invalid CSRF security token".
This does not happen on the admin panel, only the client side.
This only happens with some people, on and off.
We tried following links here such as disabling CSRF tokens; this did not fix it.
We also tried disabling the IP save option. I made sure our session path is correct, and we are now at a loss, not knowing what's happening. Any ideas or support would be great.
I'm getting this error, Error 400: redirect_uri_mismatch, even after giving the proper redirect URI. You can check the images below for reference. It works for my localhost but it shows this error for my server. My domain looks like https://xxx.topLevelDomain.com. I'm not able to find the possible cause of this issue after reading most of the issues related to this error. I guess the issue may be that I'm using a subdomain here, but I'm still not sure if that's the issue.
Application info:
frontend is in react hosted on https://someTopLevelDomain.com
backend is in spring boot hosted on https://someSubdomain.someTopLevelDomain.com
Your application is sending from http to a .com domain.
In the Google developer console you have only one http domain listed, and that is localhost.
The redirect URI you are sending from must exactly match one that you have added in the Google Cloud console.
To understand how to set up your redirect uri properly check Google OAuth2: How the fix redirect_uri_mismatch error. Part 2 server sided web applications.
Where is the redirect URI coming from?
Depending upon the programming language, the IDE and the client library you may be using, something will define what redirect URI your application is calling from.
For example, I know that Visual Studio likes to add random ports with C#. I can't tell you what is generating your redirect URI; I can only tell you that
the following needs to be added to your Google Cloud console:
http://________.com/login/oauth2/code/Google
or you need to figure out what is setting the host on your requests and set it to use https, so that you can use the one that you have there now:
https://________.com/login/oauth2/code/Google
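Since Google compares the sent `redirect_uri` with the registered ones as exact strings, the quickest check is to pull the value out of the authorization URL the browser was actually sent to and diff it component by component against what is registered. The script below is an added example, not code from the answer above or from the asker's project; the domains, the `client_id` and the registered entries are constructed stand-ins, with the `/login/oauth2/code/Google` path taken from the answer.

```python
"""Added example: diff the redirect_uri an OAuth client really sends against the
registered URIs, field by field, because Google requires an exact string match.
Domains, client_id and registered entries are constructed stand-ins."""
from urllib.parse import urlsplit, parse_qs

# Constructed stand-ins for the entries in the Google Cloud console.
REGISTERED = [
    "http://localhost:8080/login/oauth2/code/Google",
    "https://backend.example.com/login/oauth2/code/Google",
]

# Components that all have to agree for Google to accept the URI.
FIELDS = ("scheme", "hostname", "port", "path", "query", "fragment")

# Constructed authorization request, as copied from the address bar of the 400 page.
AUTH_URL = ("https://accounts.google.com/o/oauth2/v2/auth"
            "?client_id=123456.apps.googleusercontent.com"
            "&response_type=code&scope=openid%20email"
            "&redirect_uri=http%3A%2F%2Fbackend.example.com%2Flogin%2Foauth2%2Fcode%2FGoogle")


def redirect_uri_from_auth_request(auth_url: str) -> str:
    """Extract redirect_uri from the authorization URL the browser was redirected to."""
    return parse_qs(urlsplit(auth_url).query)["redirect_uri"][0]


def differences(sent: str, registered: str):
    """(field, sent_value, registered_value) for every component that differs."""
    s, r = urlsplit(sent), urlsplit(registered)
    return [(f, getattr(s, f), getattr(r, f)) for f in FIELDS if getattr(s, f) != getattr(r, f)]


def diagnose(sent: str, registered=REGISTERED):
    """[] on an exact match; otherwise the differences against the closest registered URI."""
    if sent in registered:
        return []
    return min((differences(sent, r) for r in registered), key=len)


if __name__ == "__main__":
    sent = redirect_uri_from_auth_request(AUTH_URL)
    print("sent:", sent)
    for field, got, want in diagnose(sent):
        print(f"  {field}: application sends {got!r}, console has {want!r}")
```

On the constructed input this reports a single difference, `scheme: http vs https`, which is the situation the answer describes. When a Spring Boot backend sits behind a proxy that terminates TLS, it builds the redirect URI from the request it received, which is plain http unless the proxy's `X-Forwarded-Proto` header is honoured; the usual pairing (a common setup, not something the post states) is `server.forward-headers-strategy=native` in `application.properties` together with `proxy_set_header X-Forwarded-Proto $scheme;` in the nginx location block. Note also that the path comparison is case-sensitive, so `/code/google` and `/code/Google` are different URIs to Google.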
I am using Laravel 5.6 with nginx for web API purposes. But when I call https://127.0.0.1:8000/api/user
it shows a "Secure Connection Failed" error message in the browser:
Secure Connection Failed
An error occurred during a connection to 127.0.0.1:8000. PR_END_OF_FILE_ERROR
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
I have used middleware and ForceSSL, but no luck.
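`PR_END_OF_FILE_ERROR` is what Firefox shows when the TLS handshake ends before a ServerHello arrives. One common cause of that symptom on a `127.0.0.1:8000` address (an assumption, since the post does not say what listens there) is that the port is served by a plain HTTP listener such as a development server: the client sends a TLS ClientHello, the listener reads it as a garbage HTTP request and answers 400 or hangs up, and no application-level middleware can change that. The probe below is an added example, not code from the question; it includes a constructed plaintext HTTP listener so it runs offline, and it tells you whether a port speaks TLS at all before you touch Laravel or nginx configuration.

```python
"""Added example: tell whether host:port speaks TLS or only plaintext HTTP.

Includes a constructed plain-HTTP listener (standing in for a dev server with
no TLS) so the probe can be exercised offline.  Not code from the question."""
import socket
import socketserver
import ssl
import threading


class _PlainHttpHandler(socketserver.BaseRequestHandler):
    """Minimal plaintext HTTP listener; it has no idea what TLS is."""

    def handle(self):
        data = self.request.recv(4096)
        if data.startswith(b"GET "):
            self.request.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        else:
            # A TLS ClientHello begins with 0x16; a plain server answers 400 (or just closes),
            # which the client reports as a broken handshake such as PR_END_OF_FILE_ERROR.
            self.request.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")


def start_plain_http_server():
    """Start the constructed listener on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _PlainHttpHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_local_port() -> int:
    """A loopback port with nothing listening, for the 'connection refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """'tls' if a TLS handshake completes, 'plaintext-http' if the port answers HTTP
    without TLS, 'unknown' if neither works (closed port, timeout, other protocol)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # only asking whether the peer speaks TLS at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except (ssl.SSLError, OSError):
        pass                                # handshake failed: non-TLS reply, peer closed, or timeout
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            reply = raw.recv(64)
            return "plaintext-http" if reply.startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"


if __name__ == "__main__":
    srv, port = start_plain_http_server()
    print(f"127.0.0.1:{port} ->", probe("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
```

Run `probe("127.0.0.1", 8000)` against the real setup: a `plaintext-http` result means the fix is to put TLS in front of that port (nginx with `listen 443 ssl` proxying to the application, and then call the https address nginx serves) rather than to add more redirect-to-https middleware, which only produces a redirect the browser can never complete.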
I have built a mobile app using React Native.
This app connects with a REST API I built using the Laravel framework.
This API is hosted on a VPS and served over HTTPS.
The mobile app works as intended where I expect it to, with the exception of the following use case:
A user has an iPhone 8 Plus. This user's carrier is AT&T, on 5Ge to be specific.
This user can download the app and install it no problem.
When they open the app, the app connects to the API, and gets the data to display on the home screen.
The user can login, using their credentials, which are sent to the API, and the API returns an access token on a valid login.
Every subsequent request, is sent with an Authorization header: Bearer [token]
These requests specifically, never reach the server. All authenticated routes for the API are unreachable for this user.
Users on other networks, like Verizon and TMobile, do not have this issue.
The mobile app uses Axios library for sending HTTP requests.
A timeout of 25000 (the maximum that can be set on iOS?) is passed as an option to the authenticated action. The action fails for this user.
The error is caught and then sent to a public route on the API, without an Authorization header in the request.
This request reaches the server and adds the error message from the request from the mobile app, to the error log on my server.
When I inspect the error that was thrown by the authenticated action failure, it reads “Network error” with a code of 0.
If the timeout is set lower, at 15000, the error thrown by the failed authenticated action is a timeout error, exceeded 15000.
I have contacted AT&T today, and they said we should contact Apple.
After they patched us through to Apple, Apple said issue sounds like it is a cell tower issue, and offered to run diagnostics on the phone.
My question is: why are the requests that contain an Authorization header with a Bearer token not able to reach my server when the user is on the AT&T network? Is the bearer token making the request bulky and slowing it down to the point where the towers aren't able to send it?
Or does AT&T have some kind of middleware that would trash the request for some reason?
Could the Authorization header cause AT&T to handle the request differently and send it some other way, and could DNS errors cause the request to fail in this way?
Please help, I hope I have explained it well enough.
Edit: Laravel Passport generates access_token for the authenticated API that is 1000+ characters in length. It looks like I can reduce that by about half. I am going to try that next.
I'm finding this is resolved now.
I did two things. I reset my Laravel Passport keys with a specified --length of 1024.
This resulted in my access tokens being around 557 characters long instead of 1000+
I also made some DNS changes in my subdomain. A scan I did showed a nameserver parent mismatch error between the subdomain and parent domain. I made the changes and got those warnings to go away.
These are the things I did. My two app users who are with the AT&T network carrier tested the app tonight after I did these changes.
They logged in. Opened the timeclock. Clocked in. And that request made it to my server like it was supposed to, with the new shorter access token.
I don't know which one of those two things fixed this issue, but I would guess it was the DNS problems that I resolved. I still find it odd that the issue only occurred on the AT&T network and only with an Authorization token in the header of the request.
I get "403 access forbidden web application firewall security alarm triggered" when I try to update products in VirtueMart. I have tried changing different product prices, but I still get 403 access forbidden. I have tried logging in with different users, but it gives me the same error. I also changed the log folder and cgi-bin folder permissions to 755, but it still gives me the "403 access forbidden web application firewall security alarm triggered" error.
[Screenshot: this appears every time I want to update my product prices or when I try to edit K2 items]
I don't know what to do anymore; can you please help me?
Have you tried disabling your web application firewall in the Joomla backend? I am going to guess that your site is running Akeeba Tools, which is a common component, and this may be misconfigured. Start there first. Failing that, track down where your web firewall is. It may be that your .htaccess file is non-standard.