Browsers redirecting http to https - https

I've read a lot of questions and answers about this topic, but nothing I've seen has helped. I have a web app with a node/express backend and an aurelia client. It's one of three I have running in the same subdomain. One of the others has a certificate and the other doesn't. Both of them work perfectly. The new app doesn't have a certificate, but it insists on redirecting all requests to https.
In Chrome I've deleted the domain security policy and cleared my cache and I get the same result. It doesn't matter which browser I use. I've even tried a browser I've never used to access the app with a certificate and I get the same result.
The server code is essentially the same as for the app which doesn't use a certificate.
I'd appreciate any suggestions.
Ross

Related

SSL certificate on Heroku app not working

I recently downloaded an SSL certificate from zeroSSL.com and set it up in my Heroku CLI. Now the website still uses HTTP but it shows that an SSL certificate has been added on heroku.
If Heroku shows that the certificate was added, it should be available. Can you successfully browse to your site using HTTPS?
Note that Heroku doesn't redirect from HTTP to HTTPS for you. They recommend that you do that in application code:
Redirects need to be performed at the application level as the Heroku router does not provide this functionality. You should code the redirect logic into your application.
That page has several examples for how to redirect using common languages and frameworks. I'm not sure what you're using, but I suggest you start there.
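The application-level redirect the answer points to, written as an added example for a node/express app behind the Heroku router (this is not code from the answer or from Heroku's docs). Heroku terminates TLS at its router and passes the original scheme in the X-Forwarded-Proto header, so the middleware has to decide from that header rather than from the socket; the example assumes the dyno is only reachable through the router, because otherwise that header is client-controlled.

```javascript
// Added example: HTTP -> HTTPS redirect for an Express-style app on Heroku.
// Assumption: requests arrive only via the Heroku router, which sets
// X-Forwarded-Proto to the scheme the client used. If the app were exposed
// directly, a client could spoof this header, so do not trust it there.

function httpsRedirectTarget(req) {
  // X-Forwarded-Proto can be a comma-separated list when proxies chain;
  // the left-most value is the scheme the original client used.
  const forwarded = (req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  // Without the header (local dev, no proxy) fall back to the socket itself.
  const scheme = forwarded || (req.socket && req.socket.encrypted ? 'https' : 'http');
  if (scheme === 'https') return null; // already secure, nothing to do
  const host = req.headers.host;
  if (!host) return null; // cannot build an absolute Location without a Host
  return 'https://' + host + (req.url || '/');
}

// Express middleware signature: app.use(forceHttps) before any routes.
function forceHttps(req, res, next) {
  const target = httpsRedirectTarget(req);
  if (target === null) return next();
  // 301 for safe methods; 308 preserves method and body so a form POSTed
  // over http is not silently turned into a GET by the browser.
  const status = (req.method === 'GET' || req.method === 'HEAD') ? 301 : 308;
  res.writeHead(status, { Location: target });
  res.end();
}

if (typeof module !== 'undefined') {
  module.exports = { httpsRedirectTarget, forceHttps };
}
```

Pair this with an HSTS header (Strict-Transport-Security) on the https responses once the redirect is in place, so returning browsers skip the insecure hop entirely.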

SSO Login: Cookie scheme does not match in Firefox

I have a web app (HTML, JS, PHP) on an Amazon cloud server which is integrated in our company's network. Let's say the server's name is
dev-myapp.cloud.myentity.mycompany.com
This app is using the company's global SSO login by getting an OAuth token from the SSO login page and then sending client, secret and callback (as usual). If login is successful, the SSO login redirects to my callback (which in that case is my app's URL above).
The SSO login creates many cookies in the browser. Most of them are flagged as secure but also some are not. For all of these cookies I now get an error
Cookie "xxx" will be soon treated as cross-site cookie against "path_to_any_of_my_sources" because the scheme does not match
I get this error for every script which is loaded (HTML, JS, PHP, CSS) with Firefox.
The domain of the created cookies is
mycompany.com
so there should be no cross site at all.
What can I do to remove these hundreds of warnings, which make debugging really annoying?
If you need more information please let me know. Please understand I cannot provide you with real data from my company.
I was able to fix this same problem by clearing my cookies in the browser.

Flask / CSRF Missing/Expired Token for users with a Proxy on Heroku

Using Python/Flask hosted on Heroku (using SSL with some other additional security features) I'm having an issue where users using a proxy browser extension (usually regular proxy servers that are on before the browser is open are fine) are causing missing CSRF token errors when users submit forms.
The only thing I can find online about this issue is https://nickjanetakis.com/blog/fix-missing-csrf-token-issues-with-flask but I can't mess with the config as referenced here.
Everything works fine if the proxy is on your machine (not a chrome web browser proxy).
Has anyone had this issue before? The only information I can find references if your server is on a proxy, not your user...
Thanks for your insights and help!

NSURLSession and HTTPS

I have an app that uses NSURLSession to run .php files on a web server. The directory on the web server is password protected and the didReceiveChallenge delegate is working perfectly, returning the user name and password. Up until now this has all been over HTTP as it has simply been a proof of concept, and is therefore open to man-in-the-middle threats.
As I near completion I am going to switch to HTTPS using a trusted cert and am wondering what additional steps I need to take (if any) with NSURLSession to communicate with a secure connection, or will it be as simple as switching the URL in the session from HTTP to HTTPS once the server is set up. This will NOT be a self-signed cert.
I have found similar questions on here, but none that have an answer.
Thanks!
So I went ahead and installed a self-signed certificate on my web server, and then simply changed the HTTP to HTTPS in NSURLRequest and all seems to be working just fine!

Heroku gives application error for Safari only, works fine for Chrome or Firefox

Our Heroku application seems to be having a weird issue. The application works fine from Chrome or Firefox; however, when loaded in Safari I am getting the Heroku Application Error Page. We have a test instance running the same application with a custom domain and SSL endpoint but it doesn't have this issue. Also connecting directly to the Heroku URL app-name.herokuapp.com works fine in Safari. It is only when using Safari and connecting to our custom domain that it gives the application error.
The only thing I can think of is an error in the Heroku router, or the SSL endpoint.
I've tried clearing my cache, and changing the DNS for the Safari browser, and asked multiple other people to test and they are experiencing the same issue with Safari.
Has anyone else experienced this issue?
I found that if you forward your domain to Heroku with a "masked" domain while using Safari or iOS there are weird results.
In my case the server side session cookies will not be accessible.
It works perfectly on Chrome and Firefox.
I use GoDaddy to manage the domain name but I do not think they are the cause.
When I remove the "masked" and strictly forward the domain to Heroku all platforms work.