Who has the responsibility to handle CORS? - laravel

I'm developing a GraphQL API on Laravel for mobile and web applications. One of the frontend developers is asking me to disable CORS on the server side because he cannot work with the API due to a CORS problem. The Vue application on his localhost is making requests to my Test API which is on a URL.
From what I understand this isn't a problem for the server side; CORS is a security measure for the server. I believe for development the Vue developer needs to handle this problem by adding a proxy to his localhost.

You are both responsible for getting the application done, and pointing fingers at one another does not solve this problem. This is not a technical problem.
Adding a proxy to the frontend development environment is one way to solve this problem. Another way is to whitelist the domain they are working on, or even putting a wildcard in there as the frontend developer suggested. CORS is a security feature, but it is meaningless for a development environment that does not contain any production data. Being able to get a development environment up and running without jumping through a lot of hoops helps productivity.
Work together. Your responsibility is to create an application, and without a frontend you are also failing at your task of delivering that application.
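One way to implement the "whitelist the domain" option from the answer above, as an added example that is not code from the question, the answer, or Laravel itself: a small CORS allow-list check in plain JavaScript (the origins and environment names are constructed). It also shows why the matched origin is echoed back instead of a wildcard once the API is called with credentials.

```javascript
// Added example, not code from the question or the answer: a CORS allow-list
// check in plain JavaScript showing the "whitelist the domain" option.
// The origins and the env names below are constructed sample values.
const ALLOWED_ORIGINS = {
  development: ['http://localhost:8080', 'http://127.0.0.1:8080'], // dev Vue server
  production: ['https://app.example.test'],                        // deployed web app
};

// Normalise an Origin header to scheme://host[:port]. Returns null for
// unparsable values and for the literal "null" origin (file://, sandboxed frames),
// which must never be allow-listed because any such page would match it.
function normaliseOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

// Compute the CORS response headers for a request. Returns {} when the Origin
// is not on the allow-list for this env: the API still answers, but the
// browser withholds the response (CORS is enforced by the browser, not the server).
function corsHeaders(requestOrigin, env, { credentials = true, preflight = false } = {}) {
  const origin = normaliseOrigin(requestOrigin);
  const allowed = ALLOWED_ORIGINS[env] || [];
  // Exact-origin comparison, never startsWith/includes on the string:
  // "https://app.example.test.other" must not pass for "https://app.example.test".
  if (!origin || !allowed.includes(origin)) return {};

  const headers = {
    // Echo the matched origin instead of "*": browsers reject "*" when the
    // request carries credentials (cookies, Authorization), and Vary: Origin
    // stops a shared cache from replaying one origin's response to another.
    'Access-Control-Allow-Origin': origin,
    Vary: 'Origin',
  };
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  if (preflight) {
    // Preflight (OPTIONS) answers: what the API accepts, cached for 10 minutes.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}
```

In a Laravel app the same allow-list would live in the CORS middleware configuration, with the development entries present only in the non-production environment.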

Related

Access Cloudflare Worker from local environments

I've set up a functional Cloudflare Worker via its route and domain and am using the Worker playground and the quick editor to avoid a deployment.
However, when developing locally I cannot make a request to the worker and get a CORS error.
I’ve read all the docs and implemented most CF security features within Zero Trust. However, nothing is getting us access to our deployed Worker due to strict CORS rules (which we want).
On my machine I am routing through WARP and it is configured for my team name.
I have installed and configured a root access certificate, perhaps not applicable to this issue.
I have also tried to manually auth by visiting the worker URL and getting a login code emailed to me. Perhaps CF Access is not related to Workers?
We need clarification because the docs do not clearly explain the flow for access to Worker URLs when working on localhost.
Community question here.
How do we develop apps with Workers and strict CORS by authenticating a computer or user?
I think you can use Transform Rules to set/remove/update CORS.
It should work for you, because according to the traffic sequence diagram, header modifications are performed before Workers.

Windows authentication box pops up with integrated authentication on web page

I am running two Windows server 2016s with IIS 10.0.14393. One server for staging purposes, and one for production.
The application has one "front-end app" and one "back-end REST API" running on the same IIS server. The front end communicates with the backend (surprise!). The difficulty I am facing is that the staging server works as expected, i.e. no "Sign in" box appears when entering the front-end web page (React). However, on the production server this box pops up.
When the page is loaded, there is JavaScript that fetches some information from the API, and it seems that this async fetch is causing the pop-up to occur (the request is in pending mode until login).
I have studied the configuration of IIS on the two servers but can't seem to find any obvious differences.
Both instances have both Windows authentication and anonymous authentication turned on for both front-end and back-end. I need this as the API has different types of authentication for the endpoints.
Has anyone solved a similar issue?
Thanks
If someone experiences a similar issue the following link may help: https://support.microsoft.com/en-us/help/258063/internet-explorer-may-prompt-you-for-a-password
In my case I was sending the request to the API with the full domain URL. The problem was fixed by just using the machine name (and port in my case) when sending the request. If the whole domain with punctuation is used, the system believes that the request is meant for the Internet and not the intranet, and will not include any credentials.
Another, and probably more robust solution, is to add the site in question to: Internet properties -> security -> Local intranet -> sites -> advanced.

Testing applications behind the firewall with Okta

Getting started with Okta in a "security-conscious" organization, where connecting across the firewall requires a mound of paperwork.
Wondering if there are any best practices for testing applications internally before heading to the DMZ. There are two parts that we're primarily concerned with:
Authentication - any way we could emulate authenticating against something like an Okta preview environment without traversing the firewall?
API testing - while doing internal development, it would be great to be able to make API calls like "create user" against something that is purely internal - even if it's just a stub.
Okta doesn't currently offer a full-fledged mock Okta client, so there's no officially supported method for testing Okta locally.
There's a partial, undocumented mock-okta client here. However, it currently only supports the /oauth2/v1/authorize authorization code flow.

How to disable CORS in mozilla firefox?

How to disable the web security in Firefox or how to solve CORS issue in Firefox during development?
Things tried but did not work:
The option of filtering in "about:config" and setting the "security.fileuri.strict_origin_policy=false" doesn't work
Tried a few add-ons like "CORS-Everywhere" (https://addons.mozilla.org/en-US/firefox/addon/cors-everywhere/). Doesn't work.
How to disable the web security in firefox
Don't. It gives unrealistic results for testing.
how to solve CORS issue in Firefox during development
Ideally: Create a development environment that is just like the live environment.
The server side code will, at some point, need development work performed on it. Your team will need the ability to create a development server with test data in it for that. Use the same development server for working on the client side code.
That way you can do your development work:
without making test calls to the live server (so you never need fake test users doing fake actions on the live server with the risk that test data will escape somewhere end users will see it).
without cross origin issues (because your development server for your client side code will be the same as the development server for the URL you are requesting)
able to use relative URLs
with a browser that acts like the browsers used by end users
As a quick and dirty hack which doesn't have most of the benefits of using a proper test environment: Use a proxy server that maps requests to the same origin as your development environment to the live environment.
I used Charles proxy for that before I moved to having proper development environments.

Loadbalancing simple MVC3 app

I have a simple MVC3 app in the .NET 4.0 framework which does not use sessions. It uses Windows integrated authentication (AD groups). It is deployed on 2 servers (both Windows 2003 and IIS 6). To get MVC3 to work under IIS 6 I have a workaround wherein I added a wildcard map. The app works fine on both machines when I access them directly.
I would like to use a HW load balancer so that I can rotate between both servers seamlessly. And since my app does not have any sessions this should be fairly easy (I hope). What I would like to do is make sure the app is running on the server before the LB sends the request to that app. It could be as simple as checking if a keepalive.htm file exists in that app. Since the number of users for this particular app is very low I do not want to devise a very complicated solution. I tried implementing the keepalive solution but I keep getting a 401 error. Even after I made the file readable by everyone and gave it anonymous access (so no authentication required) it still gives me the same error. I have a feeling that my workaround to get MVC3 to work on IIS 6 is getting in the way.
Any ideas on how to load balance a simple MVC3 app so that Loadbalancer can check if the app is up before forwarding the request?
Thanks for the help.