Is there a way to set a heroku app as private?
I would like to deploy several internal services at heroku and make them only accessible between themselves. I would like to do it this way to hide the backend from the internet access and only allow a frontend app to be accessed by users from outside.
By default, practically everyone who can guess the correct heroku domain could access the backend and attack it directly.
Update:
To be more specific: I am looking for an altenative way besides Heroku private spaces
No, you cannot do this. What you should do if you need this functionality is to secure your web applications with a protocol like HTTP Basic Auth, or OAuth2 Client Credentials. Either of these will allow you to securely authenticate requests BETWEEN your Heroku apps without leaking data publicly.
Related
I have a request to restrict the access (access control) to a small user community in GCP.
Let me explain the question.
This is the current set up:
A valid GCP Organization: MyOrganization.com (under which the GCP project is deployed / provisioned)
Cloud DNS (To configure domain names, A & TXT records, zones and subdomains to build the URL for the application).
Oauth client set up (tokens, authorized redirects URIs, etc.).
HTTPS load balancer (GKE -managed k8s service- with ingress service), SSL certificate and keys issued by a trusted CA.
The application was built using python + Django framework.
I have already deployed the application (GCP resources) and it is working smooth.
The thing is that, since we are working in GCP, all IAM users who has a valid userID#MyOrgnization.com can access the application (https://URL-for-my-Appl.com).
Now, I have a new request, which consists in restricting access (access control) to the application only for a small user community within that GCP organization.
For example, I need to ensure that only specific IAM users can access the application (https://URL-for-my-Appl.com), such as:
user1#MyOrganization.com
user2#MyOrganization.com
user3#MyOrganization.com
user4#MyOrganization.com
How could I do that, taking into account the info I sent earlier ?
thanks!
You can use Cloud IAP (Identity Aware Proxy) in order to do that.
Identity-Aware Proxy (IAP) lets you manage access to applications
running in App Engine standard environment, App Engine flexible
environment, Compute Engine, and GKE. IAP establishes a central
authorization layer for applications accessed by HTTPS, so you can
adopt an application-level access control model instead of using
network-level firewalls. When you turn on IAP, you must also use
signed headers or the App Engine standard environment Users API to
secure your app.
Note: you can configure it on your load balancer.
It's not clear in your question if your application uses google auth (but considering that you talk about org-restricted login I think so) - if that's the case you should be able to enable it without virtually touching anything in your application if you are using the Users API.
The best and easiest solution is to deploy IAP (Identity Aware Proxy) on your HTTPS Loadbalancer
Then, grant only the user that you want (or create a gsuite user group and grant it, it's often easier to manage)
I'm making a Slack App and just implemented OAuth to take advantage of Slack's Web API. I am using the single Access Token for my particular team that I am testing on.
Should I want to distribute this app on the Slack App Directory, will I have to store the Access Token for every single team? How should I go about securely storing these? Will the Heroku database suffice?
Yes, your app needs to store the access token for each Slack team that installs it. And your app will need to access those tokens in order to enable access to that team's Slack (e.g. post a message). Most people will use a local database (e.g. MySQL) on the server to store the access tokens of each team.
No idea how secure the Heroku database is. However, since Heroku is a commercial service I would assume it can provide sufficient security for your app.
My identity and access management tool of choice is OpenAM utilising their container based policy agents, this approach is not possible however using the Heroku Celadon Cedar stack -- at least it doesn't look possible to me (www.heroku.com)
What is the recommended way to enforce authentication and authorization for cedar deployed apps?
Thanks
/W
I'm not sure about the OpenAM access management tool. However if your application requires authentication or authorization then I would recommend to contact third party services linke TeleSign for their identity and access management sevices.
You can store your users in your own database, or used a hosted identity service like Stormpath (disclaimer: it's awesome).
If you end up using something like Stormpath, you'll basically work with a REST API to create, manage, and authenticate users.
I am developing an App for iphone,android using PhoneGap for the client side. On the server side, i have a Restful API with Sinatra/Ruby(Not Rails). The App is free and anyone can access the services but i need to make sure the minimal level of security is implemented so my API is available 24/7.
I heard about oAuth but i am not sure if that is the way to go.
oAuth is a standard for authorization across different authorization domains (e.g. between services) and is probably not what you want.
The easiest way to secure a REST API is the usage of HTTPS. To secure Sinatra have a look at How to make Sinatra work over HTTPS/SSL?
We have a Windows app hosting a WebBrowser control that hits our REST APIs. We like to restrict access to the APIs to be only coming from withing the Windows app itself (for example, the APIs cannot be accessed in a browser, etc).
How can we accomplish that? what is the most secure way without having to expose any kind of credential (for example, if we use HTTP Basic auth, the username and password can be seen by reverse engineering the app itself)?
Thanks a bunch!
EDIT: We plan to distribute the application freely so we have no control over where the connection will be made from.
Restrict the REST interface to only accept connections from 127.0.0.1 (home) and then connect from your rest-consuming application only with http://localhost or http://127.0.0.1 in the URLs (if you use the external IP or DNS name of your machine it'll be treated as a remote connection and denied access).
You can do this with web server settings, or within the code of your REST APIs
I had a similar situation during a project where we distributed an iPhone app that also connected to a REST api that my team developed.
For security we used somewhat of a three-legged scenario. The app was required to authenticate using the user's credentials against a standalone service responsible only for authenticating and generating access tokens. Once the app received a valid access token, subsequent requests to the api required sending this token in the Authorization header.
You could do something similar. If you come up with a credential scheme to authenticate your app as valid API consumers you could use basic auth over HTTPS to obtain tokens, and then only by using those tokens could a consumer gain access to the rest of the API.