Locally on http://127.0.0.1:8000/ reCaptcha works as expected.
When deployed to PythonAnywhere ("production"), on the form where it is supposed to work, I get only "Verify" (the label) but nothing else.
I have used the keys from Google in db.py as:
from gluon.tools import Recaptcha
auth.settings.captcha = Recaptcha(request,
'6LeHlgMTAAAAAPMaNZSNaaYabmbr8amc6BzjAjsu', '6LeHlgMTAAAAAKCaa8nUQsmDPjpAAh_CIR40o7G')
I have added the script from Google in layout.html
And another script from Google at the end of the form where reCaptcha is supposed to be.
I know that locally reCaptcha is not really checking the public/private keys, and that may explain why it works locally, but still - what am I doing incorrectly?
OK... So the issue was on the PythonAnywhere side.
Once they took care of the whitelist - reCaptcha works as expected from the website hosted at PythonAnywhere.
And... this feature is now also part of the free option (it used to be available only for paid sites).
Thanks Giles and Conrad!
If you look at the documentation for reCaptcha, you will see that
you need to set up an API key pair specifically for your pythonanywhere site, and
the verification process involves getting your webapp to talk to the google reCAPTCHA server to verify.
This second part means that you will have to get a paying account for this to work as PythonAnywhere restricts external internet access to whitelisted sites only.
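The server-side half of the check described in the answer above, as an added example that is not part of the original posts or of web2py. It posts the token to Google's `siteverify` endpoint and treats an unreachable verifier (for instance outbound traffic blocked by a host whitelist) as a failed check instead of letting the form through; the function names and the injectable `post` parameter are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def http_post_form(url, fields, timeout=5):
    """POST form fields and return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode("ascii")
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def verify_recaptcha(token, secret, remote_ip=None, post=http_post_form):
    """Return (ok, reason). Transport or parsing failures count as a failed check."""
    if not token:
        return False, "missing-token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = post(SITEVERIFY_URL, fields)
    except (urllib.error.URLError, OSError, ValueError) as exc:
        # Typical when the host only allows outbound traffic to whitelisted sites.
        return False, "verifier-unreachable: %s" % exc.__class__.__name__
    if isinstance(result, dict) and result.get("success") is True:
        return True, "ok"
    codes = result.get("error-codes", []) if isinstance(result, dict) else []
    return False, ",".join(codes) or "rejected"


if __name__ == "__main__":
    # Constructed stand-in for a host with no outbound access to Google.
    def blocked(url, fields):
        raise urllib.error.URLError("connection refused by proxy")

    print(verify_recaptcha("constructed-token", "PLACEHOLDER_SECRET", post=blocked))
```

Logging the `verifier-unreachable` reason separately from real rejections makes a hosting-side network restriction visible straight away, rather than looking like a key problem.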
I am trying to add the Google One Tap login to our internal website but I am getting the following warning. Although I have already added the main domain and subdomain (just to test) in Authorized redirect URIs and Authorized JavaScript origins, I am still getting this error.
I read in the document where it says no verification is required when the app is used internally.
Thanks in advance for any guidance
In order to add the new "Sign in with Google" option on websites which are hosted on dynamically created subdomains, one can use the solution provided by Google, which is its integration via iframe.
The annoying part is that the documentation didn't mention this as another possible solution in its subdomain section.
Here is the screenshot of this.
A few months ago I deployed this Laravel app in cPanel. But now when I'm accessing the site it shows me this message... I think it is hacked or malware was added to the app.
Can anyone tell me what security steps I should follow for deploying the project in cPanel securely?
How can I protect my app from attackers in cPanel?
What I missed as a basic thing in my app was that APP_DEBUG was false; I have to set this to true.
Except this is App_Debug:
Is there any security I should follow...
Or should I move from shared hosting to dedicated hosting?
This has nothing to do with your hosting or your APP_DEBUG setting. In fact, never set APP_DEBUG to true on a live website: this can leak all your environment variables, including database credentials, to the world.
Here's an explanation from the google site:
Social engineering is content that tricks visitors into doing something dangerous, such as revealing confidential information or downloading software. If Google detects that your website contains social engineering content, the Chrome browser may display a "Deceptive site ahead" warning when visitors view your site. You can check if any pages on your site are suspected of containing social engineering attacks by visiting the Security Issues report.
In your case it may be because either (as you said) the website was hacked and this content injected in it or (less likely) there is content you added to the site that Google is interpreting as misleading (either because it is or because it looks like it is even though it is not).
The remedy here is explained by the above linked site (won't include the entire text, just a gist, but do check the entire Google site):
Check in with Search Console
Remove deceptive content
Check the third-party resources included in your site
Request a review
If your page has been hacked then you should probably just delete everything, change your passwords (all of them), reset the app key and re-deploy it. Also contact your shared hosting provider to tell them what happened in case they need to be aware of any vulnerabilities or credential leaks.
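A pre-deploy check for the APP_DEBUG and app-key advice in the answer above, as an added example that is not part of the original answer or of Laravel. The sample `.env` is constructed, the function names are hypothetical, and treating any APP_DEBUG value other than an explicit false, 0 or empty as enabled is a deliberately conservative assumption, not Laravel's exact parsing.

```python
import re

# Constructed sample of a Laravel .env file (not taken from the page).
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=local
APP_KEY=
APP_DEBUG="true"   # left on after troubleshooting
DB_PASSWORD='s3cret # not a comment'
"""

_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
_DISABLED = {"false", "(false)", "0", "", "null", "(null)", "empty", "(empty)"}


def parse_env(text):
    """Parse KEY=VALUE lines, honouring quotes and unquoted inline comments."""
    values = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank line or full-line comment
        key, raw = m.group(1), m.group(2).strip()
        if raw[:1] in ("'", '"') and raw.find(raw[0], 1) != -1:
            raw = raw[1:raw.find(raw[0], 1)]  # text between the quotes
        else:
            raw = raw.split(" #", 1)[0].strip()  # drop a trailing comment
        values[key] = raw
    return values


def audit_env(text):
    """Return findings that should block a production deploy."""
    env = parse_env(text)
    findings = []
    if env.get("APP_DEBUG", "").lower() not in _DISABLED:
        findings.append("APP_DEBUG is not explicitly disabled")
    if env.get("APP_ENV", "production") != "production":
        findings.append("APP_ENV is '%s', expected 'production'" % env["APP_ENV"])
    if not env.get("APP_KEY"):
        findings.append("APP_KEY is empty")
    return findings


if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV):
        print("FAIL:", finding)
```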
I have a heroku app hosted at https://rosalinep.herokuapp.com/ that I'm trying to move to the address www.rosalinep.com. (I'm not picky about redirections from rosalinep.com or https vs http, I just want to have this website launched without 'herokuapp' in the url right now.) I used Google Domains to get the domain rosalinep.com, and used the following configurations:
On Google Domains:
synthetic records image
custom resource records image
On Heroku:
domains image
Last night when I first tried to launch this, it worked, but this morning I'm seeing the following error page (which is a total bummer...):
broken website image
Running 'heroku domains' confirms www.rosalinep.com is in the app's custom domains.
I did some searching to try and fix this problem, and it looks like some people in similar situations have reported success in using CNAME like I used, but Heroku's documentation seems to say that an ALIAS or ANAME is necessary for root domain configuration, and those options are apparently not supported by Google Domains.
Because of how Heroku works, they do not release the IP addresses of the apps you create on it, so I can't directly feed it an IP address.
I've gotten pretty stuck and confused in trying to resolve this. Any info on whether I can get this working with Google Domains would be greatly appreciated. Also, if it can be helped, I'd like to not pay for any additional services.
If Google Domains is a non-starter for this though, well, I'm open to other Domain registration websites.
Fixed it! :) After all that, it was just four characters that caused all this headache...
The issue was that in the Google Domains custom resource records section, in the Data field I had 'www.(dns_data_here).com.' when it should have been '(dns_data_here).com.'
The site is now up and running on the new url!
I'm faced with a difficult scenario regarding OAuth 2 authentication and Google's Calendar API.
I am attempting to write a PHP script which processes my personal calendar data after being triggered by a POST call from an external source. However, I am having trouble granting the script access to my account. Since the script runs entirely in the background, there is never an opportunity for me to enter the authorization code which is required for PHP command line tools making Google API requests.
I have looked into Service Accounts, which grant access to personal data without individual approval, but unfortunately this is only available to G Suite users, which I am not.
I have also attempted to run my script manually, enter the code to authenticate, then run it from my external source. This doesn't work either, because the authorization codes are apparently only good for the same mode of access where it was entered, and the response to the external source still shows as asking for the code.
Lastly, please note that responding with the authorization code from the external source is not an option. While I can activate the trigger, I cannot change how it works or the data it passes.
TL;DR: How do I grant a PHP script (which runs only in the background) access to my personal Google Calendar data?
Thanks in advance!
Articulating this question actually helped me better formulate my Google searches, and I found the answer!
I'll leave this question/answer here so somebody can hopefully benefit from it -
Turns out that the Service Account is the way to go, but instead of trying to access your account's data via the service account, you need to share the calendars in question with the generated service account email address. Essentially, this makes the service account a "co-owner" of the calendar. Then, you simply make the request to the service account's own information.
Hope this helps!
The company that I work for is partnering with another organization and they want to white-label our Django app (which is hosted on Heroku). We currently have an EV certificate and SSL endpoint. The new goal is to secure both domains and avoid any certificate nags/warnings each time a user goes to the page via the new domain name.
I believe that I should be able to accomplish this with a SAN/UCC certificate. I've found a couple of very similar questions posted. See here. However, while the page referenced in the previous answer still exists, the anchor for "serving-multiple-domains" is no longer on the page. And doing a search on the page doesn't find anything (maybe I'm missing it).
My question is does Heroku still support this functionality? If so, is a SAN/UCC cert the best way to accomplish this? Are there other options?