From what I understand, good practice is now to use HTTPS more and more.
I was wondering if I can redirect all my websites from HTTP to HTTPS, or are there cases where HTTPS cannot be used?
I know that it is possible to either redirect or rewrite HTTP to HTTPS. Redirect is trivial. But how can a rewrite possibly change the protocol? At the time the proxy gets the request and performs the rewrite, the HTTP connection has already been established and data was sent unencrypted. Isn't it too late to switch protocol, and does it make sense to only switch protocol on the server side?
I have an API that returns a RedirectToRoute. I have noticed that it will want to fall back to HTTP instead of HTTPS.
Is it possible to make this work with HTTP or HTTPS depending on the original request?
Like if the link is http://example.com/api/myaction then myaction's result would use HTTP. Of course if it were https://example.com/api/myaction then the result would use HTTPS.
I'm trying to redirect all traffic hitting HTTP to HTTPS on my application. Nginx is handling generating keys and certificate signing requests.
HTTPS works perfectly when we type it in manually in the browser's address bar. So to force all HTTP requests to use HTTPS we are changing Spring configuration in various ways.
When adding the requires-channel="https" attribute to <intercept-url/> in our .xml we are getting a 302 redirect loop. We tried declaring the port mappings in a Spring config .xml as suggested in this SO answer but it made no difference to the redirect loop. Looking at the network tab in Chrome dev tools, HTTPS is looping on itself.
Any help/ideas are appreciated, thanks.
My question is simple, but I cannot find an answer and I haven't got any resources to test it myself.
Can I make an HTTPS CORS request from one domain to another HTTPS domain?
Can I make an HTTP CORS request from one domain to another HTTPS domain?
I know that I can do HTTP CORS request from one domain to another HTTP domain, but I don't know if there is any difference when I use HTTPS.
Yes, you can do a CORS request from an HTTPS domain to another HTTPS domain.
The only difference is that, because HTTPS is a secure origin, you can only make calls to a secure origin, so not to HTTP; the browser will block it with a message like:
Mixed Content: The page at 'https://example.com/index.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example2.com/endpoint'. This request has been blocked; the content must be served over HTTPS.
Warning: If you allow HTTP requests to call your HTTPS webpage, it will be insecure because it means an attacker can force requests to your HTTPS webpage with the cookies of a victim and read the answer.
Beware if you still need to support IE8/IE9 and are using XDomainRequest as it does not support cross-protocol requests. As per MDN:
The origin's security protocol must match that of the requested URL. (http to http, https to https). If these do not match, the request will error "Access is Denied".
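The warning above concerns what the HTTPS endpoint returns in its CORS response headers. As an added example (not part of the original posts), here is a server-side origin check in JavaScript that refuses http:// origins, shown next to the weak form that reflects any origin; the allowlisted origins and the function names are assumptions made for illustration.

```javascript
// Added example: origins and names below are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Weak policy: reflects whatever Origin the browser sent, including http://
// pages, and allows cookies. This is the configuration the warning describes.
function weakCorsHeaders(originHeader) {
  if (!originHeader) return null;
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: the Origin must parse, use https:, and match an allowlist
// entry exactly. Anything else gets no CORS headers, so the browser refuses
// to expose the response to the calling page.
function strictCorsHeaders(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== "string") return null;
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch (err) {
    return null; // covers "null" origins and malformed values
  }
  if (parsed.protocol !== "https:") return null; // no plaintext callers
  // URL.origin is scheme + host + port; comparing it to the raw header rejects
  // values carrying a path, userinfo or other trailing data.
  if (parsed.origin !== originHeader) return null;
  if (!allowed.has(parsed.origin)) return null;
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's response to another
  };
}

// Constructed sample Origin headers.
const samples = [
  "https://app.example.com",
  "http://app.example.com",
  "https://app.example.com.untrusted.test",
  "null",
];
for (const origin of samples) {
  console.log(origin, "->", strictCorsHeaders(origin) ? "allowed" : "refused");
}
```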
I have an ajax call that really needs to be HTTPS. However, the page that it is being called from is HTTP. The browser complains about restricted URI denied, presumably due to the same origin policy. Are there any known workarounds for this?
Yes, that's the same-origin policy stopping you. You have to use the same workarounds as for cross-domain requests.
Requests from a non-secure website are not secure, even if you're making requests to HTTPS URLs (because a MITM attack can replace all "https" with "http"), so you should consider using HTTPS for the whole page.