I was writing some test scripts to validate the headers for my .net webapi services. When I look at the traffic through fiddler and invoke the service through my browser I see the correct header Cache-Control: no-cache, no-store. However when the service is invoked with a WebRequest from my .NET test class and I read the response, Cache-Control is set to private. Why would I be seeing different response header values based on the client that is calling the service?
As you probably know ASP.NET modifies the rendered HTML based on user-agent, so that's probably what's happening here. http://msdn.microsoft.com/en-us/magazine/cc300549.aspx
So try using the IE9 user-agent string in your webrequest
Related
How does ASP.NET web Api interprets an empty/no accept header in the request?
will it by default take it as application/json, etc...?
Considering w3 specifications the web-servers can negotiate to each other based on these rules including allowing request method types(GET, POST, etc), content-type and etc. If you wana accept an additional header in your webserver you must define that variable in your webserver configurations, despite not defining this variable cause your webserver won't recieve requests containign that variable in the request header. Default content-type in http request is text/plain.
Hope this can help u bro. Regards.
I have a web crawler on Heroku and I'm trying to call the script from a POST request on Parse Cloud Code httpRequest but I receive a 403 forbidden response basically telling me the Referer Header didn't pass. How can I get past this?
Django's CSRF protection tests the Referer header: see https://docs.djangoproject.com/es/1.9/ref/csrf/#how-it-works. Browsers typically send that header to indicate the page that originated a request, but programmatic user agents don't (cURL, Python requests, and presumably Parse.Cloud.httpRequest) without being told to do so.
To add custom headers to a Parse request, see: Parse.Cloud.httpRequest call with HTTP request header (note the headers object).
That said, you also need to make sure you have a way to get the CSRF token to begin with, and include it either in a XCSRF-Token header or a form field (unclear from your question whether you are doing that).
I'm loading my script on a domain and sending some data with POST and the use of Ext.Ajax.request() to that same domain.
Somehow the dev-tools show me, that there is a failed OPTIONS request.
Request URL : myurl-internal.com:8090/some/rest/api.php
Request Headers
Access-Control-Request-Headers : origin, x-requested-with, content-type
Access-Control-Request-Method : POST
Origin : http://myurl-internal.com:8090
It's both HTTP and not HTTPS. Same port, same host ... I don't know why it's doing this.
The server can't handle such stuff and so the request fails and the whole system stops working.
It's not really specific to Ext JS -- see these related threads across other frameworks. It's the server properly enforcing the CORS standard:
for HTTP request methods that can cause side-effects on user data (in
particular, for HTTP methods other than GET, or for POST usage with
certain MIME types), the specification mandates that browsers
“preflight” the request, soliciting supported methods from the server
with an HTTP OPTIONS request header, and then, upon “approval” from
the server, sending the actual request with the actual HTTP request
method.
If you're going to use CORS, you need to be able to either properly handle or ignore these requests on the server. Ext JS itself doesn't care about the OPTIONS requests -- you'll receive the responses as expected, but unless you do something with them they'll just be ignored (assuming the server actually allows whatever you're trying to do).
If you are NOT intending to use CORS (which sounds like you aren't purposefully going cross-domain) then you need to figure out why the server thinks the originating domain is different (I'm not sure about that). You could also bypass CORS altogether by using JsonP (via Ext's JsonP proxy).
Use relative url instead of absolute, then you will get expected result.
use before request
Ext.Ajax.useDefaultXhrHeader = false
I am developing an API using CodeIgniter and the RestServer for CI (see below). I am also using the Firefox RestClient plugin to test the API.
What I am wondering is how to do the test post (what format).
Tried {"desc":"value"} but it did not work. The API is not "seeing" the incoming post fields.
http://net.tutsplus.com/tutorials/php/working-with-restful-services-in-codeigniter-2/
the post body doesn't need to have a specific format, but the most convenient is to encode the body in the same way web browsers encode form data, specifically Content-Type: application/x-www-form-urlencoded. In particular, the Host and Content-Length headers are not optional, and the Content-Type header is usually needed to tell the server how to interpret the body. A well formed POST request will look like:
POST /path/to/resource HTTP/1.0
Host: example.com:80
Content-Length: 21
Content-Type: application/x-www-form-urlencoded
key=value&key2=value2
It's still up to the server to recognize the content-type header and parse the body that way.
Note that the data is after all the headers, not as part of the request path (in the first line).
Optionally, you can use Proxy Library which i wrote for CI. With that, you can simulate any of possible call to your API(its works for popular REST API too), with more simple syntax instead using cURL...
// An example call to your API end point using POST, will be simply
$this->load->library('proxy');
$this->proxy->http('POST', 'http://somesite.com/api/users', array('username' => 'foo', 'password' => 'bar'));
You can define whatsoever HTTP header too (like API Key or whatever else).
My team is building a site that uses AJAX calls to WCF services for all state changes. Those services only accept a request if its method is POST and its Content-Type is 'application/json'. Assuming that our site has no XSS vulnerabilities, is this sufficient protection against CSRF for our WCF services? Is it possible for an attacker to create a cross-site POST with a custom Content-Type header?
[EDIT]
Obviously there are several ways for a malicious third party site to construct an HTTP POST request to my site. As far as I am aware, however, none of these methods allow for changing the Content-Type header. XHR and Flash both let you set headers, but have strict cross-site restrictions.
Probably, but why not go ahead and check the HTTP Referrer header? Then you will know for sure.