What does 302 redirects as filters mean? - web-hosting

I have a hosting account on GoDaddy which has been redirected for the last few days, to be precise, 5 days.
After mailing them quite a few times, this is what they had to say:
The 302 redirects are filters setup to maintain the integrity of the hosting server while we investigate and resolve an issue(s)
The post is not for boo-haa of GoDaddy, all I want to know is the technical aspect of the above term.
Why are these filters set, how are they set and what purpose do they fulfill?
Any sort of detailing on the issue will be helpful. Being a developer, it will only help when I plan to roll out hosting on my own.

The filter was set by GoDaddy to restrict access to your account until they can complete an investigation. The why would depend, but if your website had illegal content on it, whether you put it there, a user of yours did, or your account was hacked and someone else did, those would be some possible whys. By illegal I mean anything in violation of their policies or the law. The purpose is to protect their network and/or you in the event that someone else is responsible for whatever they are investigating. I would call them.

I am in the process of pulling my website from GoDaddy because of the same reason. They will randomly run a 302 redirect filter to protect their server. I found about 1/3 of my potential customers were being redirected to a non-working version of my website. I spoke with a support staff at GoDaddy and they had no reason, but it is designed to protect their system. This is what you should look for. I use a company called Stat Counter and it shows your visitors' paths; my web address is www.actions4photographers.com. What GoDaddy does is take my web address and add 4 or 5 letters to the end of it, redirecting my customers to a non-working version of my site.
I have had customers tell me my site was not functioning and I spent a small fortune trying to find out why. Now I know. Trying to get GoDaddy to admit that they were running the 302 redirect filters was like pulling hen's teeth. I have been spending... like most of you, a lot of time and money working on getting traffic, to find out they are just turning away 1/3 of my traffic. How is this fair?

Related

Custom google-domain for heroku app causes IP/DNS address error

I have a heroku app hosted at https://rosalinep.herokuapp.com/ that I'm trying to move to the address www.rosalinep.com. (I'm not picky about redirections from rosalinep.com or https vs http, I just want to have this website launched without 'herokuapp' in the url right now.) I used Google Domains to get the domain rosalinep.com, and used the following configurations:
On Google Domains:
[image: synthetic records]
[image: custom resource records]
On Heroku:
[image: domains]
Last night when I first tried to launch this, it worked, but this morning I'm seeing the following error page (which is a total bummer...):
[image: broken website]
Running 'heroku domains' confirms www.rosalinep.com is in the app's custom domains.
I did some searching to try and fix this problem, and it looks like some people in similar situations have reported success in using CNAME like I used, but Heroku's documentation seems to say that an ALIAS or ANAME is necessary for root domain configuration, and those options are apparently not supported by Google Domains.
Because of how Heroku works, they do not release the IP addresses of the apps you create on it, so I can't directly feed it an IP address.
I've gotten pretty stuck and confused in trying to resolve this. Any info on whether I can get this working with Google Domains would be greatly appreciated. Also, if it can be helped, I'd like to not pay for any additional services.
If Google Domains is a non-starter for this though, well, I'm open to other Domain registration websites.
Fixed it! :) After all that, it was just four characters that caused all this headache...
The issue was that in the Google Domains custom resource records section, in the Data field I had 'www.(dns_data_here).com.' when it should have '(dns_data_here).com.'
The site is now up and running on the new url!

Using googlecl with a non-Gmail address

I am trying to build a small toolbox of scripts such that I can automate some tasks involving Google contacts, calendar and so on. Most of the work is already done by means of the googlecl project, which looks very promising.
As far as I understand the process, googlecl needs to request an authentication ticket from Google by means of OAuth. Admittedly, I have only a sketchy notion of what is going on there, but that’s something that Wikipedia will help me solve.
Here’s the catch: My Google account uses a non-Gmail address (let it be vucar@example.invalid for the sake of this discussion). The account was created back in the old days when Google didn’t force GMail down people’s throats who have no use for it. googlecl will direct me to https://www.google.com/accounts/OAuthAuthorizeToken?oauth_token=…&hd=example.invalid to complete the OAuth handshake. Google will then tell me that ‘the domain name has not been signed up for Google Apps’. Which is correct.
If I don’t supply my user ID to googlecl, then the URL reads …&hd=default. Google will accept the OAuth request, granting whichever permissions needed to my locally running googlecl, but then googlecl will complain that the token was issued to a different user ID than for the user ID that was requested. Which of course is also correct.
I’ve read through https://support.google.com/a/answer/33419, which in turn redirects me to http://www.google.com/a in order to ‘sign up your domain for Google Apps’. Apparently, if my Google account uses a domain different from @gmail.com, then I am a business user and need to purchase Google Apps for my domain—to get, amongst a truckload of other stuff, my domain connected to GMail, the polar opposite of what I wanted to have by having that ‘foreign’ domain in the first place.
I have to admit that I am stymied. I understand what OAuth in this case is used for, but I fail to grasp the byzantine reasoning at Google’s. I do not believe that I want Google Apps for my domain, and I especially do not want to hand over my emails or anything else to Google. I merely want to access and modify my data at Google’s, with my user ID happening not to end in @gmail.com.
Is it strictly required that I purchase Google Apps for Work for such a configuration? The contacts, calendars and so forth is already at Google’s, and used from both Google’s web site and Android clients. The only thing new to the mix is API access.

How is CORS safer than no cross domain restrictions? It seems to me that it can be used maliciously

I've done a bit of reading on working around the cross domain policy, and am now aware of two ways that will work for me, but I am struggling to understand how CORS is safer than having no cross domain restriction at all.
As I understand it, the cross domain restriction was put in place because theoretically a malicious script could be inserted into a page that the user is viewing which could cause the sending of data to a server that is not associated (i.e. not the same domain) to site that the user has specifically loaded.
Now with the CORS feature, it seems like this can be worked around by the malicious guys because it's the malicious server itself that is allowed to authorise the cross domain request. So if a malicious script decides to send details to a malicious server that has Access-Control-Allow-Origin: * set, it can now receive that data.
I'm sure I've misunderstood something here, can anybody clarify?
I think @dystroy has a point there, but not all of what I was looking for. This answer also helped. https://stackoverflow.com/a/4851237/830431
I now understand that it's nothing to do with prevention of sending data, and more to do with preventing unauthorised actions.
For example: A site that you are logged in to (e.g. social network or bank) may have a trusted session open with your browser. If you then visit a dodgy site, they will not be able to perform a cross site scripting attack using the sites that you are logged in to (e.g. post spammy status updates, get personal details, or transfer money from your account) because of the cross domain restriction policy. The only way they would be able to perform that cross site scripting attack would be if the browser didn't have the cross site restriction enabled, or if the social network or bank had implemented CORS to include requests from untrusted domains.
If a site (e.g. bank or social network) decides to implement CORS, then they should be sure that it can't result in unauthorised actions or unauthorised data being retrieved, but something like a news website content API or Yahoo Pipes has nothing to lose by enabling CORS on *.
You may set more precise origin filter than "*".
If you decide to open your specific page to be included in another page, it means you'll handle the consequences.
But the main problem cannot be that a server can receive strange data: that's nothing new: everything that is received by a server is suspect. The protection is mainly for the user, who cannot be abused by an abnormal composition of sources (the englobing one being able to read the englobed data, for example). So if you allow all origins for a page, don't put inside data that you want to share only with your user.
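As an added example (not code from any of the posts above), this models both halves of the CORS exchange the answers describe: the server choosing Access-Control-* headers from an allowlist (or, in the weak configuration, reflecting any Origin), and the browser-side check that decides whether the calling script may read the response. All origins and policies are constructed for the demo.

```python
from typing import Optional
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    allowed_origins: frozenset            # exact origins the server trusts, or {"*"}
    allow_credentials: bool = False       # responses may carry cookie-authenticated data
    reflect_any_origin: bool = False      # the misconfiguration: echo whatever Origin arrives


def server_cors_headers(policy: CorsPolicy, request_origin: Optional[str]) -> dict:
    """Server side: pick the Access-Control-* headers for one request."""
    headers = {}
    if request_origin is None:            # same-origin page or non-browser client
        return headers
    if policy.reflect_any_origin:         # weak: every origin becomes "trusted"
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
        return headers
    if request_origin in policy.allowed_origins:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"        # caches must not replay this to other origins
        if policy.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    elif "*" in policy.allowed_origins and not policy.allow_credentials:
        headers["Access-Control-Allow-Origin"] = "*"   # public, anonymous data only
    return headers


def browser_exposes_response(headers: dict, page_origin: str, with_credentials: bool) -> bool:
    """Browser side: the request has already reached the server; this decides
    whether the script on page_origin is allowed to read the response."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials       # a wildcard never unlocks credentialed responses
    if acao != page_origin:
        return False
    return not with_credentials or headers.get("Access-Control-Allow-Credentials") == "true"


def script_can_read(policy: CorsPolicy, page_origin: str, with_credentials: bool) -> bool:
    """End to end: a script on page_origin fetches from a server running policy."""
    headers = server_cors_headers(policy, page_origin)
    return browser_exposes_response(headers, page_origin, with_credentials)
```

Note that the request itself is sent in every case; CORS only gates what the calling page gets to read, which is why the bank's risk is in reflecting untrusted origins with credentials, not in a public API sending `*`.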

How would you implement a 'challenge' question?

So, in the case of applications where security is of great importance - how would you implement the challenge question idea. That is...you would:
Detect if the computer IP has changed and hence ask for the challenge question.
Detect if the cookie is missing.
Detect if the computer name is different.
Some combinations of the methods above?
I am currently working on a forex platform...in asp.net/c# and thinking on how to implement this feature for best results. I think the best and only way will be to check for a cookie change - since if I base it on the IP - the IP might be dynamic by the ISP of the client - also if I count on the computer name then it's not that bright since the computer might be used by more than the user in question...of course if I count on the cookie then the browser might be used by more than a single person...but this is why this is an additional security measure and not the very password/username authentication.
Other than that, getting the computer name (if possible??) + cookie change seems to be the best method. I am tagging this as c#/java since the 2 are very common these days when it comes to authentication and security.
10x!
One thing Facebook did that I thought was good... You can enable an option to have them put a cookie in your browser... Unique for each computer you use... Then if someone without a cookie in the browser logs in to your account, they send an email to you letting you know... I think they geolocate the source IP of the unknown computer and put it in the email as well... So if you live in the US, you wouldn't expect a login from Russia. Not everyone accepts cookies, but for those who do, this optional feature is great and financial firms should do it too...
My bank (and many others) rely on some form of constant two factor auth. Could be as simple as your best friend's name, or if they're like my online broker, high value accounts over a certain balance threshold get a time based password token. You must login first with your password, and then with the token number.
Most financial sites used a hosted picture from their site that you choose to have displayed for your password logins... This helps reduce the risk of phishing losses.
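As an added example (not code from the question or the answers), this sketches the cookie-based approach the asker settles on, combined with the Facebook-style "unknown device" notification from the first answer: a random device cookie whose hash is stored server-side, a step-up decision that keys only on that cookie, and the challenge answer stored hashed like a password. The in-memory store and the salt are constructed stand-ins for a database.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple, Optional

# Constructed in-memory store standing in for a database table:
# user -> set of sha256(device cookie) for devices that already passed the challenge.
KNOWN_DEVICES: dict = {}


class Decision(NamedTuple):
    challenge: bool        # ask the secret question before issuing the session
    notify_user: bool      # mail "new device signed in", as the Facebook-style option does


def _fingerprint(cookie_value: str) -> str:
    return hashlib.sha256(cookie_value.encode()).hexdigest()


def issue_device_cookie(user: str) -> str:
    """Called once the user has answered correctly; returns the cookie value to set.
    Only the hash is stored, so a leaked table cannot be used to mint valid cookies."""
    value = secrets.token_urlsafe(32)
    KNOWN_DEVICES.setdefault(user, set()).add(_fingerprint(value))
    return value


def after_password_ok(user: str, device_cookie: Optional[str]) -> Decision:
    """Step-up decision taken after username/password already succeeded.
    The cookie is the only trigger: IP changes are not used because ISPs hand
    out dynamic addresses, and a machine name is shared between its users."""
    known = KNOWN_DEVICES.get(user, set())
    if device_cookie is not None and _fingerprint(device_cookie) in known:
        return Decision(challenge=False, notify_user=False)
    return Decision(challenge=True, notify_user=True)


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store the challenge answer like a password, normalised so that
    'Rex', ' rex ' and 'REX' all match."""
    normalised = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


def check_answer(stored: bytes, salt: bytes, given: str) -> bool:
    return hmac.compare_digest(stored, hash_answer(given, salt))
```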

Securing AJAX requests

This is a bit of a loaded question, but what precautions can be taken to make sure AJAX requests are more secure. An example would be a reddit style voting system where users either up-vote or down-vote an article or comment.
I need to make sure bots or users can't make more than a certain amount of requests during a time period and voting URLs can't be guessed (to thwart bots).
I did have a look at similar questions, but the ones I checked did not answer the concerns I have above.
If there is anything else that I should be aware of, then please mention it.
Use a session and IP logging technique.
Like from a particular IP how many votes can be done in one day (or period of time).
You can validate IP and session at server side.
You can also output your js using any server side language to insert some secure (random digits). Like as we do to avoid form spoofing.
Ajax security is not different from synchronous form submit security.
Are your users going to be logged into your website? (I'm the one geek in the world who doesn't read reddit, so I don't know how that works.)
If they're logged in, you should be able to read their credentials in your web service, and track how many votes they've made. And if they're not logged in, then just reject their vote altogether.
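As an added example (not code from the question or either answer), this puts the two answers' advice into one request handler for the voting scenario: anonymous votes are rejected, the vote URL carries a per-user, per-item HMAC token that cannot be guessed or copied to another account, and attempts are throttled per session and per IP with a sliding window. The secret, limits and user/item ids are constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Optional, Tuple

SERVER_SECRET = b"constructed-demo-secret"   # real deployments load this from config
LIMIT, WINDOW = 5, 60.0                       # constructed: at most 5 votes per key per 60 s
_attempts = defaultdict(deque)                # key -> timestamps of recent vote attempts


def vote_token(user_id: str, item_id: str) -> str:
    """Server renders this into the page's JS for each votable item; it cannot be
    guessed or transferred to another user/item without SERVER_SECRET."""
    msg = f"{user_id}:{item_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def token_valid(user_id: str, item_id: str, token: str) -> bool:
    return hmac.compare_digest(vote_token(user_id, item_id), token)


def within_rate_limit(key: str, now: float) -> bool:
    """Sliding window: forget attempts older than WINDOW, then count the rest.
    Rejected attempts still count, so hammering the endpoint does not help."""
    q = _attempts[key]
    while q and now - q[0] >= WINDOW:
        q.popleft()
    q.append(now)
    return len(q) <= LIMIT


def handle_vote(user_id: Optional[str], client_ip: str, item_id: str,
                token: str, direction: str, now: Optional[float] = None) -> Tuple[int, str]:
    """Handle one AJAX vote; returns (HTTP status, reason). Checks are ordered so
    the cheap, anonymous rejections come first."""
    now = time.time() if now is None else now
    if user_id is None:
        return 401, "login required"          # anonymous votes are rejected outright
    if direction not in ("up", "down"):
        return 400, "bad direction"
    if not token_valid(user_id, item_id, token):
        return 403, "bad vote token"
    # throttle per session and per IP; evaluate both so each bucket sees the attempt
    user_ok = within_rate_limit(f"user:{user_id}", now)
    ip_ok = within_rate_limit(f"ip:{client_ip}", now)
    if not (user_ok and ip_ok):
        return 429, "rate limited"
    return 200, "vote recorded"
```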