I have a laravel API. For those that don't know, Laravel uses method spoofing to deal with PUT and DELETE methods so it reads a POST call with _method=[PUT|DELETE] as a PUT or DELETE method.
We test our API with Postman. In postman I can send true DELETE and PUT calls to the server without having to spoof. Up until today both methods worked fine.
Today, our beta server will allow PUT / DELETE methods through but it strips the body parameters from it. This is ONLY happening on our beta server which leads me to believe it to be a server issue but nothing has changed on our server for months. Its CentOS 6.8 using Apache and php 7. The requests get through and then laravel promptly responds as if none of the body parameters exist, whether its a validation error or deleting everything instead of only a certain thing.
Related
I am integrating 3ds for spartacus. The payment provider requires a POST back from an iframe they serve. I post back to an endpoint in OCC. I have added the origin to the allow-from corsfilter.commercewebservices.allowedOrigins=http\://localhost\:4200 https\://localhost\:4200 https\://test.domain.com
The XSSFilter is blocking the request because of this configuration xss.filter.header.X-Frame-Options=SAMEORIGIN, this property is set in hybris platform. When I remove this property manually, the POST is working properly. When set it to an empty string (xss.filter.header.X-Frame-Options=) chrome rejects the requests because of an erroneous header.
How I can I remove this property in configuration, without manually removing the property every time the server restarts?
I am running locally at the moment, but should run on both ccv2 and on custom infrastructure. Hopefully without changes to the http server (nginx/apache) as this is part of a library that we want to publish for spartacus.
When Testcafe runs against our local site, every request it makes during the test steps are prepended with something like http://192.168.1.182:59304/http://localhost:3000 (port number varies per run).
For the most part this works, but our web application makes calls to certain APIs during a user journey, and within TestCafe they might look like: http://192.168.1.182:59304/http://www.example.com/api/v2/customers/1 which come back with a 401 and response body of 'unauthorized'. Some API calls are fine, however.
I guess my question is:
Are there any way to get around this from my side, such as rewrite certain requests, or do I need to contact the API provider - and if so, what would they be potentially looking to do to allow these requests to go ahead?
You have faced this issue: https://github.com/DevExpress/testcafe-hammerhead/issues/2344. It was fixed. Try to run your tests with the latest TestCafe version (1.8.8-alpha.3).
So I've been going through my forms recently to check my SQL queries are secure along with sanitizing any input and have just found that entering <? into a text box triggers a 403 before it even hits the processing file, I can only assume it must be related to mod_security??
My question is, is this something to just not worry about if it's controlled by the web host as I'm using shared hosting.
I recently ran into a problem with submitting form data via a GET request to the server after using jQuery's .serialize() function for the submitted variables. These were web apps that had worked flawlessly for years. It turned out that after a recent ModSecurity rule set update, I was triggering the 211700 (HTTP redirect) and 217280 (smuggling attack) rules in Comodo's WAF ruleset, which the server uses with ModSecurity. I wasn't getting a 403. My IP address got blocked by the firewall. :(
The fix was switching my AJAX code to use to POST instead of GET, and not using .serialize(). I still have some web apps that use .serialize() and GET requests via AJAX without triggering ModSecurity, so I believe it is also necessary to pass suspect characters, as you discovered, though in my testing, all I was using was parentheses.
Since you're on a shared server, it's probably not possible--or worth your time--to find out what rule set the host is using, so your best bet is most likely to switch your form submissions to using POST instead of GET, and not use .serialize(). I figure those rules are there for a reason, and a better approach is to avoid having my code look like it's doing something nefarious than to disable the rules.
I'm coding an app in PHP and I've had issues starting a tag subscription when I don't use HTTPS, I've tested both ways and would prefer to use HTTP if possible.
Has anyone else run into this and know of a solution?
Their documentation doesn't show the need for https. When I use HTTP I get the error
Unable to reach callback URL "http://...
My issue wasn't https vs http. It was my function that curls the post data. I rebuilt it and it works now.
A note for future people trying to use the Realtime API it returns zero data about the Instagram post which I find odd, why note include a post id at the very least. All it currently does is ping your server with data about your subscription effected. Its also worth noting to see that data you have to use this command in PHP
$igdata = file_get_contents("php://input");
Got a really strange problem here. When sending post requests to my PHP script
$_SERVER['REQUEST_METHOD']
returns "GET" instead of "POST".
It works fine for every other REST method
so this is what I get
GET -> GET
POST-> GET
PUT -> PUT
DELETE -> DELETE
It only happens on one of my servers so i'm assuming it's an apache problem and i've managed to figure out that it only happens if I add "www" to my url.
I.e
www.something.com
causes the problem but
something.com
does not
I have tested on different sites on the same server and I get the same thing so I'm assuming it's global config.
Any thoughts
As the HTTP spec says for response codes 301 and 302:
Note: For historic reasons, a user agent MAY change the request method
from POST to GET for the subsequent request. If this behavior is
undesired, the 307 (Temporary Redirect) status code can be used
instead
A third (but unlikely) possibility is you're getting a 303 response to the initial URI. The solution is twofold:
Configure the clients which are under your control to POST to the canonical URI so they are not redirected at all.
Configure your server to redirect using 307 in this case instead of 301/302.