Recently installed an SSL certificate on my webserver for our new website. Now I'm building the website and want to use ogp.me, but they only offer a non-SSL HTTP link.
Will this affect the security of my website?
Our website does not have any 'secrets' or sensitive information, only a contact form.
If <html prefix="og: ogp.me/ns#"> is your only HTTP reference, then no, that link will not affect your security.
In fact, that link is really an Open Graph namespace declaration; that is, it's just the name of a namespace, not a URL at all, even if it looks exactly like one.
I have a Flask API which has no database, just a JSON file that stores the data. At the moment I have put it on an EC2 instance and opened a port so someone can put in the IP address and port and have access to the API that way. The problem with this is that I get a mixed content error since the site it uses is HTTPS and the API is HTTP. I want to put the API behind HTTPS on a proper platform but I'm not sure where to start.
Is there a platform where I can host the API Python file and the JSON file behind HTTPS?
All of them? EC2 allows HTTPS (per #tawfikboujeh's comment). I don't actually know a hosting platform that would allow HTTP but not HTTPS.
There are some options for how you accomplish this:
1. Use a self-signed certificate. This will give you HTTPS, but all the modern browsers will give a nasty warning to all your visitors.
2. Purchase a signed certificate for your IP address from a CA. Just hope you don't have to change your IP address.
3. Purchase a domain and use Let's Encrypt to generate a signed certificate for you.
Option 3 would be the most robust solution, but it does carry the cost of a domain (maybe $10/year).
Google App Engine is perfect for this. SSL cert is free, and you would be in their free tier.
https://cloud.google.com/free
My cert appears to be valid but on the registration page I see an insecure connection warning. Other pages of the site are secure.
Check the console in your browser (F12) for warnings. You probably have resources (CSS/scripts/images) served over insecure HTTP on that page.
There should be three cases for your query:
1. You are using a single-domain SSL certificate that secures only one domain, and your registration page is running on a subdomain or other domain name.
Solution:
If your page is running on another domain name, either a subdomain or a totally different domain name, and the requirement is to secure only that domain name, then take another single-domain SSL certificate to secure only the registration page.
2. You have not enabled the SSL certificate for the registration page.
Solution:
Enable the SSL certificate for your registration page, if you forgot to include that page. Also use the jitbit SSL tool to find whether there are other HTTP URLs remaining on which the same SSL has not been enabled. If any are found, then enable SSL on them too to avoid the mixed content warning.
3. Some content (like images, URLs etc.) of the registration page is on an HTTP page.
Solution:
Check out the reference link on how to deal with secure and non-secure content warnings.
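The check the answers above describe (and the Open Graph prefix question at the top of the page), as an added example that is not part of any answer: a scanner that lists the resources an HTTPS page would fetch over plain HTTP, while ignoring the og namespace declaration. The page markup and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value the browser actually fetches. The <html prefix="og: ...">
# attribute is deliberately absent: it names a namespace and never causes a request.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, url) for every resource loaded over plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link rel="canonical"> is metadata; the browser does not fetch it.
        if tag == "link" and "canonical" in (attrs.get("rel") or "").lower():
            return
        for name in FETCH_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            # Protocol-relative ("//cdn/...") and relative URLs inherit https.
            if urlsplit(value).scheme.lower() == "http":
                self.findings.append((tag, name, value))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a registration page like the one the question describes.
SAMPLE_PAGE = """<!doctype html>
<html prefix="og: http://ogp.me/ns#">
<head>
  <link rel="stylesheet" href="https://cdn.example/site.css">
  <link rel="canonical" href="http://www.example/register">
  <script src="http://cdn.example/app.js"></script>
</head>
<body>
  <img src="//cdn.example/logo.png">
  <img src="http://www.example/banner.png">
</body>
</html>"""
```

Running `find_mixed_content(SAMPLE_PAGE)` reports only the script and the second image; the og prefix, the canonical link and the protocol-relative logo are correctly left alone.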
How to restrict access to GitHub Pages with client side SSL certificate?
For example, I want to have https://username.github.io/ for public access, and https://username.github.io/secret_place only for connections with an SSL client certificate.
Is it possible? If yes, how to configure it?
GitHub Pages is a static site host only, and does not support any server-side code: https://help.github.com/articles/what-is-github-pages/
Essentially github pages are static site hosts only, and do not include routing rules, or any verification of client certificates.
I can't say with certainty but I'm pretty sure this isn't possible in github pages. It isn't really the github pages designed use case.
Is there anything wrong with configuring a webserver to map SSL traffic (port 443) to the same document root as normal traffic (port 80)?
Using the same document root for both HTTP and HTTPS means you need to implement the following:
1. On each page that needs to be secure, there needs to be some application code that redirects the user to the HTTPS version if they somehow got to the HTTP version (or to redirect the user to the login page if they have no session).
2. The login page always needs to redirect to the HTTPS version.
3. For pages that are accessible via both HTTP and HTTPS, you need to set a canonical URL to ensure it doesn't appear like you have duplicate content.
Is there a better way to configure encryption of user account pages? Is there a best practice to separate website into HTTP and HTTPS sections?
It's not necessarily wrong to do this, but as your points 1..3 show, it introduces complications. It seems to me that setting up a separate document root might be a lot simpler than working around the complications.
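One way to implement points 1 and 2 of the question without touching every page, as an added example that is not code from either the question or the answers: a small WSGI middleware that redirects plain-HTTP requests for the session-bearing paths to HTTPS and passes everything else on the shared document root through. The host name, path prefixes and the stand-in application are assumptions.

```python
from urllib.parse import quote


class RequireHTTPS:
    """Redirect http requests for the secure paths to https; pass the rest through."""

    def __init__(self, app, canonical_host, secure_prefixes=("/login", "/account")):
        self.app = app
        # A configured host is used for the Location header instead of the request's
        # Host header, so a forged Host value cannot steer the redirect elsewhere.
        self.canonical_host = canonical_host
        self.secure_prefixes = tuple(secure_prefixes)

    def _is_secure_path(self, path):
        # Match the prefix as a whole path segment: "/account" and "/account/x",
        # but not "/accounts-faq".
        return any(path == p or path.startswith(p + "/") for p in self.secure_prefixes)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO") or "/"
        scheme = environ.get("wsgi.url_scheme", "http")
        if scheme != "https" and self._is_secure_path(path):
            target = "https://" + self.canonical_host + quote(path)
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def public_app(environ, start_response):
    """Stand-in for the site; the real app would also check the session here."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, path, scheme="http", query=""):
    """Run one request through a WSGI app and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": query, "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secured = RequireHTTPS(public_app, canonical_host="www.example.test")
```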
In Internet Information Server 7.x you can define a "secure path" which is required to be accessed over HTTPS, and you can redirect the user to a user-friendly error page.
Maybe this can be a good solution to mix the document root and keep parts of the application secured.
Redirecting http automatically to https allows for man-in-the-middle attacks and is therefore not recommended. A man-in-the-middle could manipulate your HTTP traffic to send you to a malicious HTTPS site that resembles your HTTPS content.
I have a website with only the home page available through plain HTTP.
All other pages are accessible only through HTTP over SSL (https://).
I'm using a CDN for the home page and am very happy with it.
But for me it looks like using a CDN for HTTPS pages is impossible because of security warnings, especially in IE. My files hosted at the CDN are accessible through plain HTTP.
What should I do? How can this problem be solved?
You need to get a CDN that supports serving files over HTTPS, then use that CDN for the SSL requests.
You can do this if their boxes have HTTPS support. What you can't do is use a subdomain of your own domain to CNAME against the CDN network, because SSL doesn't work this way.
So https://cdn.tld/mydomain/path/to/file as a mechanism does work (because browsers will verify the cdn.tld SSL certificate correctly),
but https://cdn.mydomain.tld/path/to/file will not.
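The name check behind the two URLs in the answer above, as an added example that is not part of the answer: the hostname-matching step a browser performs on the CDN's certificate, reduced to the rules for exact and wildcard DNS names. The certificate names are a constructed stand-in for a CDN that holds a certificate for cdn.tld only.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the DNS names in the CDN's certificate (subjectAltName).
CDN_CERT_NAMES = ["cdn.tld", "*.cdn.tld"]


def hostname_matches(cert_names, hostname):
    """Return True if one of cert_names covers hostname.

    Rules as browsers apply them: labels compare case-insensitively; a "*" may
    stand only for the whole leftmost label and covers exactly one label; and a
    wildcard must leave at least two fixed labels (so "*.tld" matches nothing).
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host) or labels[1:] != host[1:]:
            continue  # different depth or a different parent domain
        if labels[0] == host[0]:
            return True
        if labels[0] == "*" and len(labels) >= 3 and host[0]:
            return True
    return False


def cdn_url_validates(cert_names, url):
    """Would the browser accept this certificate for the host named in the URL?"""
    parts = urlsplit(url)
    return (parts.scheme == "https" and parts.hostname is not None
            and hostname_matches(cert_names, parts.hostname))
```

The same function returns True for https://cdn.mydomain.tld/... only if the certificate the CDN presents actually lists cdn.mydomain.tld; the CNAME alone changes nothing in this check.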
Two options, but in general I'd redirect all pages that don't need to be SSL'd to their non-SSL equivalent and only use SSL when necessary.
1. Get an SSL certificate for your CDN host. It's just 30 bucks/year, but you need to take into account that this requires more configuration and, depending on the traffic, this is also more expensive because the server requires more resources for SSL'd connections.
2. For the relevant pages, store the CSS/images/JS files "locally" on your own SSL host and use them when you need SSL. Of course you lose the speed etc. from the CDN, but that's a trade-off. We opted for this because just our signup is SSL; 99.9999% of the time users spend on our website is on non-SSL links.