We have web site and API and their URL as http://example.com/?api=xxxxxxxxx
suppose we apply https on our domain and server then it would effect our existing web sites and API and can both protocol can work.
Yes, switching to HTTPS may potentially affect your existing API customers. However, it depends on:
Whether you'll force HTTPS or not
How developers interacts with your API
If you force HTTPS, you'll likely setup a redirect from HTTP to HTTPS. If the clients are not designed to follow redirects (in general simple clients are not), then your customers will start noticing 301 or 302 redirect status codes rather than 200.
In this case, the option could be to add HTTPS and deprecate HTTP. Keep HTTP and HTTPS in parallels for a while, long enough to inform your customers to move to the HTTPS version.
Related
I'm serving my site through nginx. For securing it, I have added ssl certificate and made it compatible with https protocol.
Now when I do request data from the site through browser while keeping ssl proxying on, whole request body and response body are showing there, so there is some loophole in my configuration and if it's not a loophole, I want it to be like giant company's site - facebook, apple etc. Where these ssl proxy tool can not parse the request and response.
If the client doesnt explicit show itself as a proxy (aka via X-Forwarded headers), is very hard to know for a server if any connection establishes proxied, Of course, out there are sophisticated methods to find these connections, like blacklists with common proxy sites, AI traffic algorithms, etc. but you will need massive amounts of data (that giant companies have) or specialized traffic services like cloudflare.
I was going through official documentation to enforce HTTPS in ASP.NET Core. There I found a warning -
Do not use RequireHttpsAttribute on Web APIs that receive sensitive
information. RequireHttpsAttribute uses HTTP status codes to redirect
browsers from HTTP to HTTPS. API clients may not understand or obey
redirects from HTTP to HTTPS. Such clients may send information over
HTTP. Web APIs should either:
Not listen on HTTP.
Close the connection with status code 400 (Bad Request) and not serve the request.
What I know about [RequireHttps] attribute is It set 302 Found code and a redirect url. something like this -
GET http://api.example.com/values
302 Found
Location: https://api.example.com/values
On the other hand, official documentation recommends to use -
HTTPS Redirection Middleware (UseHttpsRedirection) to redirect HTTP
requests to HTTPS.
Uses the default HttpsRedirectionOptions.RedirectStatusCode (Status307TemporaryRedirect).
What I understood from this, it also redirects HTTP to HTTPS, with different status code 307.
To me they are doing similar thing. I don't clearly understand what benefit I am getting using HTTPS Redirection Middleware (UseHttpsRedirection) over RequireHttps Attribute. What I am missing here ?
I was going through official documentation to enforce HTTPS in ASP.NET Core.
What I know about [RequireHttps] attribute is It set 302 Found code and a redirect url.
On the other hand, official documentation recommends to use HTTPS Redirection Middleware (UseHttpsRedirection)
To me they are doing similar thing.
I suppose that the information you mentioned is from this official doc about "Enforce HTTPS in ASP.NET Core".
As we know, for Web APIs scenario, API client (consumer/caller App) could be not browser client, which would not understand or obey redirection from HTTP to HTTPS via HTTP status codes. We should avoid our API endpoint response client with redirection status codes, so as warning part suggested "Do not use RequireHttpsAttribute on Web APIs that receive sensitive information".
And in warning part it also shows two approaches to reject insecure HTTP requests for Web APIs: 1) not expose HTTP endpoints; 2) return an error code. In my view, talking about "reject insecure HTTP requests for Web APIs scenario" is over here.
Besides, we should note that topic of this doc is about redirecting HTTP requests to HTTPS in ASP.NET Core, RequireHttpsAttribute could be applied to specific controller/action(s), to enforce HTTPS for entire ASP.NET Core web apps, using HTTPS Redirection Middleware is recommended (not mean that we should use this Middleware to reject insecure HTTP requests for Web APIs).
There is an API. Earlier all request were made not via ssl connection (encription was used) - http://api.com/dosomething. Logic has changed now. Now it is a bit problem to change URL for all clients who are using this API. There is https version of the api site. Is it safe to redirect all requests http://api.com/dosomething to https://api.com/dosomething on server side (apache or nginx)? How it works?
Your API consumer transmits everything in the clear: All its data, authentication, etc. And on your new server you're redirecting to the "same" URL, just using https? The https connection now will be secure, but all of your data and authentication has long leaked.
As we don't know anything about your API consumer, technically it could be a web browser that honors "secure" cookies, e.g. it might not transmit the authentication in the clear. But still, all of the data will be out already. As you say that you can't update the clients, I'm assuming that you're not in this situation.
So: The answer is no, it's not secure. Retire the old API, keep track of anyone accessing it. Once they're few enough, notify them of discontinuing the http service so that they upgrade. Or stay unsafe - choose your poison.
I have two websites at the moment.
admin.example.com
api.example.com
The "admin" one has all the security headers recommended by https://securityheaders.io.
The "api" has none, which is deliberate. I know that this application will only serve JSON and is a relatively simple API.
Is this bad practise? Do the headers protect against any issues for a API-only site?
I already have HSTS headers set in both scenarios, which is obviously important.
It depends on requiremt of API ,if API is transactional then go with HSTS headers else don't .If API is not containing sensitive data then don't use it .
HTTP Strict Transport Security (HSTS) :
Let’s say you have a website named api.example.com and you installed
an SSL/TLS certificate and migrated from HTTP to HTTPS. But this isn’t
where the work stops. What if your website is still available over
HTTP? It would be utterly pointless, right? Many website admins
migrate to HTTPS and then forget about it without realizing this. This
is where HSTS enters the picture. If a site is equipped with HTTPS,
the server forces the browser to communicate over secure HTTPS. This
way, the possibility of an HTTP connection is eliminated entirely.
Is there anything wrong with configuring a webserver to map SSL traffic (port 443) to the same document root as normal traffic (port 80)?
Using the same document root for both http and https means you need to implement the following:
On each page that needs to be secure, there needs to be some application code that redirects the user to the https version if they somehow got to the http version (or to rediect the user to the login page if they have no session).
The login page always needs to redirect to the https version.
For pages that are accessible via both http and https, you need to set a canonical URL to ensure it doesn't appear like you have duplicate content.
Is there a better way to configure encryption of user account pages? Is there a best practice to separate website into HTTP and HTTPS sections?
It's not necessarily wrong to do this, but as your points 1..3 show, it introduces complications. It seems to me that setting up a separate document root might be a lot simpler than working around the complications.
In Internet Information Server 7.X you can define a "secure path" which is require to access with HTTPS and you can redirect the user to a user-friendly error page.
Maybe this can be a good solution to mix the document root and keep parts of the application secured.
Redirecting http automatically to https allows for man-in-the-middle attacks and is therefore not recommended. A man-in-the-middle could manipulate your HTTP traffic to send you to a malicious HTTPS site that resembles your HTTPS content.