Suppose my website is over HTTPS and I need to load a CSS or Object resource from HTTP, how can I do this?
Please note that I'm able to add Content-Security-Policy to the response headers over the HTTPS websites but I don't exactly know how I can do this. Can someone give me a solution?
There is no solution. Modern browsers will deny using non-https resources in pages served by https because you effectively undermine the security model of https this way. CSP will not help because it does not fix the issue. Your only choice is to either serve the site by http or to proxy includes from external non-https sites by your own site. But note that the latter option might affect the security model too, because now these external resources are seen as originating from the same domain as your own content and thus could misuse the same origin policy.
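To find the references the answer above says browsers will refuse, here is an added example (not code from the question or the answer): a small scanner that parses an HTML document and lists every subresource loaded from a plain `http://` URL, split into active content (scripts, stylesheets, objects, frames) and passive content (images, media). The tag list, the active/passive split and the sample page are this example's own constructed assumptions.

```python
"""Find mixed-content subresource references in an HTML page served over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subresource-loading tag/attribute pairs and their mixed-content class.
# "active" content (script, stylesheet, object, iframe) is blocked outright by
# modern browsers; "passive" content (images, media) is blocked or shown with a
# warning. The table is this example's own summary, not a browser spec.
SUBRESOURCES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, tag, url, kind):
        # Protocol-relative URLs ("//host/x") have an empty scheme and inherit
        # https from the page, so only an explicit http scheme is a finding.
        if url and urlsplit(url.strip()).scheme.lower() == "http":
            self.findings.append({"tag": tag, "url": url.strip(), "kind": kind})

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only <link rel="stylesheet"> loads active content; other link
            # relations are ignored here for simplicity.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel:
                self._check(tag, attrs.get("href"), "active")
        elif tag in SUBRESOURCES:
            attr, kind = SUBRESOURCES[tag]
            self._check(tag, attrs.get(attr), kind)


def find_mixed_content(html):
    """Return a list of {'tag', 'url', 'kind'} dicts for every http:// subresource."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: the situation in the question, a CSS file and an
# <object> pulled from plain HTTP into an HTTPS document.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.net/site.css">
<link rel="stylesheet" href="https://static.example.net/print.css">
<script src="//static.example.net/app.js"></script>
</head><body>
<object data="http://widgets.example.net/player.swf"></object>
<img src="http://images.example.net/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_HTML):
        print(f"{f['kind']:7} <{f['tag']}> {f['url']}")
```

Run over a saved copy of a page before deploying it over HTTPS; the `https://` stylesheet and the protocol-relative script are not reported, the two active and one passive `http://` loads are.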
Related
I have two websites at the moment.
admin.example.com
api.example.com
The "admin" one has all the security headers recommended by https://securityheaders.io.
The "api" has none, which is deliberate. I know that this application will only serve JSON and is a relatively simple API.
Is this bad practise? Do the headers protect against any issues for an API-only site?
I already have HSTS headers set in both scenarios, which is obviously important.
It depends on the requirements of the API: if the API is transactional then go with HSTS headers, else don't. If the API does not contain sensitive data then don't use it.
HTTP Strict Transport Security (HSTS):
Let's say you have a website named api.example.com and you installed an SSL/TLS certificate and migrated from HTTP to HTTPS. But this isn't where the work stops. What if your website is still available over HTTP? It would be utterly pointless, right? Many website admins migrate to HTTPS and then forget about it without realizing this. This is where HSTS enters the picture. If a site is equipped with HTTPS, the server forces the browser to communicate over secure HTTPS. This way, the possibility of an HTTP connection is eliminated entirely.
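As an added example (not part of the question or the answer above), the following audits the response headers of a JSON-only API for the points that still apply to it: a parseable Strict-Transport-Security header with a sensible max-age, a JSON Content-Type, and X-Content-Type-Options. The choice of checks and the thresholds are this example's assumptions; the HSTS directive parsing follows RFC 6797 (directives separated by `;`, names case-insensitive).

```python
"""Parse Strict-Transport-Security and audit the headers of a JSON API response."""

ONE_YEAR = 365 * 24 * 3600  # threshold chosen for this example


def parse_hsts(value):
    """Return {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}.

    Per RFC 6797 the directives are ';'-separated and names are case-insensitive;
    max-age is mandatory, the other two are flags.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            try:
                result["max_age"] = int(arg)
            except ValueError:
                result["max_age"] = None  # malformed value: treat as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit_api_headers(headers):
    """Return a list of findings for one API response.

    `headers` is a dict of header name -> value (names matched case-insensitively).
    The check list is this example's own selection for an endpoint that only
    returns JSON: transport policy plus the two headers that control how a
    browser interprets the body.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None:
            findings.append("HSTS max-age missing or not an integer")
        elif parsed["max_age"] == 0:
            findings.append("HSTS max-age=0 tells browsers to forget the policy")
        elif parsed["max_age"] < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")

    if not h.get("content-type", "").lower().startswith("application/json"):
        findings.append("Content-Type is not application/json")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


# Constructed sample responses for the two sites in the question.
ADMIN_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}
API_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Type": "application/json",
}

if __name__ == "__main__":
    for name, hdrs in (("admin", ADMIN_HEADERS), ("api", API_HEADERS)):
        print(name, audit_api_headers(hdrs) or "ok")
```

The parser is deliberately lenient about spacing and quoting so it can be pointed at real captured headers; the audit is strict about the values.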
We have a web site and an API, with URLs of the form http://example.com/?api=xxxxxxxxx
Suppose we apply HTTPS to our domain and server; would it affect our existing web sites and API, and can both protocols work?
Yes, switching to HTTPS may potentially affect your existing API customers. However, it depends on:
Whether you'll force HTTPS or not
How developers interact with your API
If you force HTTPS, you'll likely set up a redirect from HTTP to HTTPS. If the clients are not designed to follow redirects (in general simple clients are not), then your customers will start noticing 301 or 302 redirect status codes rather than 200.
In this case, the option could be to add HTTPS and deprecate HTTP. Keep HTTP and HTTPS in parallel for a while, long enough to inform your customers to move to the HTTPS version.
I have a CloudFront distro in front of my ASP.NET application, serving dynamic content. All cache periods are set and everything looks ok.
I am using CloudFront mainly to accelerate the site for international visitors.
I have a registration page on the site that uses SSL. I understand that I can't use my own SSL with cloudfront, but is there a way that I can tell cloudfront to point the user to the origin when they navigate to one of the HTTPS pages?
The urls on your secure page must use the https prefix or the browser will complain about mixed-mode content. This means that the requests have to start their lives as https ones. This makes redirection in the manner you suggest impossible.
Your best bet is to have logic in your pages that determines the host portion of your url and protocol so that if it's a secure connection, all your content urls are prefixed with the secure host/protocol in the form https://[cloudfront-secure-hostname]/[your content]
If the connection is not secure, you return your standard CDN hostname using http.
The only down side is that a user will see requests going off to a domain other than yours. This shouldn't be too much of a problem though.
Is there anything wrong with configuring a webserver to map SSL traffic (port 443) to the same document root as normal traffic (port 80)?
Using the same document root for both http and https means you need to implement the following:
1. On each page that needs to be secure, there needs to be some application code that redirects the user to the https version if they somehow got to the http version (or to redirect the user to the login page if they have no session).
2. The login page always needs to redirect to the https version.
3. For pages that are accessible via both http and https, you need to set a canonical URL to ensure it doesn't appear like you have duplicate content.
Is there a better way to configure encryption of user account pages? Is there a best practice to separate website into HTTP and HTTPS sections?
It's not necessarily wrong to do this, but as your points 1..3 show, it introduces complications. It seems to me that setting up a separate document root might be a lot simpler than working around the complications.
In Internet Information Server 7.X you can define a "secure path" which requires access over HTTPS, and you can redirect the user to a user-friendly error page.
Maybe this can be a good solution to mix the document root and keep parts of the application secured.
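The three points of the shared-document-root question (force https on secure pages, send users without a session to the login page, emit a canonical URL for pages reachable both ways) and the earlier answer about keeping an API reachable over HTTP during a deprecation window can all live in one piece of middleware. The following is an added example written for this page, not code from any of the posts: a WSGI wrapper with an assumed layout where `/account/` and `/login` must be HTTPS, `/account/` also needs a `session` cookie, and `/api/` keeps answering over HTTP while `api_http_allowed` is true. The `Deprecation` response header name, the trust in `X-Forwarded-Proto` (only valid behind a proxy you control) and the sample app are this example's assumptions.

```python
"""WSGI middleware: force HTTPS on secure paths, require a session on protected
paths, send HSTS, emit canonical links, and keep /api/ on HTTP during deprecation."""
from http.cookies import SimpleCookie
from urllib.parse import quote, urlencode

HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


class HttpsPolicy:
    def __init__(self, app, secure_prefixes=("/account/", "/login"),
                 protected_prefixes=("/account/",), login_path="/login",
                 session_cookie="session", api_prefix="/api/", api_http_allowed=True):
        self.app = app
        self.secure_prefixes = secure_prefixes        # must be served over https
        self.protected_prefixes = protected_prefixes  # additionally need a session
        self.login_path = login_path
        self.session_cookie = session_cookie
        self.api_prefix = api_prefix
        self.api_http_allowed = api_http_allowed      # deprecation window open?

    @staticmethod
    def _scheme(environ):
        # Behind a TLS-terminating proxy/CDN wsgi.url_scheme is "http"; the
        # X-Forwarded-Proto header is trusted here on the assumption that the
        # proxy is yours and strips client-supplied copies of it.
        return (environ.get("HTTP_X_FORWARDED_PROTO")
                or environ.get("wsgi.url_scheme", "http")).lower()

    @staticmethod
    def _https_url(environ):
        host = environ.get("HTTP_HOST", "localhost")
        path = quote(environ.get("PATH_INFO", "/"))
        qs = environ.get("QUERY_STRING", "")
        return f"https://{host}{path}" + (f"?{qs}" if qs else "")

    def _has_session(self, environ):
        return self.session_cookie in SimpleCookie(environ.get("HTTP_COOKIE", ""))

    @staticmethod
    def _redirect(start_response, status, location, extra=()):
        start_response(status, [("Location", location), ("Content-Length", "0"), *extra])
        return [b""]

    def _call_app(self, environ, start_response, extra):
        # Pass the request through and append our headers to the app's own.
        def sr(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, sr)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        target = self._https_url(environ)
        host = environ.get("HTTP_HOST", "localhost")

        if self._scheme(environ) == "https":
            if path.startswith(self.protected_prefixes) and not self._has_session(environ):
                login = f"https://{host}{self.login_path}?" + urlencode({"next": path})
                return self._redirect(start_response, "302 Found", login, [HSTS])
            return self._call_app(environ, start_response, [HSTS])

        # Plain http from here on.
        if path.startswith(self.api_prefix):
            if self.api_http_allowed:
                # Serve it, but tell the client where the https version lives.
                return self._call_app(environ, start_response,
                                      [("Deprecation", "true"),
                                       ("Link", f'<{target}>; rel="alternate"')])
            return self._redirect(start_response, "301 Moved Permanently", target)
        if path.startswith(self.secure_prefixes):
            return self._redirect(start_response, "301 Moved Permanently", target)
        return self._call_app(environ, start_response,
                              [("Link", f'<{target}>; rel="canonical"')])


def demo_app(environ, start_response):
    """Constructed stand-in for the real application."""
    if environ["PATH_INFO"].startswith("/api/"):
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"ok": true}']
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>page</html>"]


def simulate(app, path, scheme="http", cookie=None, query=""):
    """Call a WSGI app with a synthetic environ; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_HOST": "example.com", "wsgi.url_scheme": scheme}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


policy = HttpsPolicy(demo_app)

if __name__ == "__main__":
    for args in (("/account/settings",), ("/api/v1/items",), ("/",),
                 ("/account/settings", "https"), ("/account/settings", "https", "session=abc")):
        status, headers, _ = simulate(policy, *args)
        print(args, status, headers.get("Location", ""))
```

Flipping `api_http_allowed` to false ends the deprecation window: API calls over HTTP then get the same 301 as the secure pages, which is exactly the moment non-redirect-following clients start seeing 301 instead of 200.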
Redirecting http automatically to https allows for man-in-the-middle attacks and is therefore not recommended. A man-in-the-middle could manipulate your HTTP traffic to send you to a malicious HTTPS site that resembles your HTTPS content.
I have a website with only home page available through simple HTTP protocol.
All other pages are accessible only through HTTP over SSL (https://).
I'm using CDN for home page and very happy with it.
But for me it looks like using CDN for https pages is impossible because of security warnings, especially in IE. My files hosted at CDN are accessible through simple HTTP protocol.
What should I do? How can this problem be solved?
You need to get a CDN that supports serving files over HTTPS, then use that CDN for the SSL requests.
You can do this if their boxes have HTTPS support. What you can't do is use a subdomain of your own domain to CNAME against the CDN network, because SSL doesn't work this way.
So https://cdn.tld/mydomain/path/to/file as a mechanism does work (because browsers will verify the cdn.tld SSL certificate correctly), but https://cdn.mydomain.tld/path/to/file will not.
Two options, but in general I'd redirect all pages that don't need to be SSL'ed to their non-SSL equivalent and only use SSL when necessary.
1. Get an SSL certificate for your CDN host. It's just 30 bucks/year, but you need to take into account that this requires more configuration and depending on the traffic, this is also more expensive because the server requires more resources for SSL'd connections.
2. For the relevant pages, store the CSS/images/js files "local" on your own SSL host and use them when you need SSL. Of course you lose the speed etc. from the CDN, but that's a trade off. We opted for this because just our signup is SSL, 99.9999% of the time users spend on our website is on non-SSL links.
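Why the CNAME approach fails and the "certificate for your CDN host" option works comes down to hostname verification, so here is an added example (not from either answer) that applies the matching rules browsers use from RFC 6125 to a constructed certificate: labels compare case-insensitively, a wildcard is allowed only as the entire left-most label, and it matches exactly one label. The certificate contents and URLs are this example's own constructed data.

```python
"""Check which URLs a certificate's subjectAltName DNS entries would cover."""
from urllib.parse import urlsplit


def hostname_matches_san(hostname, san_dns_names):
    """RFC 6125 style matching of `hostname` against a list of dNSName entries."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard covers one label only, never "a.b.cdn.tld"
        if labels[0] == "*":
            # Wildcard must be the whole left-most label and leave at least two
            # labels to its right (no "*.tld").
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def url_is_covered(url, san_dns_names):
    """True if the certificate would pass browser hostname verification for `url`."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return hostname_matches_san(parts.hostname, san_dns_names)


# Constructed certificate as a CDN would issue for its own network: it knows
# nothing about customer domains.
CDN_OWN_CERT_SANS = ["cdn.tld", "*.cdn.tld"]

# Constructed certificate for option 1 above: the CDN host is additionally
# issued a certificate that names the customer's hostname.
CDN_CUSTOMER_CERT_SANS = ["cdn.tld", "cdn.mydomain.tld"]

URLS = [
    "https://cdn.tld/mydomain/path/to/file",   # path-based: works
    "https://edge1.cdn.tld/path/to/file",       # covered by the wildcard
    "https://cdn.mydomain.tld/path/to/file",    # CNAME to the CDN: fails
    "https://a.b.cdn.tld/path/to/file",         # two labels under the wildcard: fails
]

if __name__ == "__main__":
    for url in URLS:
        print(f"{url:45} own cert: {url_is_covered(url, CDN_OWN_CERT_SANS)!s:5} "
              f"customer cert: {url_is_covered(url, CDN_CUSTOMER_CERT_SANS)}")
```

The DNS answer is irrelevant to this check: a CNAME only changes which server is contacted, while the browser still compares the hostname it typed against the names in the certificate that server presents.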