API returning "The connection is not secure. API requests must be made via HTTPS" - bigcommerce

We are getting the following error while trying to read some product details:
400 The connection is not secure. API requests must be made via HTTPS.
The URL we are calling IS over HTTPS:
https://api.bigcommerce.com/stores/[removed]/v2/orders?page=1&limit=50
Thoughts?

You can call https://store-XXXXXXXXX.mybigcommerce.com/api/v2/orders to get the order details.
(This method uses Basic authentication, and you have to replace the store name with your own store name.)

Related

Accessing Production API URL for jXchange Rest Legacy

Our institution is unable to get a response from jx-rl-proxy-jxapp.prod.ipaas.jha-sys.com. We are able to create an OAuth token with the https://ims.jhacloudservices.com token URL. Our local IP has been whitelisted, but the URL is not available.
Currently we are using Insomnia and Postman for testing, with unsuccessful responses from the jx-rl-proxy-jxapp.prod.ipaas.jha-sys.com URL. We cannot successfully ping the jx-rl-proxy-jxapp.prod.ipaas.jha-sys.com URL.
Apart from the IP whitelisting, make sure there is no proxy interfering with the traffic to the endpoint.

How to perform login field for login.microsoftonline.com using Jmeter

I need to test an app that is signed in via login.microsoftonline.com, but I get this error: "We can't sign you in. Your browser is currently set to block cookies. You need to allow cookies to use this service." Maybe someone else has experienced something similar.
I tried changing the HTTP Cookie Manager type from standard to others, and I also used CookieManager.save.cookies with true and false, but nothing worked.
You're not supposed to have the request to login.microsoftonline.com as the very first request in your JMeter script.
My expectation is that you're trying to test an application which uses Microsoft Identity Platform as the authentication provider, so depending on your application's auth flow you need to pass some parameters to this login.microsoftonline.com page, and the parameters need to be extracted from the previous request.
So try starting with your application's login page, and I believe you should be redirected to login.microsoftonline.com with valid cookies and appropriate parameters.

Login user via GET (basic auth header) or POST

I've been doing some research on HTTP methods and headers recently: should we use GET with basic authorization instead of POST when submitting a login?
HTTP Methods
The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.
The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server.
As we see here, the POST method normally changes the state of the server. If sending out JWTs/HTTP cookies, we are not modifying the state of the server. Nor are we creating a new resource in the server.
I understand that we should not send the username and password as a GET parameter, but should we use the Authorization header instead?
Basic authentication
For "Basic" authentication the credentials are constructed by first combining the username and the password with a colon (aladdin:opensesame), and then by encoding the resulting string in base64 (YWxhZGRpbjpvcGVuc2VzYW1l).
Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
The only advantage I see to using POST over GET is that we need no extra code in the HTML/JS on the client side to send headers via the fetch API. To send headers, we would need an onsubmit and then check if status code is 200. If 200, we will need to redirect to the page after the login screen. Then again, if using the fetch API, this means the server does not need to send a new HTML page to the client all the time either.
Should we use GET with basic auth or POST when logging in since we don't create a resource/modify the server state?
Would this change if say we enable 2FA since we would need to generate a code for that user?
Doing basic authentication in the browser and using GET is not that recommended.
To do your own login form, it is better to always do it using HTTPS and POST. Post the username/password in the body of the request and secure it with proper CSRF protection.
If you want to level up, you can always look at the OpenID Connect approach, but that is more advanced depending on your needs.
Also, a good approach is to explore how existing sites implement a login form and look at the HTTP(S) traffic in a tool like Fiddler.
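As an added illustration of the answer's recommendation (not code from the original thread), the following Python sketch is a POST-only login handler that rejects cleartext transport and GET, checks a session-bound CSRF token, and compares credentials in constant time. The request dictionary, the demo user store, the shared salt and the server key are constructed stand-ins for what a real framework and secret store would supply.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store: a salted PBKDF2 hash per user, never the plaintext.
# One shared salt keeps the example short; real deployments salt per user.
_SALT = b"constructed-demo-salt"
_ITER = 100_000
USERS = {"aladdin": hashlib.pbkdf2_hmac("sha256", b"opensesame", _SALT, _ITER)}
_DUMMY = hashlib.pbkdf2_hmac("sha256", b"", _SALT, _ITER)  # keeps unknown-user timing similar


def new_session_id() -> str:
    """Fresh random session id; the app would set it as a Secure, HttpOnly cookie."""
    return secrets.token_urlsafe(32)


def issue_csrf_token(session_id: str, key: bytes) -> str:
    """Derive the CSRF token from the session id with a server-side key, so a
    cross-site page cannot produce a token matching the victim's session."""
    return hmac.new(key, session_id.encode(), "sha256").hexdigest()


def handle_login(request: dict, key: bytes) -> int:
    """Return the HTTP status a POST-based login endpoint would answer with.
    `request` is a constructed stand-in for a framework request object with
    the keys method, scheme, cookies and form."""
    if request.get("scheme") != "https":
        return 400  # credentials only ever travel over TLS
    if request.get("method") != "POST":
        return 405  # GET would put credentials into URLs, logs and browser history
    form = request.get("form", {})
    session_id = request.get("cookies", {}).get("session", "")
    expected = issue_csrf_token(session_id, key)
    if not hmac.compare_digest(form.get("csrf", ""), expected):
        return 403  # a forged cross-site POST lacks the session-bound token
    username = form.get("username", "")
    stored = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", form.get("password", "").encode(), _SALT, _ITER)
    if username not in USERS or not hmac.compare_digest(stored, candidate):
        return 401  # same answer for unknown user and wrong password
    return 303  # success: redirect to the post-login page instead of rendering it here


if __name__ == "__main__":
    key, sid = secrets.token_bytes(32), new_session_id()
    req = {"method": "POST", "scheme": "https", "cookies": {"session": sid},
           "form": {"csrf": issue_csrf_token(sid, key), "username": "aladdin", "password": "opensesame"}}
    print(handle_login(req, key))  # 303
```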

azure api management error 500

I configured an API using the API Management service in Azure; all the endpoints are working fine. I defined some rules in the inbound policies, the last one being a set-backend-service rule. The objective of this rule is to redirect the request to a different endpoint based on certain conditions. The problem is as follows: if I test the API endpoint inside Azure, using the Test option provided by the API Management service, the whole process works fine; I can look into the trace and check how the API Management service receives the request, checks the conditions defined in the inbound policy and finally changes the backend URL to the right endpoint. If I test outside Azure, for example using Postman, the API Management service responds with a 500 error. The description of the error is: Expression value is invalid. Value is not a valid absolute URL. () Section : (inbound) Source : (set-backend-service)
I found the issue and the solution. The problem was generated in the policies configuration. For some reason the base tag in the backend policy was deleted. After putting back the base tag, all the endpoints work fine.

AWS API Gateway how to enable CORS to only listen request from Stripe.com?

I have an endpoint on API Gateway that I want to make work with requests from Stripe.com only. I have tried adding stripe.com to Access-Control-Allow-Origin: * as shown below, but it does not seem to be working at all.
How do I set CORS on API Gateway?
CORS only applies to requests made from a browser. It doesn't apply if you're trying to protect, for example, a webhook URL that you want Stripe to send data to. The typical approaches here are either to include a shared secret in your webhook URL, or to configure a username & password, both of which Stripe supports. Examples:
https://yourdomain.com/admin/webhook/6f637faa33a2116f410cfb12af2028a85d22fcf5
https://user:pass@yourdomain.com/admin/webhook/
The other protection here is that you can verify any event received by sending an API request to Stripe to retrieve that event:
https://stripe.com/docs/webhooks#verifying-events
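To make the answer's point concrete, here is an added Python example (not from the original thread) of a webhook authorization check that ignores the browser-only Origin header and instead accepts either the shared secret in the URL path or the Basic-auth pair, both compared in constant time. The path secret reuses the answer's example value; the Basic-auth username and password are constructed placeholders, and the path/header inputs stand in for whatever the real web framework hands the handler.

```python
import base64
import hmac

# Shared secrets configured on both the endpoint and the sender's webhook settings.
# PATH_SECRET is the example value from the answer above; the Basic pair is constructed.
PATH_SECRET = "6f637faa33a2116f410cfb12af2028a85d22fcf5"
BASIC_USER, BASIC_PASS = "hookuser", "constructed-demo-password"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a sender configured with user/pass would emit."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: str):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None
    when the scheme is not Basic or the payload is not well-formed base64 'user:pass'."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return (user, password) if sep else None


def authorize_webhook(path: str, headers: dict) -> bool:
    """Accept a server-to-server webhook call only if it carries one of the shared
    secrets. Origin/CORS is deliberately not consulted: it is a browser mechanism
    and says nothing about a non-browser sender."""
    last_segment = path.rstrip("/").rsplit("/", 1)[-1]
    if hmac.compare_digest(last_segment, PATH_SECRET):
        return True
    creds = decode_basic(headers.get("Authorization", ""))
    if creds is None:
        return False
    # Evaluate both comparisons so a wrong username takes as long as a wrong password.
    user_ok = hmac.compare_digest(creds[0], BASIC_USER)
    pass_ok = hmac.compare_digest(creds[1], BASIC_PASS)
    return user_ok and pass_ok


if __name__ == "__main__":
    print(authorize_webhook("/admin/webhook/" + PATH_SECRET, {}))                       # True
    print(authorize_webhook("/admin/webhook/", {"Origin": "https://stripe.com"}))      # False
    print(authorize_webhook("/admin/webhook/", {"Authorization": basic_header(BASIC_USER, BASIC_PASS)}))  # True
```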
I think you need to have the scheme in the header, like https://stripe.com as Access-Control-Allow-Origin.