While I'm working with webpack-dev-server, I found a configuration called disableHostCheck. I am new to React and frontend development and I really like to know that What is host checking when to bypass hosts checking and why react developers should aware of that?
Disable Host checking prevents DNS rebinding attacks and a good explanation can be found here.
When disableHostCheck is disabled (sorry for the double negation, simply when host checking is enabled) same-origin policy is enforced. Which means when a script is run, the browser verifies whether the source of the script is in the same domain where the app is hosted.
We need to bypass host checking especially when an app is hosted locally and the app refers scripts hosted in other domains
Web pack documentation can be found here
Related
I would like to debug my Google App Engine (GAE) app locally but without using localhost. Since my application is made up of microservices, the urls in a production environment would be along the lines of:
https://my-service.myapp.appspot.com/
But code in one service can call another service and that means that the urls are hardcoded. I could of course use a mechanism in code to determine whether the app is running locally or on GAE and use urls that are different although I don't see how a local url would handle the since the only way to run an app locally is to use localhost. Hence:
http://localhost:8080/some-service
Notice that "some-service" maps to a servlet, whereas "my-service" is a name assigned to a service when the app is uploaded. These are really two different things.
The only possible solution I was able to find was to use a reverse proxy which would map one url to a different one. Still, it isn't clear whether the GAE development SDK even supports this.
Personally I chose to detect the local development vs GAE environment and build my inter-services URLs accordingly. I feel it was a well-worthy effort, I've been (re)using it a lot. No reverse proxy or any other additional ops necessary, it just works.
Granted, I'm using Python, so I'm not 100% sure a complete similar Java solution exists. But maybe it can point you in the right direction.
To build the per-service URLs I used modules.get_hostname() (the implementation is presented in Resolve Discovery path on App Engine Module). I believe the Java equivalent would be getInstanceHostname() from com.google.appengine.api.modules.
This method, when executed on the local server, automatically provides the particular port the server listens to for each service.
BTW, all my services for an app are executed by a single development server process, which listens on multiple ports (this is, I guess, how it can provide the modules.get_hostname() info). See Running multiple services using dev_appserver.py on different ports. This is part I'm unsure about: if/how the java local dev server can simultaneously run multiple services. Apparently this used to be supported some time ago (when services were still called modules):
Serving multiple GAE modules from one development server?
GAE modules on development server
This can be accomplished with the following steps:
Create an entry in the hosts file
Run the App Engine Dev server from a Terminal using certain options
Use IntelliJ with Remote debugging to attach the App Engine Dev server.
To edit the hosts file on a Mac, edit the file /etc/hosts and supply the domain that corresponds to your service:. Example:
127.0.0.1 my-service.myapp.com
After you save this, you need to restart your computer for the changes to take place.
Run the App Engine Dev server manually:
dev_appserver.sh --address=0.0.0.0 --jvm_flag=-Xdebug
--jvm_flag=-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000
[path_to_exploded_war_directory]
In IntelliJ, create a debug configuration. Use the Remote template to create this configuration. Set the host to the url you set in the hosts file and set the port to 8000.
You can set a breakpoint and run the app in IntelliJ. IntelliJ will attach to the running instance of App Engine Dev server.
Because you are using a port during debugging and no port is actually used when the app is uploaded to the GAE during production, you need to add code that identifies when the app is running locally and when it's running on GAE. This can be done as follows:
private String mServiceUrl = "my-service.my-app.appspot.com";
...
if (SystemProperty.environment.value() != SystemProperty.Environment.Value.Production) {
mServiceUrl += ":8000";
}
See https://cloud.google.com/appengine/docs/standard/java/tools/using-local-server
An improved solution is to avoid including the port altogether and not having to use code to determine whether your app is running locally or on the production server. One way to do this is to use Charles (an application for monitoring and interacting with requests) and use a feature called Remote Mapping which lets you map one url to another. When enabled, you could map something like:
https://my-service.my-app.appspot.com/
to
https://localhost:8080
You would then enable the option to include the original host, so that this gets delivered to the local dev server. As far as your code is concerned it only sees:
https://my-service.my-app.appspot.com/
although the ip address will be 127.0.0.1:8080 when remote mapping is enabled. To use https on local host however does require that you enable ssl certificates for Charles.
For a complete overview on how to setup and debug microservices for a GAE Java app in IntelliJ, see:
https://github.com/JohannBlake/gae-microservices
I just when trough this tutorial about Using
Firebase and App Engine Standard Environment in an Android App
It was grate but I wonder now can anyone upload and replace my servlet code. Like do I need to set up some firewall somewhere. I read the docs
about
Using Networks and Firewalls
but I cannot see any hands-on how to apply this, it´s really advanced and if someone could break it down, what I need to do to only allow me to access the code.
I´m a bit new to this but when working with this tutorial
Build an Android App Using Firebase and the App Engine Flexible
Environment
I got this email from CloudPlatform-noreply saying I must maintain a Firewalls :
Dear Developer, We noticed that your Google Cloud Project has open
project firewalls. This could make your instance vulnerable to
compromises since anyone on the internet can access and establish a
connection to the instance. The following project has open firewalls:
Playchat (ID: playchat-4cc1d) Google Cloud Platform provides the
flexibility for you to configure your project to your specific needs.
We recommend updating your settings to only allow access to the ports
that your project requires. You can review your project's settings by
inspecting the output of gcloud compute firewall-rules or by visiting
the firewall settings page on the GCP Console. Learn more about using
firewalls and secure connections to VM instances.
What do I need to be afraid of here - what does "since anyone on the internet can access and establish a connection to the instance." really mean?
I want my Firebase signed in users to be able to access only
Source code deployment
The only people that can deploy source code to your app are ones that you've given access to in the IAM permissions pages in the Cloud Platform Console. People there need Owner or have the specific role of "App Engine Admin" or "App Engine Deployer".
Connecting to your instances
If you are using the App Engine standard environment there are no virtual machine instances. The standard environment is purely a platform as a service, not your typical hosting environment with servers.
If you are using the App Engine flexible environment, your code does run on virtual machine instances. However, those instances by default are locked down. You can enable SSH for debugging purposes. These connections however use the tokens via your authorized gcloud installation to connect. All this is just to say, that by default your instances are locked down and even in the debug mode they are still pretty secure.
Overall, your code is secure by default. Protecting your resources is actually probably more about protecting your Gmail account and thus its connected resources like your Cloud Platform projects. Protect your account with two-factor authentication, don't give people more access to your project than they require, and lastly don't enable debugging unless you need it and even then close it down when you're done.
I was able to configure SSL for .pl to serve my appengine app over https.
My application always require https. For testing purposes I would like to be able to serve another version of my app (one that I have already uploaded). However, going to <app version>.<my domain name>.pl doesn't seem to work (I was able to do this before enabling SSL).
I purchased another SSL cert, for www.<app version>.<my domain name>.pl and configured it similarly how I configured the SSL cert for the naked domain. The problem is that under assigning urls it says "no matching urls" and doesn't allow me to enter a url.
EDIT: Turns out I can sort of achieve this by going to my apps https://..appspot.com if I disregard browser warning. Works for testing purposes fine to my mind.
To the extend I understand your question, you might be suffering from WWW and NON-WWW issue. You have configured your certificate for www...pl which should be configured on ..pl
Still it is not cleared. I can help you more accurately if you can elaborate your question.
In silverlight5 beta, it supports trust application which allows loading local files. I tried and it works fantastic in both OOB and in browser mode. One question is that, when put my cap on the server, it works fine in OOB mode but doesn't work in browser. I think debugging locally and deployment is different. Is there a way to request the trust in browser as I tried locally?
Thanks,
Howard
There are a number of steps needed:-
The XAP needs to be signed using a code-signing certificate
Then on the client machine
A tweak to the registry on the client machine that needs to run a trusted app inbrowser
The code signing certificate then needs to be installed on the client machine.
Those last two in a real world deployment would be configured using a Group Policy.
See the Beta document topic How to: Enable Trusted Applications to Run Inside the Browser.
I am using a silverlight with wcf and when I use the .web project then it runs but when use the silver light project to run the following exception throws:
An error occurred while trying to make a request to URI 'http://localhost:9000/Services/BLWCFSvrc.svc'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details.
I want to use the silverlight project to debug my code
Thanks in advance
In order to access network resources from Silverlight, the domain hosting the resource must provide a client access policy file; this is designed this way for security reasons. See here for details: http://msdn.microsoft.com/en-us/library/cc645032%28VS.95%29.aspx
I think your problem is different that just having the clientaccesspolicy.xml, the fact that it runs under the web project, means that you are delivering policies, if you have those added as seperate files under the web project then they wont be deployed when you run the SL3 app seperately, but im sure you figured this out and you're delivering the policies via WCF using webHttp binding (RESTful style), if not, you should.
I think the problem is that when you run the webproject, it builds to your local IIS and executes from there, IIS will allow the SL3 app to communicate with ports/addresses different from the ones that the site is hosted on
when you run SL3 app natively, VS2008 auto generates a test html site for it to be hosted in with some default settings, and uses VS2008 built-in hosting service, which does not allow communication to an address/port different from that of the hosting address. (even though Silverlight is a client side library, VS2008 can do this)
so if you want to run the Silverlight application natively, meaning actually executing the XAP, you can deploy it to IIS, and configure IIS to deliver XAP files, or just install it and run it out of browser and let it update from IIS the deployed version
Just copy a clientaccesspolicy.xml file (for an example take a look at this post; you can even use this sample) into the root of your webserver (eg: c:\inetpub\wwwroot\).
This should help.