The case in hand is as follows:
User hits a control on a website, website calls an API.
The API does some logic, and shall then construct a POST HTTP request and redirect to another site.
User should view the redirected site.
An alternative solution, I guess, is for the API to return an object that the website can use to redirect.
Your kind suggestions and ideas
You should take a look at the HTTP/1.1 Status Code Definitions. Specifically section 10.3 "Redirection 3xx". It describes the available status codes, and you should be able to find a suitable one.
Example: 303 See Other
Your API would create a response with status code 303 and add a "Location" header that contains the address of the site you redirect to.
Related
I have a solution with two ASP.NET Core MVC projects. One project (Client) is making a request to the other (Server) using HttpClient. When the action in Server receives the request, I want to get the URL of the thing that sent it. Every article I have read purports Request.Headers["Referer"] as the solution, but in my case Headers does not contain a "referer" key (or "referrer").
When receiving the request in Server, how should I find the URL of the Client that sent it?
That is how you get the referring URL for a request. But the referer isn't the thing that sent the request. The referer gets set in the headers by the browser when a person clicks on a link from one website to go to another website. When that request is made by the browser to the new website, the request will typically have the Referer header, which will contain the URL of the prior website.
The receiving server can't get the url of the "client" making the request, remember a typical web browser client isn't at any url. All the receiving server can get is the IP address of the client typically.
Since you have control of the client software, if you wanted you could have the client put whatever info you want in the header of the request before it's sent to the server and the server could then get that info out of the header.
If you're using HttpClient, then it is up to the site making the request to add that header. It isn't added automatically in this case. So: change the code - or request that the code is changed - so as to add the header and value that you expect. If you are proxying through a request, you might get the value from the current request's Referer header, and add that.
Even in the general case of a browser making the request as part of a normal page cycle, you can't rely on it: the Referer header is often deliberately not sent, depending on the browser version, configuration, whether you're going between different domains, whether it is HTTPS or not, and rel markers on an <a href=... such as "noreferrer".
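The behaviour both answers describe, as an added example that is not part of the original posts: a console program (C#, .NET 6 or later assumed) in which an HttpListener plays the Server and HttpClient plays the Client. The port, the X-Calling-Service header name and the example URLs are assumptions made for the illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

const string Prefix = "http://localhost:5099/";   // assumed free local port

var listener = new HttpListener();
listener.Prefixes.Add(Prefix);
listener.Start();

// "Server": print everything it can learn about the caller of each request.
var server = Task.Run(async () =>
{
    for (int i = 0; i < 2; i++)
    {
        HttpListenerContext ctx = await listener.GetContextAsync();
        string referer = ctx.Request.Headers["Referer"] ?? "(absent)";
        string caller = ctx.Request.Headers["X-Calling-Service"] ?? "(absent)";
        Console.WriteLine(
            $"ip={ctx.Request.RemoteEndPoint.Address} referer={referer} caller={caller}");
        ctx.Response.StatusCode = (int)HttpStatusCode.NoContent;
        ctx.Response.Close();
    }
});

using var client = new HttpClient();

// 1) Plain HttpClient call: no Referer is added, the server only sees an IP address.
using var first = await client.GetAsync(Prefix + "orders");

// 2) The calling code opts in and identifies itself explicitly.
using var request = new HttpRequestMessage(HttpMethod.Get, Prefix + "orders");
request.Headers.Referrer = new Uri("https://client.example/checkout");   // constructed URL
request.Headers.Add("X-Calling-Service", "client-web");                  // hypothetical header
using var second = await client.SendAsync(request);

await server;
listener.Close();
```

Both headers contain whatever the caller chose to send, so they are useful for logging and routing but are not proof of who made the request.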
Hi, I am developing a payment page using Web API 2 and AngularJS. My payment API contains a field called redirecturl. redirecturl will be used when payment is successful: the user will be redirected to this page. I have created a simple HTML page called redirectpage.html and it can be accessed at http://localhost:10963/redirectpage.html. My payment API works fine and I am getting success in the response. I am able to redirect to http://localhost:10963/redirectpage.html but I am getting HTTP Error 405.0 - Method Not Allowed
The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used. May I know the possible cause for this? Thanks in advance.
As you said, the payment API sends a POST call to redirecturl, so you should have some server-side code in place to accept POST calls. Plain HTML pages can accept only GET calls. If you want to redirect to a plain HTML page, please check the payment API's docs for how to redirect using query parameters in the URL.
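The 303 See Other answer to the first question and the answer above about accepting the POST fit together, shown here as an added example that is not code from the original posts. A small handler accepts the POST and answers 303 with a Location header, so the browser fetches the plain HTML page with GET. The /payment/return path and port 5098 are assumptions (C#, .NET 6 or later); redirectpage.html is the page named in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

const string Prefix = "http://localhost:5098/";   // assumed free local port
var listener = new HttpListener();
listener.Prefixes.Add(Prefix);
listener.Start();

var server = Task.Run(async () =>
{
    for (int i = 0; i < 2; i++)
    {
        HttpListenerContext ctx = await listener.GetContextAsync();
        string path = ctx.Request.Url!.AbsolutePath;
        string verb = ctx.Request.HttpMethod;
        if (path == "/payment/return" && verb == "POST")
        {
            // Accept the POST, then send the browser on with 303 See Other.
            // The target is a fixed local path, never a value read from the request.
            ctx.Response.StatusCode = (int)HttpStatusCode.SeeOther;
            ctx.Response.RedirectLocation = "/redirectpage.html";
        }
        else if (path == "/redirectpage.html" && verb == "GET")
        {
            byte[] body = Encoding.UTF8.GetBytes("<h1>Payment received</h1>");
            ctx.Response.ContentType = "text/html; charset=utf-8";
            ctx.Response.OutputStream.Write(body, 0, body.Length);
        }
        else
        {
            // Any other verb/path combination is refused in this example.
            ctx.Response.StatusCode = (int)HttpStatusCode.MethodNotAllowed;
        }
        ctx.Response.Close();
    }
});

// Auto-redirect is off so the 303 and its Location header can be inspected.
using var client = new HttpClient(new HttpClientHandler { AllowAutoRedirect = false });
using var posted = await client.PostAsync(Prefix + "payment/return",
    new FormUrlEncodedContent(new Dictionary<string, string> { ["status"] = "success" }));
Console.WriteLine($"{(int)posted.StatusCode} Location: {posted.Headers.Location}");
// What a browser does next: a GET to the Location target.
using var page = await client.GetAsync(new Uri(new Uri(Prefix), posted.Headers.Location!));
Console.WriteLine($"{(int)page.StatusCode} {await page.Content.ReadAsStringAsync()}");
await server;
listener.Close();
```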
Recently I attended a training in MVC. The trainer said that, as per the security concerns, we have to use HttpPost instead of HttpGet. Always use HttpPost.
Can anyone explain - what is the security issue when we use HttpGet?
When transmitting data over a secure connection (HTTPS), the body of the POST request is encrypted and practically unreadable; you can only see the address where data is going but not the data itself. GET, on the other hand, has no body, and data has to be transmitted in either the query string or as a path parameter. While it is true that the query string does get encrypted as well, due to request logging on the server and browser it is possible to get hold of that data.
Anyone can insert an image on a public forum or Stack Overflow with a link to your website. Then the following happens:
Browser looks at url in image tag
Browser finds cookies corresponding to domain in url
Browser sends request to url with cookies of user
Your server performs action
Browser tries to parse response as image and fails
Browser renders error instead of image
But if you mark your action as HttpPost only, then this scenario isn't applicable for 90% of sites. But you should also consider that if a hacker can create a form on another website, then he can still make the browser perform the request. So you need CSRF. Well, browsers have done a lot to prevent cross-site requests, but it's still possible in some scenarios.
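The two checks this answer arrives at (state changes only on POST, plus a token that another site cannot read), as an added example that is not code from the original posts. It is a hand-rolled illustration in plain C# (.NET 6 or later assumed); in ASP.NET MVC the framework's [ValidateAntiForgeryToken] attribute performs the token check. The CsrfGuard class and the session id are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

string session = "session-abc123";                 // constructed session id
string token = CsrfGuard.IssueToken(session);      // rendered into the site's own form

// Request triggered by an <img> tag on another site: cookie attached, verb is GET.
Console.WriteLine(CsrfGuard.IsAllowed("GET", session, null));
// Form hosted on another site: cookie attached, verb is POST, but no valid token.
Console.WriteLine(CsrfGuard.IsAllowed("POST", session, null));
// Form served by the site itself: POST carrying the token from the page.
Console.WriteLine(CsrfGuard.IsAllowed("POST", session, token));

static class CsrfGuard
{
    // Per-application secret; generated at start-up here, persisted in a real deployment.
    static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);

    // Token bound to the session: HMAC-SHA256 of the session id under the server key.
    public static string IssueToken(string sessionId) =>
        Convert.ToBase64String(HMACSHA256.HashData(Key, Encoding.UTF8.GetBytes(sessionId)));

    public static bool IsAllowed(string method, string sessionId, string? formToken)
    {
        // Image tags and plain links can only issue GET, so actions are POST-only.
        if (!string.Equals(method, "POST", StringComparison.OrdinalIgnoreCase)) return false;
        // A cross-site form sends the cookie automatically but cannot read the token.
        if (string.IsNullOrEmpty(formToken)) return false;

        byte[] supplied;
        try { supplied = Convert.FromBase64String(formToken); }
        catch (FormatException) { return false; }

        byte[] expected = Convert.FromBase64String(IssueToken(sessionId));
        // Constant-time comparison so the check does not leak how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(expected, supplied);
    }
}
```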
EDIT:
Maybe a better tl;dr version of my question (my brain is a little mashed)...
Either (ideally): Can I detect a referral URL with an off-domain 302 redirect?
Or: Can I detect that a 302 redirect was used to access my website?
EDIT 2 (from suggestion):
Request.UrlReferrer doesn't work in this situation, it returns as simply "https://www.google.co.uk/". I was expecting perhaps the referring URL of www.google.co.uk?url=maliciouswebsite.com - but sadly not.
A malicious website appears in Google. The link in Google points to www.maliciouswebsite.com - however when you click the link, you get sent to www.mywebsite.com.
So people google "MaliciousWebsite" and find their way to MyWebsite. I did a DNS check on maliciouswebsite.com and it has been 302 Redirected to mywebsite.com.
What I'm trying to do is "If the request is a 302 redirect sent from MaliciousWebsite.com - do not show my website".
I need a way of identifying that the request originated from MaliciousWebsite in some way.
Hope that makes sense!?
I assume you are using ASP.NET since you tagged the question as C#.
Well, ASP.NET offers a property that gives you the address of the page where the request to your page originated from.
Try to use
Request.UrlReferrer
http://msdn.microsoft.com/en-us/library/system.web.httprequest.urlreferrer(v=vs.110).aspx
I am working on a proxy site. All the code is ready, but I have a problem: when a user enters the URL directly into my site it gets processed and loads from the proxy site, but if he clicks a hyperlink it loads from the website and not from mine. What I need is a way to redirect the URL through my site. Is it possible?
eg:
With Foxyproxy, when you enter www.google.com it loads the site through it, and when you search something it still loads the result page through Foxyproxy. What I can't do is load the result page or any other sub-page through my site.
Thanks and Regards :)
You will need to read the entire response from third-party external site and replace all links, header Locations, and other external URLs with your proxy site URL appending the original URL as a URL parameter (or however you get the requested page from the HTTP request: GET param, URL routing, etc.). Then send the modified result to the client.
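The rewriting step described in this answer, as an added example that is not code from the original post (C#, .NET 6 or later assumed). The proxy endpoint https://proxy.example/fetch?url=, the ProxyRewriter class and the sample page are constructed for the illustration, and the regular expression is a simplification that only handles quoted href, src and action attributes.

```csharp
using System;
using System.Text.RegularExpressions;

var pageUri = new Uri("http://upstream.example/search/results?q=test");   // constructed
string html = "<a href=\"/next?page=2\">Next</a> <img src='http://cdn.example/a.png'> " +
              "<a href=\"mailto:x@example.org\">Mail</a> <a href=\"#top\">Top</a>";

Console.WriteLine(ProxyRewriter.RewriteHtml(pageUri, html));
// Redirects from the upstream site are rewritten the same way.
Console.WriteLine("Location: " + ProxyRewriter.ToProxied(pageUri, "../login"));

static class ProxyRewriter
{
    const string ProxyBase = "https://proxy.example/fetch?url=";   // hypothetical endpoint

    static readonly Regex LinkAttr = new(
        @"(?<pre>\b(?:href|src|action)\s*=\s*)(?<q>[""'])(?<url>.*?)\k<q>",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Map one upstream URL (absolute or relative to the fetched page) to its proxied form.
    public static string ToProxied(Uri pageUri, string raw)
    {
        string value = raw.Trim();
        // In-page anchors stay as they are.
        if (value.Length == 0 || value.StartsWith('#')) return raw;
        // Resolve relative links against the page that was fetched.
        if (!Uri.TryCreate(pageUri, value, out Uri? absolute)) return raw;
        // Only http and https go through the proxy; mailto:, javascript:, data: are left alone.
        if (absolute.Scheme != Uri.UriSchemeHttp && absolute.Scheme != Uri.UriSchemeHttps)
            return raw;
        // The original URL travels as one percent-encoded query parameter.
        return ProxyBase + Uri.EscapeDataString(absolute.AbsoluteUri);
    }

    // Rewrite every quoted href/src/action value in the upstream HTML.
    public static string RewriteHtml(Uri pageUri, string html) =>
        LinkAttr.Replace(html, m =>
            m.Groups["pre"].Value + m.Groups["q"].Value +
            ToProxied(pageUri, m.Groups["url"].Value) + m.Groups["q"].Value);
}
```

On the fetching side the url parameter is user-supplied input, so the proxy should validate the scheme and destination before requesting it.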