Katharsis-Client where to set request headers? - katharsis

I want to set request headers in my Katharsis client, which is connecting to a JSONP-based API. I don't see options for the same anywhere.

Related

How do I add restricted headers like Expect:100-continue in postman using interceptor

I am trying to add a restricted header (expect-100-continue) to a Postman POST request since I have a huge payload. I did some research and found out that Postman ignores restricted headers like (expect) even if you add them to the header section.
So I downloaded the Postman Interceptor extension, as I read in the documentation that we can add restricted headers through Interceptor. I was able to connect Interceptor to Postman following the documentation, but I couldn't find a way to add that header.
How would we add those restricted headers in Postman to test?
Note: I just want to let you know the backstory of this problem too. We deployed our REST application to Azure App Services with client certificates enabled. When we hit it with a large payload, the server is not responding; I found out from Microsoft documentation that we have to set the Expect: 100-continue header if we are sending a large payload. I just want to test adding the header through Postman and see if it works. Below is the link to the Microsoft documentation:
https://learn.microsoft.com/en-us/archive/blogs/waws/posting-a-large-file-can-fail-if-you-enable-client-certificates

Restrict exposing certain request headers for REST API in browser

I am fetching a GET API using the fetch command in React. When I run the production build, I can see the x-api-key in the request header when I inspect in either Google/Firefox (network). This is the API key that my web app uses to make the request, and I don't want it to get exposed in the browser's devtools. Any ideas on how to achieve this?
Fundamentally, you rewrite some stuff and proxy the request server side.
There is no way to hide the x-api-key header if you are directly making the request from the client. The only way is to make it from the server, then provide the results to the client.

Sending passwords over HTTPS: GET vs POST

I'm creating a headless API that's going to drive an Angular front end. I'm having a bit of trouble figuring out how I should handle user authentication though.
Obviously the API should run over SSL, but the question that's coming up is how I should send the request that contains the user's password: over GET or POST. It's a RESTful API, so what I'm doing is retrieving information, meaning it should be a GET request. But sending the password over GET means it's part of the URI, right? I know even a GET request is encrypted over HTTPS, but is that still the correct way? Or is this a case to break from RESTful and have the data in the body or something (can a GET request have data in the body?).
If you pass the credentials in a request header, you will be fine with either a GET or POST request. You have the option of using the established Authorization header with your choice of authentication scheme, or you can create custom headers that are specific to your API.
When using header fields as a means of communicating credentials, you do not need to fear the credentials being written to the access log as headers are not included in that log. Using header fields also conforms to REST standards, and should actually be utilized to communicate any meta-data relevant to the resource request/response. Such meta-data can include, but is not limited to, information like: collection size, pagination details, or locations of related resources.
In summary, always use header fields as a means of authentication/authorization.
Mostly a GET request will bind data in the URL itself, so it is more readable than POST.
So if it is GET, there is a possibility that it stays alive in the HISTORY LOG.
Using ?user=myUsername&pass=MyPasswort is exactly like using a GET based form and, while the Referer issue can be contained, the problems regarding logs and history remain.
Sending any kind of sensitive data over GET is dangerous, even if it is HTTPS. These data might end up in log files at the server and will be included in the Referer header in links to or includes from other sites. They will also be saved in the history of the browser, so an attacker might try to guess and verify the original contents of the link with an attack against the history.
You could send a data body with a GET request too, but this isn't supported by all libraries, I guess.
Better to use POST or request headers. Look at other APIs and how they are handling it.
But you could still use GET with basic authentication like here: http://restcookbook.com/Basics/loggingin/
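An added example, not from any of the answers above, of the approach they converge on: credentials travel in the Authorization header (here the Basic scheme from the linked cookbook), the request can stay a GET, and a guard refuses to build a request whose URL already carries a secret in its userinfo or query string, which is exactly the part that ends up in logs, history and Referer. The endpoint URL and the list of credential-looking parameter names are assumptions.

```javascript
// Added example: credentials in the Authorization header, never in the URI.
// CREDENTIAL_PARAMS and the example URL are assumptions for illustration.
function basicAuthHeader(user, pass) {
  // RFC 7617: "Basic " + base64(user ":" pass); the user-id may not contain ':'
  if (user.includes(":")) throw new Error("username must not contain ':'");
  return "Basic " + Buffer.from(`${user}:${pass}`, "utf8").toString("base64");
}

const CREDENTIAL_PARAMS = ["password", "pass", "pwd", "token", "secret", "api_key", "apikey"];

// True if the URL would carry a secret into access logs, browser history or
// the Referer header: userinfo (https://user:pass@host/...) or a query
// parameter whose name looks like a credential.
function urlLeaksCredentials(urlString) {
  const u = new URL(urlString);
  if (u.username || u.password) return true;
  for (const key of u.searchParams.keys()) {
    if (CREDENTIAL_PARAMS.includes(key.toLowerCase())) return true;
  }
  return false;
}

// Build the (url, init) pair for fetch(). GET is fine here because nothing
// sensitive is in the URI; the header is inside the TLS-protected request.
function authenticatedRequest(url, user, pass) {
  if (!url.startsWith("https://")) throw new Error("send credentials only over HTTPS");
  if (urlLeaksCredentials(url)) throw new Error("do not put credentials in the URL");
  return {
    url,
    init: {
      method: "GET",
      headers: { Authorization: basicAuthHeader(user, pass) },
    },
  };
}

// Usage (browser or Node 18+):
//   const { url, init } = authenticatedRequest("https://api.example.com/me", "alice", "s3cret");
//   const res = await fetch(url, init);
```

Base64 is an encoding, not encryption: the Basic header is only as safe as the TLS connection carrying it, which is why the guard rejects plain http:// URLs.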

Confusion about REST API calls

I have an API gateway installed that I'm trying to program against. Requests work when using apps like Postman, but when I try to connect through code in the form of XMLHttpRequests I get 401... No 'Access-Control-Allow-Origin' header is present on the requested resource, saying that the server doesn't allow cross-site calls.
Maybe I'm not fully understanding how this works, but it seems that apps like Postman circumvent this somehow, whereas when I'm trying to access the API from a local file in my browser I bump into this problem.
Do I need to host the webpage I'm calling from to get this to work? Or am I missing something else here?
When the browser issues an XMLHttpRequest, it checks if the origin (i.e. the domain) of that request is allowed by the endpoint to send requests. The check is done by a preflight request, i.e. an HTTP OPTIONS request, which should provide a response containing an Access-Control-Allow-Origin header with the domain originating the request (or * to allow all domains).
Since this is a security measure of the browser, mainly based on the fact that when browsing web pages the user may not know which requests are sent to which endpoints, Postman simply does not need to apply it because its requests are explicitly sent by the user himself.
https://developer.mozilla.org/en-US/docs/Glossary/CORS
https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

Asp.Net Web API content negotiation

…API/emailMessage/?emailId=test123
I have written the above URL using Web API to get the email in JSON data format (email body, sender, CC, To, etc.).
Also, I have the requirement to allow download of the email along with attachments for the same URL.
One way to do it is using content negotiation. I can use “MediaTypeHeaderValue("application/octet-stream")” to send the content as downloadable.
Question is….
1. Which parameter in the GET request should the user use to request JSON content or download of the content? Or what is the correct way of asking for the content type from the HTTP client?
2. On the server side I can read what content type the user is asking for and send the appropriate data using just a case statement. Is there anything to be considered on the server side in this scenario?
Thank you,
Eric
The Accept request header is used to inform the server what media types the client supports. However, do not be concerned about adding a format= parameter to your URI to request a different format. It will not have a negative impact on your application.
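As an added example (not Eric's Web API code, nor the answer's), here is the negotiation logic the answer describes in a general form: parse the Accept header with its q-values, pick the most preferred representation the server can produce, and let an explicit format= query parameter override it. It is written in JavaScript rather than C#, and the supported media types and the format= aliases are assumptions; an unknown format= is treated as a client error rather than silently falling back, so a typo never turns a download into a JSON dump or vice versa.

```javascript
// Added example: Accept-header negotiation with a ?format= override.
// SUPPORTED and FORMAT_ALIASES are assumed values for this illustration.
const SUPPORTED = ["application/json", "application/octet-stream"];
const FORMAT_ALIASES = {
  json: "application/json",
  download: "application/octet-stream",
  raw: "application/octet-stream",
};

// Parse "type/sub;q=0.8, */*;q=0.1" into entries sorted most-preferred first:
// higher q wins, then more specific type, then the order the client wrote.
function parseAccept(accept) {
  if (!accept || !accept.trim()) return [{ type: "*/*", q: 1, specificity: 0, index: 0 }];
  return accept.split(",").map((part, index) => {
    const [rawType, ...params] = part.split(";").map(s => s.trim());
    let q = 1;
    for (const p of params) {
      const [k, v] = p.split("=");
      if (k === "q") q = parseFloat(v);
    }
    const type = rawType.toLowerCase();
    const specificity = type === "*/*" ? 0 : type.endsWith("/*") ? 1 : 2;
    return { type, q: Number.isNaN(q) ? 0 : q, specificity, index };
  }).sort((a, b) => b.q - a.q || b.specificity - a.specificity || a.index - b.index);
}

// Does an Accept pattern ("*/*", "application/*", "application/json") match a media type?
function matches(pattern, mediaType) {
  if (pattern === "*/*") return true;
  if (pattern.endsWith("/*")) return mediaType.startsWith(pattern.slice(0, -1));
  return pattern === mediaType;
}

// Returns the media type to send, or null (the caller answers 406 Not Acceptable
// or 400 Bad Request for an unknown format= value).
function negotiate(acceptHeader, formatParam) {
  if (formatParam !== undefined) {
    const forced = FORMAT_ALIASES[String(formatParam).toLowerCase()];
    return forced || null;
  }
  for (const entry of parseAccept(acceptHeader)) {
    if (entry.q <= 0) continue;               // q=0 means "never send this"
    const hit = SUPPORTED.find(t => matches(entry.type, t));
    if (hit) return hit;
  }
  return null;
}

// Usage inside a handler, assumed names:
//   const type = negotiate(req.headers.accept, url.searchParams.get("format") ?? undefined);
//   if (!type) { res.writeHead(406); return res.end(); }
//   if (type === "application/octet-stream") {
//     res.setHeader("Content-Disposition", 'attachment; filename="email.eml"');
//   }
//   res.setHeader("Content-Type", type);
```

On the server-side point in the question: besides picking the type, send "Vary: Accept" so a cache does not hand the JSON body to a client that asked for the download, and when the download includes attachments, make sure the Content-Disposition filename is derived from a sanitized value rather than taken from the email itself.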