I know that you need a secure https thingy to host a valid app on. But if I just want to test some stuff, like how to make use of the social plugins from within a flash app and so on, do I need a secured url as well?
Or is there something like a test user for that too, that doesn't care about this but lets me simply test the stuff?
Thanks for any help.
"All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode)." Via: Facebook Dev Blog - https://developers.facebook.com/blog/post/497
Just set your app to sandbox mode. And you should be all set. Otherwise you could always look into a service such as this: http://www.social-server.com
This is no longer possible. Facebook now requires an HTTPS connection: the Secure Browsing option under Account Settings is no longer available.
When creating a Messenger chat bot you must force people to subscribe to your page before they can use it.
To do this you need a Secure Callback URL, a standard http:// address won't do, it must be https://
I don't have a Secure Callback URL at my disposal. Can anyone recommend a site/way for me to get one?
You can configure your domain name with cloudflare to use it as a proxy between the user & your webserver.
You can enable their flexible SSL, which is free of charge and very easy to configure. You can find more details here and here. I've recently configured my FB Chatbot webhook with cloudflare free SSL and it works pretty well.
Facebook recently changed the security settings on Account Configs; now there is no longer an option to force, or not, an application to use the HTTPS protocol.
Therefore, it isn't possible to do an app without an SSL key. Previously we could just leave the Secure Canvas URL field empty and access the canvas app through the HTTP protocol. But now, without the option in the security user config, the facebook app keeps redirecting to the HTTPS protocol.
So, is there some workaround for this?
As CBroe says, you need SSL.
There are 2 things you need in my opinion:
A webserver with SSL.
If you're on OS X and you run Apache, this tutorial really helps:
http://blog.andyhunt.info/2011/11/26/apache-ssl-on-max-osx-lion-10-7/, plus you might want to add your certificate as a trusted (root?) certificate, or certificate authority. (I'm not very well versed in this.)
The only caveat I found, especially for Chrome, is that when you're generating the Certificate Request File, under Common Name you should place "localhost" or the host you're using for development. This last caveat should be similar in Windows, since it's a browser requirement that the certificate common name matches the actual host. Browsers like Firefox allow you to permanently trust a certificate, thus avoiding all the certificate installation on the OS and trusting.
A proxy app
A proxy-like app to act as a man in the middle and decode the encrypted information, in order to see the actual requests and responses being sent to and received from the server. There should be other software, but the one I use and love is Charles Proxy, which can do this and tons more.
Hope it helps!
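The host-name caveat in the answer above, spelled out as an added example (this is not code from the original answer or from the linked tutorial): the check a browser applies to a development certificate, written in plain Python against the dictionary layout that `ssl.SSLSocket.getpeercert()` returns. It shows why the Common Name (or, for current browsers, a subjectAltName entry) must equal the host you actually type into the address bar, e.g. `localhost`, and it goes slightly beyond the answer by covering the subjectAltName rules and wildcards. The sample certificate dictionaries, the wildcard host names and the `allow_cn_fallback` switch are constructed for illustration.

```python
"""Added example: browser-style host-name matching for a dev certificate.

Input is the dict layout of ssl.SSLSocket.getpeercert(); the sample certs
below are constructed by hand, not real certificates.
"""


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; a wildcard is only
    allowed as the whole left-most label, never matches across a dot, and
    (as browsers require) must leave at least two fixed labels."""
    pattern = pattern.lower()
    hostname = hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname, allow_cn_fallback=True):
    """Return True if `cert` is valid for `hostname`.

    If the certificate carries any DNS subjectAltName entries, only those
    count. The Common Name is consulted only when there are none and
    allow_cn_fallback is True; Chrome (58 and later) never falls back to the
    CN, so set the flag to False to model it.
    """
    san_dns = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_name_matches(p, hostname) for p in san_dns)
    if not allow_cn_fallback:
        return False
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


# Constructed sample certificates in getpeercert() layout (assumptions).
CERT_CN_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}
CERT_CN_MACHINE_NAME = {"subject": ((("commonName", "MyDevBox"),),)}  # the mistake the answer warns about
CERT_WITH_SAN = {
    "subject": ((("commonName", "ignored-when-san-present"),),),
    "subjectAltName": (("DNS", "localhost"), ("DNS", "*.dev.example.test")),
}


def report(hostname="localhost"):
    """Summarise which sample certificate a browser would accept for hostname."""
    return {
        "cn_only_legacy_browser": cert_matches_host(CERT_CN_LOCALHOST, hostname),
        "cn_only_chrome": cert_matches_host(CERT_CN_LOCALHOST, hostname, allow_cn_fallback=False),
        "cn_is_machine_name": cert_matches_host(CERT_CN_MACHINE_NAME, hostname),
        "san_cert": cert_matches_host(CERT_WITH_SAN, hostname),
    }


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Practical upshot for the Apache tutorial: put the development host in the Common Name for old browsers and, because Chrome ignores the CN entirely, also in a `subjectAltName` extension; otherwise the browser will refuse the certificate no matter how thoroughly it is trusted on the OS.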
I have a relatively successful app in the app store that allows people to view metrics on their iDevice using a JSON file hosted on the their server. The app has a simple settings screen in which you simply type the URL of your JSON file and the app takes care of visualising the data in the file. I use AFNetworking for this.
For example the URL might be: http://www.mylargecompany.com/factorykpi.json
Customers are now coming back to me and asking for the ability to connect to their servers more securely. Problem is there is a myriad of ways you can secure your server.
I need some advice. What kind of standard security features would I need to build into my app. I am confused by OAuth, HTTPS, etc.
I believe OAuth would mean the customers server would have to use it? Can you make a generic OAuth login screen in an app or do you need to know which web server you are connecting to authenticate.
Any advice on even the most basic of security measure would be very welcome!
Regards,
MonkeyBusiness
Security is really a very broad topic. There is no short answer. In any case, both the web service and the client app need to implement security mechanisms. I would recommend you provide both the web service and the client app.
You likely need some user login with a password, "server verifies user identity" and "client verifies server identity" using certificates. Then you utilize HTTPS, which ensures that confidential data is transported in a secure way. The web service should be implemented with one of the well-known web application frameworks, since security is a scary business, and tricky. Implementing everything yourself might end in a suboptimal, insecure application.
You should now read more about the complex topic and come back when you have specific questions.
... the most basic would be to use https, which would secure the transaction, but anybody accessing the same link would be able to access the same data. Thus you will need some kind of authentication, starting with a simple secret key passed in a POST request, a username and password, and/or certificates.
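The "simple secret key" option from the answer above, done the way a practitioner would actually deploy it, as an added example (not code from either answer, and not AFNetworking code; the same computation is available on iOS via CommonCrypto's HMAC functions). Rather than sending the secret itself in the POST body, the client sends an HMAC over the request plus a timestamp; the server recomputes it with the shared secret, compares in constant time, and rejects stale requests. The path, secret, body and clock values are constructed for illustration. TLS is still required underneath: this authenticates the caller, it does not hide the data.

```python
"""Added example: HMAC-signed requests over HTTPS for a JSON-metrics API.

Both halves are shown so the client app and the web service agree on the
canonical form.  Secret, path, body and timestamps are made up.
"""

import hashlib
import hmac
import json

# How far apart the client's and server's clocks may be before a request is
# treated as a replay (assumption; tune to your environment).
REPLAY_WINDOW_SECONDS = 300


def _canonical(method, path, body, timestamp):
    """Bind method, path, body hash and timestamp into one byte string so
    that none of them can be swapped without invalidating the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret, method, path, body, timestamp):
    """Client side: headers to attach to the request (the secret never leaves
    the device)."""
    mac = hmac.new(secret, _canonical(method, path, body, timestamp), hashlib.sha256)
    return {"X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}


def verify_request(secret, method, path, body, headers, now):
    """Server side: True only if the signature is valid for this exact
    request and the timestamp is within the replay window."""
    try:
        ts = int(headers["X-Timestamp"])
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False
    expected = hmac.new(secret, _canonical(method, path, body, ts), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(expected, provided)


# Constructed sample values.
SHARED_SECRET = b"constructed-shared-secret-for-this-example"
SAMPLE_PATH = "/factorykpi.json"
SAMPLE_BODY = json.dumps({"report": "factorykpi", "range": "today"}).encode()


def demo():
    """Walk through a good request, a replayed one and a tampered one."""
    sent_at = 1_700_000_000
    headers = sign_request(SHARED_SECRET, "POST", SAMPLE_PATH, SAMPLE_BODY, sent_at)
    return {
        "fresh": verify_request(SHARED_SECRET, "POST", SAMPLE_PATH, SAMPLE_BODY, headers, sent_at + 10),
        "replayed_later": verify_request(SHARED_SECRET, "POST", SAMPLE_PATH, SAMPLE_BODY, headers, sent_at + 301),
        "body_tampered": verify_request(SHARED_SECRET, "POST", SAMPLE_PATH, b'{"report":"other"}', headers, sent_at + 10),
        "wrong_secret": verify_request(b"wrong", "POST", SAMPLE_PATH, SAMPLE_BODY, headers, sent_at + 10),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The server must still look the secret up per customer (one key per tenant) and rotate it; a timestamp alone does not stop a replay inside the window, so a nonce store is the next step if that matters for the metrics endpoint.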
How do you check if a domain has enabled the GData Provisioning API without trying to modify the domain?
The only way I have been able to find that will give an API failure response is doing something like trying to create a new user. This is obviously a terrible way to do it.
The response when I request access through OAuth is the same independent of whether they have checked the domain setting. Get requests (like getting the domain's list of users) does not require this setting being enabled.
Since you're doing OAuth, you should have the email address of the admin whom you're acting as. Try toggling that user's ipWhitelisted flag. This flag is pretty much meaningless, but you should probably flip it back if you succeed anyway.
https://developers.google.com/google-apps/provisioning/#updating_a_user_account
If you're open to adding additional OAuth scopes, consider adding the Admin Settings API scope and attempting to retrieve settings there; I'm pretty sure the read-only calls to the Admin Settings API will fail if the Prov. API flag is disabled in CPanel.
https://developers.google.com/google-apps/admin-settings/
My site will be using APIs like Paypal and also making Facebook Apps. So let's say for Facebook, they allow only https for Apps to work with them. Mine is only hosted on an http site.
So can I solve this problem by buying Shared Hosting with SSL included?
Is it a solution? Or do I need to buy my own Certificate?
I don't have enough knowledge about SSL. Any suggestion please.
There are a lot of providers that offer an SSL certificate for your domain on shared hosting. Normally they will handle the installation for you; I'm not sure if you can install your own certificate. Some providers even offer to use their own certificate for free, though you will have to use a URL like https://www.providerdomain.com/yourdomain/... then.
Apart from dubious offerings, you can distinguish between cheaper domain-validated SSL certificates and the more expensive extended-validation SSL certificates (EV).
Both certificates are technically the same (the connection is encrypted), but domain-validated certificates are cheaper, because the seller only has to check the domain. The EV certificates also require information about the owner of the domain, and the seller should check whether this information is correct (more administrative effort).
In most cases the domain-validated certificate is fine; the user will have no disadvantages, and the EV certificates are really (too) expensive.
"So can I solve this problem by buying Shared Hosting with SSL included?"
SSL on shared hosting usually implies that you cannot access your own domain via SSL, but have to use something like https://youraccount.yourhostersserver.tld
That means other users on your server might use that same domain in their apps, if they only rely on the shared SSL certificate as well. Let one of them spam on Facebook, and in the worst-case scenario the whole domain yourhostersserver.tld might get blocked by Facebook.
Also, if a user gets into “direct contact” with your app’s website, they might see this URL as well (as long as you stay inside Facebook, canvas/page tab app, most users will probably not notice it).
So I would not really recommend this option; at least not for something that you consider halfway important.