Many people have answered how to get the user-agent from a WebView, but I need the default user-agent that is normally sent in the http headers of an NSURLRequest. What is the best way to get that one?
I have an iOS app where the user can make HTTP requests from their phone and the server returns information based on the zip code that the user provides through the phone.
My issue is that anyone can type the URL and the server would respond with the information that corresponds to the zip code they input e.g. http://example.com/zip-code/78515.
My question is, can I limit the server to only respond to requests made from my iOS app without the user having to create a user and password? In other words, if someone types http://example.com/zip-code/78515 directly in a browser I want the server to ignore the request, but if the request comes from my iOS app I want the server to respond accordingly.
For the HTTP request I'm using Laravel.
Here is my Laravel code.
Route:
    Route::get('zip-code/{zipCode}', 'AppsAPIController@information'); // Laravel's Controller@method action syntax
Controller:
    use App\CityInfo; // assumes the model lives in the default App namespace

    class AppsAPIController extends Controller
    {
        public function information($zipCode)
        {
            // Returns every CityInfo row for the requested zip code (serialised as JSON)
            $info = CityInfo::where('ZipCode', $zipCode)->get();
            return $info;
        }
    }
Request:
http://example.com/zip-code/78515
Again, the question is, how can I limit the server to only respond to requests made from my iOS app without the user having to create a username and password?
This package seems to do that
https://github.com/spinen/laravel-browser-filter
Basically, you are adding a middleware that reads the user agent out of the request, and denies the rest.
There is no foolproof way to respond only to requests made by your app.
User agent sniffing, navigator feature detection, and like measures may deter most basic attempts to load information from that url (like search engine bots), but anyone with a little time can learn to replicate the HTTP requests made by your app, defeating those measures.
Even requiring a login will not prevent external requests (they can send requests matching your login workflow to obtain a valid token, then request the restricted url with it).
(via the comments) I just don’t want to overload the server with unnecessary requests.
In that case, there's a much better solution. Laravel ships with a throttle middleware, which you can use to limit the number of requests per minute per IP (or per logged-in user, if they're authenticated).
Just add throttle:60,1 to your route's middleware and it'll max out at 60 requests per minute for a particular IP address. Set it to something relatively high (so normal use doesn't hit it), but it'll prevent millions of requests from the same IP from using up too many resources.
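To make the throttle:60,1 semantics concrete, here is an added Python model of that middleware's behaviour (example code written for this page, not Laravel's own implementation). The two parameters mean the same thing as in the middleware string: at most 60 requests per 1-minute window for a given key, here the client IP, and the limit is checked before the request is counted. The access-log lines it replays are constructed. One caveat worth keeping in mind: many clients behind one NAT or proxy share a source IP and therefore a bucket, which is why the answer recommends setting the limit well above normal use.

```python
"""Per-client request throttle modelled on Laravel's throttle:60,1 middleware.

Added example, not Laravel's own code. The two parameters mean the same
thing as in the middleware string: at most `max_attempts` requests per
`decay_minutes`-minute window for a given key (here the client IP).
"""


class Throttle:
    def __init__(self, max_attempts=60, decay_minutes=1):
        self.max_attempts = max_attempts
        self.decay_seconds = decay_minutes * 60
        self._buckets = {}  # key -> (window_start, hits_in_window)

    def hit(self, key, now):
        """Record one request from `key` at time `now` (epoch seconds).

        Returns (allowed, remaining, retry_after_seconds). As in the Laravel
        middleware, the limit is checked before the request is counted.
        """
        start, hits = self._buckets.get(key, (now, 0))
        if now - start >= self.decay_seconds:
            start, hits = now, 0  # window expired, start a fresh one
        if hits >= self.max_attempts:
            self._buckets[key] = (start, hits)
            return False, 0, int(start + self.decay_seconds - now)
        hits += 1
        self._buckets[key] = (start, hits)
        return True, self.max_attempts - hits, 0


def simulate(lines, max_attempts=60, decay_minutes=1):
    """Replay constructed access-log lines ("<epoch> <ip> <path>") through
    the throttle and return one tuple per request:
    (ip, path, status, remaining, retry_after)."""
    throttle = Throttle(max_attempts, decay_minutes)
    results = []
    for line in lines:
        ts, ip, path = line.split()
        allowed, remaining, retry_after = throttle.hit(ip, float(ts))
        results.append((ip, path, 200 if allowed else 429, remaining, retry_after))
    return results


def denied_by_ip(results):
    """Count 429 responses per client, the figure you would alert on."""
    counts = {}
    for ip, _path, status, _remaining, _retry in results:
        if status == 429:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample traffic: one client hits the endpoint twice a second
# for about half a minute, a second client makes a single request, then the
# first client comes back after its window has expired.
SAMPLE_LOG = (
    [f"{1000 + i * 0.5:.1f} 10.0.0.5 /zip-code/78515" for i in range(65)]
    + ["1033.0 10.0.0.9 /zip-code/78515", "1062.0 10.0.0.5 /zip-code/78515"]
)

if __name__ == "__main__":
    for ip, path, status, remaining, retry_after in simulate(SAMPLE_LOG):
        print(f"{ip} {path} -> {status} remaining={remaining} retry_after={retry_after}")
    print("denied per IP:", denied_by_ip(simulate(SAMPLE_LOG)))
```

Running it shows the first 60 requests from 10.0.0.5 accepted, the next five rejected with a shrinking retry-after, the other client unaffected, and the first client accepted again once a minute has passed since its window opened.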
When the webhosting option is activated for an app in Back4App, you get a subdomain like http://someapp.back4app.io; if you access someapp.back4app.io, http is used by default instead of https.
Regarding this, I only found https://blog.back4app.com/2017/11/09/parse-server-best-practices/, but that only speaks about checking the http/https protocol via javascript in every page/function/api-endpoint and redirecting if it's not https, which is quite tedious.
Is there a way to globally redirect any http request to my Back4App pages to https?
I checked with the Back4app's Support Team and, in that case, it's possible to do only on Dedicated Plans. For more info, I kindly ask you to contact them.
I installed Fiddler and made a GET request. It gives me what is returned from the server in headers and cookies etc. Now I want to know the way to check (using Fiddler) what is being posted to the server when I post a form (with some values in text boxes using Firefox or any browser). Remember I am not seeking to know the way to compose a POST request in Fiddler. I want to know what the browser sends to the server. Actually, composing a POST request is not working and it returns the same page which I posted, so I want to know what the browser is doing which I am unable to do?
Thanks in advance.
Click on the request that you wish to see in Fiddler, right click and select "Decode Selected Sessions".
If you're saying: "I don't see any traffic in Fiddler's Web Sessions list when sending a POST from Internet Explorer", you should follow the troubleshooting steps listed here: https://groups.google.com/forum/#!topic/httpfiddler/SsZnGxdxklg
If the target page is HTTPS, you need to ensure that you enable HTTPS decryption or you won't see anything other than the CONNECT tunnel through which HTTPS traffic flows.
Otherwise, if you do see the POST in the Web Sessions list, double-click it to activate the Inspectors tab. Use the Web Forms tab or the Raw tab to see the data posted from the client application.
You might want to watch the Fiddler tutorial videos to quickly get up to speed on how to use Fiddler: http://www.youtube.com/playlist?list=PLvmaC-XMqeBbw72l2G7FG7CntDTErjbHc
We're developing an HTTP API for an iPad app, and we're thinking of only allowing the API to be accessed via an HTTP request that came from an iPad.
I'm not thinking of something like the User-Agent, because that can easily be forged, but more like some kind of authentication scheme that ties in with the App Store? Maybe the App Store signs each app with some kind of private key, and then you could insert that signature as a query parameter or header in the request and check on the server side whether the signature is from a legit iPad.
Is something like this possible or even a good idea?
If you control both the iPad app and the server app, you should be able to use PKI to validate that a request came from a legitimate app. Embed the public key in the app itself, use it to encrypt a value you put in a header field, and then use the private key on the server to decrypt and validate the received header value.
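As an added illustration of the app-held-key idea in the answer above (example code written for this page, not the answerer's or Apple's), the following Python shows the server side of such a check. It swaps the answer's "encrypt a header value with a public key embedded in the app" for the more usual symmetric form: the app computes an HMAC over the request method, path and a timestamp with a key compiled into it, and the server recomputes and compares. The header names, key and timestamps are constructed. The limitation the earlier answer raised applies unchanged: whatever key ships inside the app binary can be extracted, so this stops direct URL typing and casual scripting rather than proving the request came from a genuine device. The timestamp window is there so a captured header cannot simply be replayed later.

```python
"""Server-side check of an app-signed request header.

Added example, not code from the answer above. The app holds a key and
computes an HMAC over method, path and a timestamp; the server recomputes
and compares. Header names, key and timestamps are constructed for the demo.
"""
import hashlib
import hmac
import time

# Constructed demo key. In the scheme described it would be compiled into the
# app and known to the server; anyone who extracts it from the binary can
# produce valid headers, so this only raises the bar for casual direct access.
APP_KEY = b"example-app-key-not-a-real-secret"
MAX_SKEW_SECONDS = 300  # reject signatures older than five minutes (replayed captured headers)


def sign_request(method, path, timestamp, key=APP_KEY):
    """Client side: value for the X-App-Signature header."""
    message = f"{method.upper()}\n{path}\n{int(timestamp)}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_request(method, path, headers, now=None, key=APP_KEY):
    """Server side: return (ok, reason) for a request carrying
    X-App-Timestamp and X-App-Signature headers."""
    now = time.time() if now is None else now
    ts = headers.get("X-App-Timestamp")
    sig = headers.get("X-App-Signature")
    if ts is None or sig is None:
        return False, "missing signature headers"
    try:
        ts_int = int(ts)
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_request(method, path, ts_int, key)
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


def demo(now=1_700_000_000):
    """Run four constructed requests through the check and return their outcomes."""
    path = "/zip-code/78515"
    app_headers = {
        "X-App-Timestamp": str(now),
        "X-App-Signature": sign_request("GET", path, now),
    }
    return {
        "app request": verify_request("GET", path, app_headers, now=now),
        # Someone typing the URL into a browser sends no signature headers.
        "browser request": verify_request("GET", path, {}, now=now),
        # The same captured headers presented again ten minutes later.
        "replayed later": verify_request("GET", path, app_headers, now=now + 600),
        # Signed headers reused for a different zip code.
        "other path": verify_request("GET", "/zip-code/00000", app_headers, now=now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} -> {'accept' if ok else 'reject'} ({reason})")
```

Binding the path into the signed message is what stops a valid header from being reused against a different zip code; binding the timestamp bounds how long a captured header stays usable.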
I would like to ask whether the User-Agent property in the HTTP request header is only sent via a browser?
When I send an http/https request from a BlackBerry application, it seems there is no user-agent contained in the http header.
Thanks very much!
Also, if it is not possible to get the user agent from the request, are we able to get the user agent from Blackberry device?
Thanks!
No, User-Agent is not sent automatically if you use javax.microedition.io.HttpConnection from within your application.
Instead, use
    import javax.microedition.io.Connector;
    import javax.microedition.io.HttpConnection;
    import net.rim.device.api.io.http.HttpProtocolConstants;

    // Open the connection with timeouts enabled, then set the User-Agent header explicitly
    HttpConnection con = (HttpConnection) Connector.open(myURL, Connector.READ_WRITE, true);
    con.setRequestProperty(HttpProtocolConstants.HEADER_USER_AGENT, "MyBlackberryApplication/1.0");
    ...
If you need information about the device to send along the agent string, all of it (OS version, device etc.) is accessible via BlackBerry API: look at this class: net.rim.device.api.system.DeviceInfo
For unsigned j2me applications you can't set the user-agent and it will always be
UNTRUSTED/1.0
http://www.j2megame.org/j2meapi/JSR_271_Mobile_Information_Device_Profile_3_0/javax/microedition/io/package-summary.html
This behavior for the Unidentified domain applications is specified in the Mobile Service Architecture (JSR 248) specification
Yes, according to the Java document (javax.microedition.io), it seems that user-agent is not automatically included unless you set it.
The application is responsible for formatting and requesting that the User-Agent field be included in HTTP requests via the setRequestProperty method in the interface
http://www.j2megame.org/j2meapi/JSR_271_Mobile_Information_Device_Profile_3_0/javax/microedition/io/package-summary.html
Turning the level from untrusted to maximum in WTK (Edit-Preference-Security-Security domain) can help with the "untrusted" user-agent problem in http requests.