
We are developing an application in Angular2 and .NET CORE.

Our infrastructure is such that the front-end part is hosted over the https protocol and is exposed to the external world, whereas the services (.NET Core REST APIs) are to be availed on servers accessible over the http protocol.

Since in Angular 2 the call to services is ultimately also made from the client end, the client can connect either to the https protocol or to the http protocol, and as a result we get a Mixed-content error (as observed in the console in Google Chrome).

Is there a way we can make sure in Angular 2 that the call to services gets initiated from the web server (where Angular 2 is hosted) and not the client?

ekad
Navin Sharma
  • Why don't you force https, such that all requests to http:// are redirected to https://? – Obed Amoasi Mar 05 '18 at 10:18
  • You can also try referring to [this](https://stackoverflow.com/questions/18839524/how-to-use-https-in-angularjs) link. – Kiran Rani Mar 05 '18 at 19:18
  • Thanks guys, but my problem is not consumption of https; I am able to consume https by specifying the full URL. The problem is that the services are not publicly exposed for this Internet application, and hence in the Production environment, when the application goes live, if the call to the service gets initiated from the client it won't reach the server. Hence I was looking for an alternative (if possible) to have the web server initiate the call to the services on the App Layer. – Navin Sharma Mar 06 '18 at 09:15

1 Answer

Just to clarify: A website will always use the user's browser to make a request to a client. This can be confirmed by sniffing things like the request's IP address. Using another computer to make an http call for you would be highly dangerous and would likely come into the category of Remote Access Tooling, a form of system hacking. Imagine if you could query a bank's website and make the bank think you were hitting it from an internal computer!

It is on these grounds that you are able to add security such as blacklisting IP addresses based on Geography, or altering content (such as Netflix UK vs Netflix US etc).

If you want to implement a secure architecture I would recommend the following (this is what we do in an investment bank):

  1. Expose a few end points publicly; this is what will be used to communicate from the front end to the back end, and essentially bridge the gap.
  2. These servers can then make calls to your secured network and can hide any private network traffic.
  3. Return the data from the private network to the front end via the public end point.

Think of the public endpoints as a cloaking device, as it provides a controlled entry point which can be covered with defences like CORS, Authorisation and Authentication etc., and also masks any objects back into public view models.

Let me know if you want more information :)

adamturner
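As an added example (not the answerer's code or the asker's project), here is what steps 1 to 3 above look like as a single ASP.NET Core controller: the only publicly exposed endpoint, which calls the private http service server-to-server and hands back a trimmed public view model. The names `AccountDto`, `AccountViewModel`, the `FrontEndOnly` CORS policy and the private host are assumptions for illustration.

```csharp
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Cors;
using Microsoft.AspNetCore.Mvc;
using Newtonsoft.Json;

// Shape returned by the private service (assumed). It carries fields the
// front end must never see, which is exactly what the public endpoint masks.
public class AccountDto
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string InternalLedgerRef { get; set; }   // internal only
    public string OwnerEmail { get; set; }          // internal only
}

// Public view model: only what the Angular front end needs.
public class AccountViewModel
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
}

[Authorize]                    // authentication/authorisation enforced at the bridge
[EnableCors("FrontEndOnly")]   // policy (registered in Startup) allowing only the https front-end origin
[Route("api/public/accounts")]
public class PublicAccountsController : Controller
{
    private readonly HttpClient _privateApi;

    // HttpClient registered in Startup with BaseAddress = "http://private-api.internal/"
    // (assumed host). The plain-http hop is server-to-server, so the browser never sees it
    // and no mixed-content error occurs.
    public PublicAccountsController(HttpClient privateApi) => _privateApi = privateApi;

    // A fixed route with a typed parameter: the client cannot supply an arbitrary
    // private URL, so the bridge is not an open proxy into the secured network.
    [HttpGet("{id:int}")]
    public async Task<IActionResult> Get(int id)
    {
        HttpResponseMessage response = await _privateApi.GetAsync($"accounts/{id}");
        if (!response.IsSuccessStatusCode)
            return StatusCode(502);   // do not relay the private service's error body

        var dto = JsonConvert.DeserializeObject<AccountDto>(await response.Content.ReadAsStringAsync());
        // Map to the public view model so internal fields never cross the boundary.
        return Ok(new AccountViewModel { Id = dto.Id, DisplayName = dto.DisplayName });
    }
}
```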