This discussion has been archived. No new comments can be posted.

Google Extends SSL To Developer-Facing APIs

  • by mirix (1649853)

    Encryption is like bacon. The more the better.

  • by seifried (12921) on Thursday March 17, 2011 @11:50PM (#35525972) Homepage

    Since we generally can't just shut down access to port 80 yet (people would just get errors and confused and angry) there are two methods you can use to transition clients to HTTPS. Use HTTP Strict Transport Security, which will address newer clients like Chrome; ideally they access your site securely the first time and you essentially tell them "from now on use HTTPS" for a specific amount of time (the longer the better):

    # One value, directives separated by ";" ("Header append" would join them with a comma)
    Header set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    The second will address current clients, but will not prevent things like Firesheep. However it will hopefully result in people bookmarking your site with HTTPS and so on:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]

    This should also in theory cause any incoming links from sites that generate them dynamically (e.g. search engines) to take the permanent redirect and update their links (so if someone searches for you and clicks on the link it'll be an HTTPS link).
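Added example, not part of the comment above or of any project's code: a Python check of the redirect-plus-HSTS setup that comment describes, including the comma-joined header value that Apache's `Header append` produces. The function names `parse_hsts` and `audit` and the sample responses are assumptions constructed for illustration.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return (max_age, include_subdomains, problems)."""
    problems = []
    max_age, include_sub = None, False
    if "," in value:
        # Apache's "Header append" joins values with ", "; HSTS directives use ";".
        problems.append("comma-joined value is not valid HSTS syntax")
        value = value.split(",", 1)[0]
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if re.fullmatch(r"[0-9]+", arg):
                max_age = int(arg)
            else:
                problems.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        problems.append("missing max-age")
    return max_age, include_sub, problems

def audit(scheme, status, headers):
    """Check one response against the redirect-plus-HSTS setup described above."""
    h = {k.lower(): v for k, v in headers.items()}
    sts = h.get("strict-transport-security")
    if scheme == "http":
        findings = []
        if status != 301 or not h.get("location", "").startswith("https://"):
            findings.append("plain HTTP is not permanently redirected to https://")
        if sts is not None:
            findings.append("HSTS header on plain HTTP is ignored by clients")
        return findings
    if sts is None:
        return ["no Strict-Transport-Security header on HTTPS response"]
    return parse_hsts(sts)[2]

# Constructed sample responses (scheme, status, headers); not captured from a real site.
SAMPLES = [
    ("http", 301, {"Location": "https://www.example.com/"}),
    ("https", 200, {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"}),
    ("https", 200, {"Strict-Transport-Security": "max-age=15552000, includeSubDomains"}),
    ("http", 200, {"Strict-Transport-Security": "max-age=15552000"}),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], audit(*sample) or "ok")
```
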

    • Re: (Score:3, Informative)

      by wunderbus (1545573)
      If you're using Java servlets, you can include the following in your web.xml:

      <!-- Redirects all http requests to https. Does not send cookies with the redirect. -->

      <!-- Prevents the application from appending
  • by xophos (517934) on Friday March 18, 2011 @09:14AM (#35528712)

    Typing [] just brings you back to []
    Is it too hard to do, or does no one care here?

  • One of the long-standing shortcomings of App Engine was the lack of server certificate validation in the URL Fetch service. Google apparently took care of that [] as well.
