Redirect agent; Some information is only visible by hovering over the row or by changing the display settings. Some information may not be available on older logs. Log entries can be deleted by clicking the delete link, by using the checkboxes and the Bulk Action dropdown, or by clicking the Delete All button at the bottom of the page. 1.Typewrite-host 'Hello World' andpresstheEnter key 2.Type write-host -foregroundcolor yellow 'Hello World' 3.Get PowerShell to print in blue text on a yellow background? Redirect agent; Some information is only visible by hovering over the row or by changing the display settings. Some information may not be available on older logs. Log entries can be deleted by clicking the delete link, by using the checkboxes and the Bulk Action dropdown, or by clicking the Delete All button at the bottom of the page. 404bypass is designed to help you avoid 404 errors by generating a redirect file for your website. This is especially useful when a redesign leads to pages being assigned a new URL. 404bypass scans your old and new website, automatically compares the scan results and generates a list of redirects. It also allows you to manually match or add. Jul 07, 2020 Step 1: Use IIS Manager to remove the Require SSL setting from the default website. Open IIS Manager on the Exchange server. An easy way to do this in Windows Server 2012 or later is to press Windows key + Q, type inetmgr, and select Internet Information Services (IIS) Manager in the results.
Really Simple SSL automatically detects your settings and configures your website to run over https.
To keep it lightweight, the options are kept to a minimum. The entire site will move to SSL.
Always backup before you go! If you do not have a sound backup policy, start having one! See our recommendations.
Any code suggestions? We’re on GitHub as well!
Hopefully this plugin saves you some hours of work. If you want to support the continuing development of this plugin, you might consider buying the premium, which includes
some cool features.
Check out other plugins developed by Really Simple Plugins as well: Complianz, Zip Recipes and WP Search Insights.
contact me if you have any questions, issues, or suggestions. Really Simple SSL is developed by Really Simple Plugins.
Translations can be added very easily here. If you do, I can get you added as translation editor to approve the translations.
To install this plugin:
For more detailed explanations and documentation on redirect loops, deactivating, mixed content, errors, and so on, please search the documentation
On a site where the source consists of about 60.000 characters, the delay caused by the mixed content fixer is about 0.00188 seconds. If this is too much for you, fix the mixed content manually and deactivate it in the settings.
The plugin checks your certificate before enabling, but if, for example, you migrated the site to a non-ssl environment, you might get locked out of the back-end.
If you can’t deactivate, do not just remove the plugin folder to uninstall! Follow these instructions.
Most mixed content issues are caused by URL’s in css or js files.
For detailed instructions on how to find mixed content read this article.
If you are experiencing redirect loops on your site, try these instructions.
Yes. There is a dedicated network settings page where you can switch between network activated SSL and per page SSL. In the dedicated pro for multisite plugin, you can override all site settings for SSL on the network level, and can activate and deactivate SSL in the network menu for each site.
This post describes OAuth 2.0 in a simplified format to help developers and service providers implement the protocol.
The OAuth 2 spec can be a bit confusing to read, so I've written this post to help describe the terminology in a simplified format. The core spec leaves many decisions up to the implementer, often based on security tradeoffs of the implementation. Instead of describing all possible decisions that need to be made to successfully implement OAuth 2, this post makes decisions that are appropriate for most implementations.
Note: This post has been updated from the original 2012 version based on the current best practices of OAuth 2.0. The original version can be found here.
The client is the application that is attempting to get access to the user's account. It needs to get permission from the user before it can do so.
The resource server is the API server used to access the user's information.
This is the server that presents the interface where the user approves or denies the request. In smaller implementations, this may be the same server as the API server, but larger scale deployments will often build this as a separate component.
The resource owner is the person who is giving access to some portion of their account.
Before you can begin the OAuth process, you must first register a new app with the service. When registering a new app, you usually register basic information such as application name, website, a logo, etc. In addition, you must register a redirect URI to be used for redirecting users to for web server, browser-based, or mobile apps.
The service will only redirect users to a registered URI, which helps prevent some attacks. Any HTTP redirect URIs must be served via HTTPS. This helps prevent tokens from being intercepted during the authorization process. Native apps may register a redirect URI with a custom URL scheme for the application, which may look like demoapp://redirect
.
After registering your app, you will receive a client ID and optionally a client secret. The client ID is considered public information, and is used to build login URLs, or included in Javascript source code on a page. The client secret must be kept confidential. If a deployed app cannot keep the secret confidential, such as single-page Javascript apps or native apps, then the secret is not used, and ideally the service shouldn't issue a secret to these types of apps in the first place.
The first step of OAuth 2 is to get authorization from the user. For browser-based or mobile apps, this is usually accomplished by displaying an interface provided by the service to the user.
OAuth 2 provides several 'grant types' for different use cases. The grant types defined are:
Each use case is described in detail below.
Web server apps are the most common type of application you encounter when dealing with OAuth servers. Web apps are written in a server-side language and run on a server where the source code of the application is not available to the public. This means the application is able to use its client secret when communicating with the authorization server, which can help avoid many attack vectors.
Create a 'Log In' link sending the user to:
The user sees the authorization prompt
If the user clicks 'Allow,' the service redirects the user back to your site with an authorization code
You should first compare this state value to ensure it matches the one you started with. You can typically store the state value in a cookie or session, and compare it when the user comes back. This helps ensure your redirection endpoint isn't able to be tricked into attempting to exchange arbitrary authorization codes.
Your server exchanges the authorization code for an access token by making a POST request to the authorization server's token endpoint:
The server replies with an access token and expiration time
or if there was an error
Security: Note that the service must require apps to pre-register their redirect URIs.
Single-page apps (or browser-based apps) run entirely in the browser after loading the source code from a web page. Since the entire source code is available to the browser, they cannot maintain the confidentiality of a client secret, so the secret is not used in this case. The flow is based on the authorization code flow above, but with the addition of a dynamically generated secret used on each request. This is known as the PKCE extension.
Note: Previously, it was recommended that browser-based apps use the 'Implicit' flow, which returns an access token immediately in the redirect and does not have a token exchange step. In the time since the spec was originally written, the industry best practice has changed to recommend that the authorization code flow be used without the client secret. This provides more opportunities to create a secure flow, such as using the PKCE extension. Further reading: OAuth 2.0 Security Best Current Practice (ietf.org), OAuth 2.0 for Browser-Based Apps (ietf.org).
Create a random string between 43-128 characters long, then generate the url-safe base64-encoded SHA256 hash of the string. The original random string is known as the code_verifier
, and the hashed version is known as the code_challenge
.
Create a random string (code verifier), e.g. 5d2309e5bb73b864f989753887fe52f79ce5270395e25862da6940d5
Create the SHA256 hash, then base64-encode the string (code challenge): MChCW5vD-3h03HMGFZYskOSTir7II_MMTb8a9rJNhnI
(You can use the helper utility at example-app.com/pkce to generate a secret and hash.)
Create a 'Log In' link like the authorization code flow above, but now include the code challenge in the request:
The user sees the authorization prompt
If the user clicks 'Allow,' the service redirects the user back to your site with an auth code
You should first compare this state value to ensure it matches the one you started with. You can typically store the state value in a cookie, and compare it when the user comes back. This ensures your redirection endpoint isn't able to be tricked into attempting to exchange arbitrary authorization codes.
You can find a complete example of using PKCE in JavaScript in my blog post Is the OAuth Implicit Flow Dead?
Now you'll need to exchange the authorization code for an access token, but instead of providing a pre-registered client secret, you send the PKCE secret you generated at the beginning of the flow.
The authorization server will hash the verifier and compare it to the challenge sent in the request, and only issue the access token if they match. This ensures that even if someone was able to intercept the authorization code, they will not be able to use it to get an access token since they won't have the secret.
Like browser-based apps, mobile apps also cannot maintain the confidentiality of a client secret. Because of this, mobile apps also use the PKCE flow which does not require a client secret. There are some additional concerns that mobile apps should keep in mind to ensure the security of the OAuth flow.
Note: Previously, it was recommended that mobile and native apps use the Implicit grant. In the time since the spec was originally written, the industry best practice has changed to recommend using the authorization code flow with no secret for native apps. There are some additional recommendations for native apps that are worth reading as well.
Create a 'Log in' button sending the user to either the native app of the service on the phone, or a mobile web page for the service. Apps can register a custom URI scheme such as 'example-app://' so the native app is launched whenever a URL with that protocol is visited, or they can register URL patterns which will launch the native app if a URL matching the pattern is visited.
If the user has the native Facebook app installed, direct them to the following URL:
fb00000000://authorize
For servers that support the PKCE extension (and if you're building a server, you should support the PKCE extension), you'll also include the following parameters. First, create a 'code verifier' which is a random string that the app stores locally.
Note that your redirect URI will probably look like fb00000000://authorize
where the protocol is a custom URL scheme that your app has registered with the OS.
If the service does not have a native application, you can launch a mobile browser to the standard web authorization URL. Note that you should never use an embedded web view in your own application, as this provides the user no guarantee that they are actually are entering their password in the service's website rather than a phishing site.
You should either launch the native mobile browser, or use the new iOS 'SafariViewController' to launch an embedded browser in your application. This API was added in iOS 9, and provides a mechanism to launch a browser inside the application that both shows the address bar so the user can confirm they're on the correct website, and also shares cookies with the real Safari browser. It also prevents the application from inspecting and modifying the contents of the browser, so can be considered secure.
Again, if the service supports PKCE, then those parameters should be included as well as described above.
fb00000000://authorize
The user will see the authorization prompt
After clicking 'Approve', the user will be redirected back to your application with a URL like
Your mobile application should first verify that the state corresponds to the state that was used in the initial request, and can then exchange the authorization code for an access token.
The token exchange will look the same as exchanging the code in the web server app case, except that the secret is not sent. If the server supports PKCE, then you will need to include an additional parameter as described below.
The authorization server will verify this request and return an access token.
If the server supports PKCE, then the authorization server will recognize that this code was generated with a code challenge, and will hash the provided plaintext and confirm that the hashed version corresponds with the hashed string that was sent in the initial authorization request. This ensures the security of using the authorization code flow with clients that don't support a secret.
OAuth 2 also provides a 'password' grant type which can be used to exchange a username and password for an access token directly. Since this obviously requires the application to collect the user's password, it must only be used by apps created by the service itself. For example, the native Twitter app could use this grant type to log in on mobile or desktop apps.
To use the password grant type, simply make a POST request like the following:
The server replies with an access token in the same format as the other grant types.
Note, the client secret is not included here under the assumption that most of the use cases for password grants will be mobile or desktop apps, where the secret cannot be protected.
In some cases, applications may need an access token to act on behalf of themselves rather than a user. For example, the service may provide a way for the application to update their own information such as their website URL or icon, or they may wish to get statistics about the users of the app. In this case, applications need a way to get an access token for their own account, outside the context of any specific user. OAuth provides the client_credentials
grant type for this purpose.
To use the client credentials grant type, make a POST request like the following:
The response will include an access token in the same format as the other grant types.
The end result of all the grant types is obtaining an access token.
Now that you have an access token, you can make requests to the API. You can quickly make an API request using cURL as follows:
That's it! Make sure you always send requests over HTTPS and never ignore invalid certificates. HTTPS is the only thing protecting requests from being intercepted or modified.
OAuth 1.0 was largely based on existing proprietary protocols such as Flickr's 'FlickrAuth' and Google's 'AuthSub'. The result represented the best solution based on actual implementation experience. However, after several years of working with the protocol, the community learned enough to rethink and improve the protocol in three main areas where OAuth 1.0 proved limited or confusing.
You can read more about this in detail in my book OAuth 2.0 Simplified.
Previous versions of this post: