Hi,
I'm currently evaluating the cloud service in an asp.net app.
With regard to the httpcontext object that the getdeviceinfo method takes as a parameter, can you tell me:
Is the complete http request sent to the cloud?
Is this sent in plain text?
Is any of this data stored on the cloud?
I'm concerned that some customer/sensitive data could be exposed through use of the service. Is there any option to send just the user agent info if this is the case?
Http Request Security
Re: Http Request Security
Hi,
The HTTP headers from the request are passed to our cloud servers for evaluation in plain text. Using SSL would be an idea, but our experience is that performance suffers significantly due to the security handshaking. We store the request with some HTTP headers for quality control and for discovering new and improperly detected devices. Note that with the Premium level account, you can use memory-based caching, which will only send one sample HTTP request per unique user agent, so on a high-traffic site, the ratio of requests that are being sent to our servers could easily be 1:1000 or less.
If privacy is a serious concern, you should consider licensing our onsite, standalone product, which does not send any information back to our servers: http://www.scientiamobile.com/license
Edit
Also, please note that the following headers are explicitly discarded before logging:
COOKIE
X-FORWARDED-PROTO
X-FORWARDED-PORT
CONNECTION
CACHE-CONTROL
PRAGMA
HOST
AUTHORIZATION
Thanks,
Steve Kamerman
ScientiaMobile
Make sure you check out our WURFL Cloud, WURFL InSight and WURFL InFuze products!
Re: Http Request Security
Hi Steve,
> kamermans wrote: Using SSL would be an idea, but our experience is that performance suffers significantly due to the security handshaking. We store the request with some HTTP headers for quality control and for discovering new and improperly detected devices.
Thanks very much for your prompt reply.
Just to clarify, if I'm dealing with a form post and the Cloud API only passes the http header, would I be correct in saying that the data from my form will not be sent in the API call? Apologies, I don't currently have access to the app to debug in Fiddler to see what's being sent across in the request. If no posted form data is included then I'm happy from a security perspective. Also, if you could clarify exactly what you store when you say "we store the request with some HTTP headers".
Also, is SSL a configurable option with the cloud solution?
Finally, does a method exist which just takes the User Agent info as an argument?
Thanks again for your help.
Re: Http Request Security
> would I be correct in saying that the data from my form will not be sent in the API call
You are correct. In the case of a form, the variables are sent in the HTTP message body or the request URI, but they do not appear in the HTTP headers.
> Also, if you could clarify exactly what you store when you say "we store the request with some HTTP headers"
Yes, here is an example of what we store:
"headers" : {
    "Accept-Encoding" : "gzip",
    "User-Agent" : "Dalvik/1.4.0 (Linux; U; Android 2.3.2; LT15i Build/3.0.A.2.181)"
},
SSL is not currently available, but this is not the first time we have had a request for it, so we may choose to implement it in the near future (we'll post back here to notify you).
With a premium account, you can create a ScientiaMobile.WurflCloud.Request.WurflCloudRequest object, set its user agent and pass that to the DeviceInfo() method for evaluation.
Thanks,
Steve Kamerman
ScientiaMobile
Make sure you check out our WURFL Cloud, WURFL InSight and WURFL InFuze products!
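Added example (not part of the original thread and not ScientiaMobile's code): one way to keep sensitive headers inside the ASP.NET app is to copy only allowlisted headers into a fresh collection before anything is handed to a third-party client. `OutboundHeaderFilter`, `Minimize` and the sample values are hypothetical; passing the result to the WURFL client is not shown because the thread gives no API detail beyond the class name.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;

public static class OutboundHeaderFilter
{
    // Headers the thread shows in the vendor's stored sample.
    // Assumption: extend only with headers the detection vendor documents.
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "User-Agent", "Accept-Encoding" };

    // Headers the vendor lists as discarded before logging; keep them off
    // the allowlist so they are never transmitted at all.
    private static readonly string[] NeverForward =
    {
        "Cookie", "X-Forwarded-Proto", "X-Forwarded-Port", "Connection",
        "Cache-Control", "Pragma", "Host", "Authorization"
    };

    // Returns a copy holding only allowlisted headers; 'dropped' receives the
    // names (never the values) of everything withheld, for audit logging.
    public static NameValueCollection Minimize(NameValueCollection incoming, out List<string> dropped)
    {
        foreach (var name in NeverForward)
            if (Allowed.Contains(name))
                throw new InvalidOperationException("Sensitive header on allowlist: " + name);

        var outbound = new NameValueCollection();
        dropped = new List<string>();
        foreach (string name in incoming.AllKeys)
        {
            if (name != null && Allowed.Contains(name)) outbound[name] = incoming[name];
            else dropped.Add(name ?? "(null)");
        }
        return outbound;
    }

    public static void Main()
    {
        // Constructed sample headers for a form POST; values are placeholders.
        var incoming = new NameValueCollection
        {
            { "User-Agent", "Dalvik/1.4.0 (Linux; U; Android 2.3.2; LT15i Build/3.0.A.2.181)" },
            { "Cookie", "session=constructed-value" },
            { "AUTHORIZATION", "Basic constructed-value" },
            { "Host", "shop.example.test" }
        };
        var outbound = Minimize(incoming, out var dropped);
        Console.WriteLine("forwarded: " + string.Join(", ", outbound.AllKeys));
        Console.WriteLine("withheld:  " + string.Join(", ", dropped));
    }
}
```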