zowe / sample-spring-boot-api-service

Zowe REST API service SDK and sample API service that integrates with Zowe API Mediation Layer

Cannot Bypass Privacy Error in Chrome for Swagger UI #64

Closed dkelosky closed 4 years ago

dkelosky commented 4 years ago

I'm not sure if there was a change in the repo or in Chrome, but when I attempt to see the Swagger UI for a service deployed to z/OS in my browser I now get this error (which I can no longer bypass in Chrome):

image

Has there been some change to cause this?

dkelosky commented 4 years ago

I'll casually experiment why https://github.com/zowe/sample-spring-boot-api-service/blob/master/zowe-rest-api-sample-spring/src/main/java/org/zowe/sample/apiservice/config/WebSecurityConfig.java#L34 doesn't seem to take effect here.

plavjanik commented 4 years ago

The sample application should not set HSTS headers. If it does then it is a bug. I do not think that the sample does that. It can be set by another app running on the same host because this setting applies to the host and the port is ignored.

There are two options as a workaround:

  1. Remove the setting using the procedure in https://www.ssl2buy.com/wiki/how-to-clear-hsts-settings-on-chrome-firefox-and-ie-browsers
  2. Open a new incognito window in your browser

It would be good to find out what service sets it. HSTS is a useful mechanism on production servers since it enforces HTTPS to be required by modern browsers. But it can be limiting on development systems since it forbids self-signed certificates and HTTP connections which can be useful during development.
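An added example, not part of the thread or of the project's code: a small model of the browser-side HSTS store that shows why a header sent by a different service on the same host blocks the certificate bypass for the sample service, and how to trace which response set it. The host name, ports and responses are constructed; the rules modelled (HTTPS only, no TLS errors, `max-age=0` clears the entry, port ignored) follow RFC 6797.

```python
from urllib.parse import urlsplit

# Constructed sample: (URL, response headers, TLS validated without errors).
# Host name, ports and paths are made up for illustration.
RESPONSES = [
    ("https://zos.example.test:10080/swagger-ui.html", {}, False),
    ("https://zos.example.test:7554/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, True),
    ("http://zos.example.test:8080/", {"Strict-Transport-Security": "max-age=600"}, True),
]

def parse_sts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing or invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def build_store(responses):
    """Model the browser's HSTS store: one entry per host name, port ignored."""
    store = {}
    for url, headers, tls_ok in responses:
        parts = urlsplit(url)
        policy = parse_sts(headers.get("Strict-Transport-Security", ""))
        # The header is honoured only over HTTPS with no certificate errors.
        if parts.scheme != "https" or not tls_ok or policy is None:
            continue
        if policy[0] == 0:
            store.pop(parts.hostname, None)  # max-age=0 removes the entry
        else:
            store[parts.hostname] = {"set_by": url, "include_subdomains": policy[1]}
    return store

def hsts_source(store, url):
    """Return the URL whose header puts `url` under HSTS, or None."""
    labels = urlsplit(url).hostname.split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry and (i == 0 or entry["include_subdomains"]):
            return entry["set_by"]
    return None
```

Here `hsts_source(build_store(RESPONSES), "https://zos.example.test:10080/swagger-ui.html")` points at the service on port 7554, even though the service on port 10080 never sent the header.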

dkelosky commented 4 years ago

Hi Petr,

Option 2 worked for me, but I don't really understand why. I'll close this in the meantime and later adjust my Chrome config.

Thank you, Dan