Slashdot Mirror


Google Extends SSL To Developer-Facing APIs

Orome1 writes "Firesheep's authors can be satisfied with the gradual migration towards SSL that most of the biggest social networks, search engines, online shops and others have embarked upon since its advent. Google, which has already taken care of its users and encrypted its Web Search, Gmail and Google Docs, has now turned its attention to the APIs used by developers."

1 of 34 comments

  1. Re:Belt and suspenders by wunderbus · Score: 3, Informative

    If you're using Java servlets, you can include the following in your web.xml:

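    <!-- Redirects all http requests to https. Does not send cookies with the redirect. -->
    <security-constraint>
      <!-- The schema requires web-resource-collection to come first and to carry a name; the name is arbitrary. -->
      <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>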

    <!-- Prevents the application from appending the session ID to the URL.
    Also makes the session cookie secure-only, so that if the user has
    an active session then makes a regular http request to your site,
    the session cookie won't be sent with that request. -->
    <session-config url-rewriting-enabled="false" cookie-secure="true" />
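
An added example (not part of the comment above, and not code from any servlet container): a Python check that parses a `web.xml` and reports whether the settings the comment describes are actually present. It accepts both the attribute form written in the comment and the Servlet 3.0 `<cookie-config>` and `<tracking-mode>` elements; the function names and the two sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _kids(elem, name):
    """Direct children called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, *path):
    """Stripped text of the elements reached by walking `path` from `elem`."""
    nodes = [elem]
    for name in path:
        nodes = [c for n in nodes for c in _kids(n, name)]
    return [(n.text or "").strip() for n in nodes]

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means all three checks pass."""
    root = ET.fromstring(xml_text)
    https_all = cookie_secure = no_url_ids = False
    for sc in _kids(root, "security-constraint"):
        if "CONFIDENTIAL" not in _texts(sc, "user-data-constraint", "transport-guarantee"):
            continue
        for wrc in _kids(sc, "web-resource-collection"):
            # Listing http-method narrows the constraint to those methods only.
            if "/*" in _texts(wrc, "url-pattern") and not _kids(wrc, "http-method"):
                https_all = True
    for cfg in _kids(root, "session-config"):
        # Servlet 3.0 elements, or the attribute form shown in the comment.
        if "true" in _texts(cfg, "cookie-config", "secure") or cfg.get("cookie-secure") == "true":
            cookie_secure = True
        modes = _texts(cfg, "tracking-mode")
        if (modes and "URL" not in modes) or cfg.get("url-rewriting-enabled") == "false":
            no_url_ids = True
    checks = [(https_all, "no CONFIDENTIAL transport-guarantee covering /* for all methods"),
              (cookie_secure, "session cookie is not marked secure"),
              (no_url_ids, "session ID may still be written into URLs")]
    return [message for ok, message in checks if not ok]

# Constructed sample descriptors (not taken from any real application).
HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <session-config><cookie-config><secure>true</secure></cookie-config>
    <tracking-mode>COOKIE</tracking-mode></session-config>
</web-app>"""
WEAK = HARDENED.replace("CONFIDENTIAL", "NONE").replace("<secure>true", "<secure>false")
```

Run it against the deployed descriptor in a build step so that a later edit dropping the constraint or the secure flag fails the build instead of going unnoticed.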