Page indexing problem with Google search console - javascript

Recently, I created my first website and registered at Google search console.
The address is https://www.chemjix.com. However, as I always landed on the insecure http address when entering just www.chemjix.com in the address bar, I use the index.html to forward to https and directly to the correct language (English or German). After adding the website to Google search console, I got the message for the http that it is not indexed because of "Soft 404 Website" and "Page with redirect".
Is that a problem and does Google therefore rank my website lower or something like that? And what would be the alternative, do I need to get rid of that redirection?
Thanks a lot
celdri

You should use your hosting provider's tools to setup your domain correctly. You should use only https, as these days this is a must have for websites.
Most providers have some kind SSL or integrated the free Let's Encrypt solution for a real free for life SSL.
If you have a working site in https, you may use the hosting provider's own solution (like in Cloudways for example we have a swith) to redirect every URL to https, or you should use .htaccess redirect rules.
You also can additionally take advantage of Cloudflare not just to domain managament and caching, but to setup, and handle and check full SSL route from user to server.

Related

Google Authentication resulting in origin_mismatch error.

I have done code for getting list of google analytics accounts
and its works fine with a static clientid
I have used this tutorial: Hello Analytics API: JavaScript quickstart for web applications
The problem is:
I want this functionality for all users means my users logged in from their Google Accounts and they all can see their Google Analytics accounts list.
However I am seeing an error: "origin_mismatch"
I want this without set origin because I can not set origin for all users.
Origin mismatch is normally caused by the Javascript origins incorect in the project on google developers console. Check and make sure that the Javascript origins match the domain from which your requests are coming and to which you are returning the user after login in.
Creating a Google API Console project and client ID
In the Authorized JavaScript origins field, enter the origin for your
app. You can enter multiple origins to allow for your app to run on
different protocols, domains, or subdomains. You cannot use wildcards.
In the example below, the second URL could be a production URL.
http://localhost:8080 https://myproductionurl.example.com
Answer: If you are using JavaScript you need to set the origin for the server that you are returning authentication to. There is no way around this. Just add your server and your users will be able to access it. There is no need to set it for each user. The origin is to your server hosting the script.

Ignore HSTS in Chrome app/extension

I'm writing a Chrome packaged app for diagnosing web services. I want to be able to send a GET request to a URL and look at the headers and data in the response.
My problem is if a users visits a site that has the HSTS header set before using my app, my app will then be unable send GET requests to the http:// URLs for that domain because Chrome will automatically convert the http:// URLs to https:// ones before the request is sent out.
Is there anything at all I can do to prevent this? I've looked into the webrequest API and webview tag but I'm finding nothing that lets me ignore HSTS.
Is it possible to use https://developer.chrome.com/apps/sockets_tcp for this (I would need to be able to support http, https and gzipped data)?
Is there anything at all I can do to prevent this?
Probably not. If you already tested <webview> and it shares the HSTS list with the browser, then the network layer will transparently rewrite this for you.
Is it possible to use chrome.sockets.tcp for this?
Technically, yes, HSTS shouldn't matter for that. Practically, you would need to implement something like wget+SSL+gzip from ground up (in JS, NaCl or a Native Host - but in the latter case you don't really need built-in sockets).

Error: origin_mismatch when authorizing embed API for Google Analytics

I'm trying to implement a statistics dashboard from google analytics in a 3rd party CMS and I'm running into some problems. I'm trying to use googles embed API to build my dashboard and run into this error when I try to authenticate my account:
Error: origin_mismatch
I have looked around for a solution and found out it was because of a missing www. pretty quick. The thing is that I filled out the right URL in googles developer console and still have no luck. Does anyone know how I can fix this to work properly?
Error: origin_mismatch
Application: CMEZ Analytics
You can email the developer of this application at: email#email.com
Request Details
=
from_login=1
response_type=code token id_token gsession
scope=https://www.googleapis.com/auth/analytics.readonly https://www.googleapis.com/auth/userinfo.email
redirect_uri=postmessage
cookie_policy=single_host_origin
proxy=oauth2relay482041337
include_granted_scopes=true
origin=http://cmez.eu
state=458516662|0.59538506
as=1d7def2550073266
client_id=[censored]
authuser=1
hl=nl
That’s all we know.
The origin_mismatch errror is probably caused by the Javascript origins not being set correctly in the Google Developer console for your project. The Javascript origins must match the domain from which your requests are coming and to which you are returning the user after sign in.
Note: A common mistake here is to add javascript origins for http:// but not https:// (or vice versa). You must also include the port number of your server in the javascript origins if a port number appears in the url.
Documentation info
In the Authorized JavaScript origins field, enter the origin for your
app. You can enter multiple origins to allow for your app to run on
different protocols, domains, or subdomains. Wildcards are not
allowed. In the example below, the second URL could be a production
URL.
http://localhost:4567
https://myproductionurl.example.com

Google Analytics - treat https and http as a single "property"

I have a site on which users are supposed to jump back and forth between protocols (http vs https). For example, they may land on https://example.com/index.html, and then click through to http://example.com/test.html.
In order to accurately gauge the user behavior flow on google analytics, I need to treat both of these protocols as one single property in my GA setup.
google, however, makes you select a single protocol when defining a new web property. What is the best way to handle this? Let's assume https is my default - how can I trigger a pageview from the http site and have it be counted towards the https site's analytics?
I know there is a forceSSL option, but there is not much documentation around that:
By default, Google Analytics will match the protocol of the host page
when sending outbound requests. To force Google Analytics to always
send data using SSL, even from insecure pages (HTTP), set the forceSSL
field to true
Will this accomplish what I'm looking to do? Sending the data via SSL does not necessarily correlate to them recording the data as an SSL event.
My understanding of this issue is the following:
As far as Google is concerned, your HTTP and HTTPS properties ARE two separate entities.
The only way to lump them together is to force the entire site to use SSL, thus removing the HTTP property.
If this is an option, it will have the added benefit of increasing your search ranking.

Shopping Cart with Backbone.js on HTTPS page issue?

just wondering if there could be any issue building a shopping cart using Backbone.js and more specifically if there were any security issues using hash-bangs over HTTPS?
Also I guess I can POST credit card details through AJAX, correct?
Cheers,
You still need robots.txt to keep your urls from being indexed, even if you're using HTTPS. The #! (hashbang) as opposed to # (hash) provides a way to index sites by their url fragment. Instructions for disallowing are on the google page about indexing hashbang. In practice you likely won't have to worry about it because google's crawlers aren't authenticated and won't index an error. But if a Google Toolbar is installed the URLs with fragments may be sent to Google before Google determines that the URL+fragment will not be indexed. To simplify things, you could use # instead of #! after logging in; a # deep link will not be indexed.
If a request is made through HTTPS, it's encrypted, whether it's AJAX or not. If your backbone model url starts with https://, it will either send it encrypted or fail. From a network eavesdropping perspective, it's the same as posting without AJAX.

Categories