Why should someone block all methods other than GET and POST in a RESTful application?











up vote
7
down vote

favorite
1












TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application is security hardened, pen-tested and powered by popular security frameworks.



In other words, if I allow deletion of a record via DELETE or POST by an authorized user (checking he has access to that record, auditing, etc), what is the difference from the security standpoint?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 

    <web-resource-collection> 

        <web-resource-name>restricted methods</web-resource-name> 

        <url-pattern>/*</url-pattern> 

        <http-method>CONNECT</http-method> 

        <http-method>PUT</http-method> 

        <http-method>DELETE</http-method> 

        <http-method>OPTIONS</http-method> 

        <http-method>TRACE</http-method> 

    </web-resource-collection> 

    <user-data-constraint> 

        <transport-guarantee>CONFIDENTIAL</transport-guarantee> 

    </user-data-constraint> 

    <auth-constraint /> 

</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.






web-application http rest







share|improve this question




















  • 1




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    6 hours ago






  • 1




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    3 hours ago















up vote
7
down vote

favorite
1












TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application is security hardened, pen-tested and powered by popular security frameworks.



In other words, if I allow deletion of a record via DELETE or POST by an authorized user (checking he has access to that record, auditing, etc), what is the difference from the security standpoint?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 

    <web-resource-collection> 

        <web-resource-name>restricted methods</web-resource-name> 

        <url-pattern>/*</url-pattern> 

        <http-method>CONNECT</http-method> 

        <http-method>PUT</http-method> 

        <http-method>DELETE</http-method> 

        <http-method>OPTIONS</http-method> 

        <http-method>TRACE</http-method> 

    </web-resource-collection> 

    <user-data-constraint> 

        <transport-guarantee>CONFIDENTIAL</transport-guarantee> 

    </user-data-constraint> 

    <auth-constraint /> 

</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.






web-application http rest







share|improve this question




















  • 1




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    6 hours ago






  • 1




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    3 hours ago













up vote
7
down vote

favorite
1









up vote
7
down vote

favorite
1






1





TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application is security hardened, pen-tested and powered by popular security frameworks.



In other words, if I allow deletion of a record via DELETE or POST by an authorized user (checking he has access to that record, auditing, etc), what is the difference from the security standpoint?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 

    <web-resource-collection> 

        <web-resource-name>restricted methods</web-resource-name> 

        <url-pattern>/*</url-pattern> 

        <http-method>CONNECT</http-method> 

        <http-method>PUT</http-method> 

        <http-method>DELETE</http-method> 

        <http-method>OPTIONS</http-method> 

        <http-method>TRACE</http-method> 

    </web-resource-collection> 

    <user-data-constraint> 

        <transport-guarantee>CONFIDENTIAL</transport-guarantee> 

    </user-data-constraint> 

    <auth-constraint /> 

</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.






web-application http rest







share|improve this question















TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application is security hardened, pen-tested and powered by popular security frameworks.



In other words, if I allow deletion of a record via DELETE or POST by an authorized user (checking he has access to that record, auditing, etc), what is the difference from the security standpoint?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 

    <web-resource-collection> 

        <web-resource-name>restricted methods</web-resource-name> 

        <url-pattern>/*</url-pattern> 

        <http-method>CONNECT</http-method> 

        <http-method>PUT</http-method> 

        <http-method>DELETE</http-method> 

        <http-method>OPTIONS</http-method> 

        <http-method>TRACE</http-method> 

    </web-resource-collection> 

    <user-data-constraint> 

        <transport-guarantee>CONFIDENTIAL</transport-guarantee> 

    </user-data-constraint> 

    <auth-constraint /> 

</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.






web-application http rest




web-application http rest






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 2 hours ago









SeldomNeedy

1114




1114










asked 9 hours ago









usr-local-ΕΨΗΕΛΩΝ

1,006412




1,006412








  • 1




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    6 hours ago






  • 1




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    3 hours ago














  • 1




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    6 hours ago






  • 1




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    3 hours ago








1




1




I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
– Bakuriu
6 hours ago




I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
– Bakuriu
6 hours ago




1




1




Me saying this doesn't help with your problem, but your customer is stupid.
– immibis
3 hours ago




Me saying this doesn't help with your problem, but your customer is stupid.
– immibis
3 hours ago










1 Answer
1






active

oldest

votes

















up vote
13
down vote













I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!




My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • You should do extra security testing to make sure no authentication or access-control bypass vulnerabilities exist via verb tampering. I recommend following the OWASP testing guide.

    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not. For example I believe it's possible to configure webserver front-ends to process HEAD requests without consulting the application-layer, which in some cases could be considered an information disclosure vuln, for example confirming the existence of a secret URL and telling you its content-type.




It sounds like your app is fine and your customer has an overly-zealous security policy.






share|improve this answer























  • I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    8 hours ago











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199776%2fwhy-should-someone-block-all-methods-other-than-get-and-post-in-a-restful-applic%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
13
down vote













I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!




My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • You should do extra security testing to make sure no authentication or access-control bypass vulnerabilities exist via verb tampering. I recommend following the OWASP testing guide.

    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not. For example I believe it's possible to configure webserver front-ends to process HEAD requests without consulting the application-layer, which in some cases could be considered an information disclosure vuln, for example confirming the existence of a secret URL and telling you its content-type.




It sounds like your app is fine and your customer has an overly-zealous security policy.






share|improve this answer























  • I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    8 hours ago















up vote
13
down vote













I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!




My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • You should do extra security testing to make sure no authentication or access-control bypass vulnerabilities exist via verb tampering. I recommend following the OWASP testing guide.

    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not. For example I believe it's possible to configure webserver front-ends to process HEAD requests without consulting the application-layer, which in some cases could be considered an information disclosure vuln, for example confirming the existence of a secret URL and telling you its content-type.




It sounds like your app is fine and your customer has an overly-zealous security policy.






share|improve this answer























  • I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    8 hours ago













up vote
13
down vote










up vote
13
down vote









I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!




My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • You should do extra security testing to make sure no authentication or access-control bypass vulnerabilities exist via verb tampering. I recommend following the OWASP testing guide.

    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not. For example I believe it's possible to configure webserver front-ends to process HEAD requests without consulting the application-layer, which in some cases could be considered an information disclosure vuln, for example confirming the existence of a secret URL and telling you its content-type.




It sounds like your app is fine and your customer has an overly-zealous security policy.






share|improve this answer














I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!




My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • You should do extra security testing to make sure no authentication or access-control bypass vulnerabilities exist via verb tampering. I recommend following the OWASP testing guide.

    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not. For example I believe it's possible to configure webserver front-ends to process HEAD requests without consulting the application-layer, which in some cases could be considered an information disclosure vuln, for example confirming the existence of a secret URL and telling you its content-type.




It sounds like your app is fine and your customer has an overly-zealous security policy.







share|improve this answer














share|improve this answer



share|improve this answer








edited 9 hours ago

























answered 9 hours ago









Mike Ounsworth

38.5k1493137




38.5k1493137












  • I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    8 hours ago


















  • I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    8 hours ago
















I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
– Mike Ounsworth
8 hours ago




I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
– Mike Ounsworth
8 hours ago


















draft saved

draft discarded




















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199776%2fwhy-should-someone-block-all-methods-other-than-get-and-post-in-a-restful-applic%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Le Mesnil-Réaume

Image
Le Mesnil-Réaume Region Normandie Département Seine-Maritime Arrondissement Dieppe Kanton Eu Gemeindeverband Villes Sœurs Koordinaten 49° 58′  N , 1° 27′  O 49.9725 1.4463888888889 Koordinaten: 49° 58′  N , 1° 27′  O Höhe 92–156 m Fläche 5,55 km 2 Einwohner 793 (1. Januar 2016) Bevölkerungsdichte 143 Einw./km 2 Postleitzahl 76260 INSEE-Code 76435 Website http://www.mesnil-reaume.net/ Rathaus (Mairie) und Schule von Le Mesnil-Réaume Le Mesnil-Réaume ist eine französische Gemeinde mit 793 Einwohnern (Stand: 1. Januar 2016) im Département Seine-Maritime in der Region Normandie (vor 2016 Haute-Normandie). Sie gehört zum Arrondissement Dieppe und zum Kanton Eu. Die Einwohner werden Mesnillais genannt. Inhaltsverzeichnis 1 Geographie 2 Bevölkerungsentwicklung 3 Sehenswürdigkeiten 4 Weblinks Geographie | Le Mesnil-Réaume liegt etwa 43 Kilomet
Read more

Ida-Boy-Ed-Garten

Image
Die Lage des Ida-Boy-Ed-Gartens, rot markiert Der Ida-Boy-Ed-Garten Der Ida-Boy-Ed-Garten, Blick von der Wakenitzmauer durch das Tor in der Stadtmauer Der Ida-Boy-Ed-Garten ist eine Straße der Lübecker Altstadt. Inhaltsverzeichnis 1 Lage 2 Geschichte 3 Literatur 4 Weblinks Lage | Der etwa 90 Meter lange Ida-Boy-Ed-Garten befindet sich an der nördlichen Spitze der Altstadtinsel, vor dem Burgtor. Die in einem Bogen durch eine Grünanlage hangaufwärts führende Straße verbindet die Wakenitzmauer mit der Burgtorbrücke. Geschichte | Der heutige Ida-Boy-Ed-Garten wurde ursprünglich als Verlängerung der Wakenitzmauer angelegt. 1903 wurde in den erhaltenen Teil der mittelalterlichen Stadtmauer, an dem die Wakenitzmauer bei der Einmündung der Kaiserstraße begann, ein Tor mit einem großen Bogen für die Durchführung der Straße und zwei kleineren seitlichen Öffnungen für Fußgänger gebrochen, um für die neu errichteten Wohnhäuser in diesem Bereich
Read more

web3.py web3.isConnected() returns false always

Image
1 I am trying an tutorial on web3.py so i created a profile in infura and used its project id.But it shows false always when i try web3.isConnected() PS C:UsersHP> python Python 3.6.3 (v3.6.3:2c5fed8, Oct 3 2017, 18:11:49) [MSC v.1900 64 bit (AMD64)] on win32 Type "help", "copyright", "credits" or "license" for more information. >>> from web3 import Web3 >>> infura_url = "mainnet.infura.io/v3/******************************" >>> web3 = Web3(Web3.HTTPProvider(infura_url)) >>> web3.isConnected() False web3.py share | improve this question
Read more