CORS - localhost as a legal origin in production

Sometimes, when troubleshooting production errors, it would be convenient to be able to hit our production REST server from the local environment. But I am worried that adding localhost to the permitted origins would pose a security risk. Searches gave conflicting information. Are my concerns valid? Why or why not?

security rest cors webserver

I assume you have

    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: https://localhost

The risk is that any service running on the user's computer can effectively circumvent the Same-Origin Policy for your site.

So if you have a REST URL like

    https://example.com/User/GetUserDetails

A malicious or compromised service running on the user's computer can execute this request through the user's browser and then obtain information about the user, since their authentication cookie will be sent along with the request.

Now you could argue that the malicious service running on the user's computer can simply get the authentication cookie directly from the browser and then execute the request itself. However, if the service has vulnerabilities (say, XSS), this may allow another site to compromise the user through the REST service (evil.example.org --XSS-> localhost --CORS-> example.com/User/GetUserDetails).

Another scenario that could put you at risk is if a user uses a local reverse proxy to access something. This will allow the target site to compromise the user through yours if that target site is malicious or compromised, because the user will be accessing the target site under the localhost domain.

If you really need to do this, I suggest you have a special developer account for your REST service which, when accessed, adds the Access-Control-Allow-Origin: https://localhost header to your requests. That way you do not expose other users to risk, because you know that you only run the front-end server at https://localhost, so you cannot be compromised by the open CORS setup.

Another way could be to use something like noonewouldusethis2859282.localhost for the local copy of your front end. Then you can safely add the header Access-Control-Allow-Origin: https://noonewouldusethis2859282.localhost, because no one else will use this and you will be protected from CORS attacks.


There are no security issues with adding localhost to your CORS setup in production.

By adding something like:

    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: http://localhost:3000

Now the browser is allowed to make calls from localhost:3000 to your service, bypassing the same-origin policy. Any web developer can now create a web page served from their local machine to call your API, which is useful for your team. However, localhost is not a publicly routable address: you cannot link to http://localhost:3000. Remember that CORS is only a security measure for web browsers making calls to your site. Any user can still call your endpoint through server-to-server calls (or a script). However, you should avoid:

    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: *

This will make your website accessible to every website. Instead, lock your Access-Control-Allow-Origin down to the sites that need it. Unfortunately, Access-Control-Allow-Origin takes only one value, so you need to process the request HOST and return the valid one.

CORS Endpoint Authentication

When you make a CORS request that requires authentication, you should add the Authorization header to the call and not pass cookies; fetch does this by default. That way, any calls made to the CORS endpoint will be made using JavaScript, adding the token to the header, which it only has for this session. If you store the token in a cookie or localStorage, note that access to it is per domain. Your production endpoint and localhost will not share the same cookies or local storage.

Disabling CORS in Chrome

Finally, you can make a CORS request from Chrome to any website by launching Chrome with --disable-web-security.

Also, Google Chrome only allows service workers on secure sites and http://localhost. If you decide to create local.example.com for development, you will need to create an SSL certificate and do all the configuration on the local machine to get it working. I recommend using http://localhost:XXXX.
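An added example, not code from any of the answers above, of the per-request allowlist the second answer describes, combined with the developer-account gate from the first answer: the request's Origin is matched against an allowlist and echoed back as the single Access-Control-Allow-Origin value, so a wildcard is never combined with credentials and arbitrary origins are never reflected. The origin values, the DEV_ONLY_ORIGINS set and the isDevAccount flag are assumptions for illustration.

```javascript
// Added example: decide which CORS response headers to send for a request.
// Origins are matched against an allowlist, never reflected blindly.
// Constructed values; replace with your own front-end origins.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // production front end (constructed)
]);

// Origins honoured only when the request is authenticated as a designated
// developer account (the "special developer account" idea from the first answer).
const DEV_ONLY_ORIGINS = new Set([
  "http://localhost:3000",
  "https://noonewouldusethis2859282.localhost",
]);

// origin: value of the request's Origin header (undefined for same-origin or
// non-browser clients). isDevAccount: result of your own authentication check.
function corsHeaders(origin, { isDevAccount = false } = {}) {
  // Vary: Origin keeps shared caches from serving one origin's answer to another.
  const headers = { Vary: "Origin" };
  if (!origin) return headers; // nothing to grant; browser cannot read cross-origin
  // "null" (sandboxed iframes, file://) is never in the allowlist, so it is refused.
  const allowed =
    ALLOWED_ORIGINS.has(origin) ||
    (isDevAccount && DEV_ONLY_ORIGINS.has(origin));
  if (!allowed) return headers; // no ACAO header: the browser blocks the response
  // Exactly one value, and it is the matched origin, never "*" with credentials.
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
  headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
  return headers;
}

// Minimal handler showing where the decision is applied: preflights get an
// empty 204 with the headers, real requests pass through with them attached.
function handleCors(req, isDevAccount) {
  const headers = corsHeaders(req.headers.origin, { isDevAccount });
  if (req.method === "OPTIONS") return { status: 204, headers };
  return { status: 200, headers };
}

module.exports = { corsHeaders, handleCors, ALLOWED_ORIGINS, DEV_ONLY_ORIGINS };
```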


You can also use a browser plugin called Allow-Control-Allow-Origin: *, available in the Chrome Web Store, which will allow CORS requests.

https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en

