I have a web service working on a domain, say www.abc.com. I want to configure my server so that no request coming from another domain (other than www.abc.com) will be accepted. I should not use user authentication or anything related to token-based authentication. So, the only option I can think of is CORS, but I do not exactly know how to use it. Any help would be great.
I am using Node.js and Express.
Don't set a CORS header. Done.
To address your comment: Postman doesn't make Ajax requests, it makes requests. If you don't indicate in Postman that it's an Ajax request, it's just a standard client request.
See also how Postman send requests? ajax, same origin policy for some more details.
I have a Node.js Express server deployed to AWS EBS; the client side, written in React, is deployed to an S3 bucket as a static web page.
I'm working on some sort of sign-up system for a specific service, and I don't want to request credentials from the user, so I guess CSRF / JWT is not going to work.
Is there any way to block all HTTP requests from origins other than the client? Right now, there is a chance someone will just use Postman and make requests to my server, for example creating a user with just an email.
I tried using a private API Gateway, but I couldn't find a way to let the client make requests successfully.
I thought about encrypting the HTTP request payload, but I didn't find any way to store a private key where it is not visible to anyone through the browser...
The origin is just an HTTP header that someone could set, i.e. "spoof", in their Postman requests. You can check the origin to block random scanner bots, but it isn't going to block anyone that is determined. So please don't confuse this as actual security. You could do this with AWS Web Application Firewall attached to your EB load balancer, or just adding a check in your express middleware as in the other answer.
Regarding private API Gateway, that would never work in this scenario, that is only for resources inside a VPC network, and your React app is running in people's web browsers on the public Internet.
Regarding someone creating a user account "with just an email": that is on you to handle. You should be completely validating the request on the server side, with the knowledge that the request may have come from someone using a tool like Postman, since there is no way to totally prevent that in your scenario.
If you want to use API Gateway for this you could try implementing request validation there. You could also attach a Web Application Firewall to the API Gateway. I believe you could also do the origin header check as part of an API Gateway request validator.
You cannot block all HTTP requests, but you can surely reject them by adding a middleware:
const CLIENT_ORIGIN = 'https://<client domain>'; // scheme plus host of your client page

app.use((req, res, next) => {
  // Compare the browser-sent Origin header; req.hostname is the server's own Host header, not the caller's domain
  if (req.get('Origin') !== CLIENT_ORIGIN) {
    return res.sendStatus(403);
  }
  next();
});
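The two answers above agree on the mechanics (compare the Origin header in middleware) and on the caveat (the header is set by the client, so Postman can forge it). The block below is an added example, not code from either answer or from Express itself: it normalises the Origin header before comparing so that `https://www.abc.com.evil.com`, a different scheme or a stray path do not match, and it drives the middleware with a plain request object so you can see both outcomes without starting a server. `ALLOWED_ORIGINS` and every function name are this example's own; `https://www.abc.com` stands in for the asker's domain.

```javascript
// Added example (not code from the original answers): an Origin allowlist for an
// Express-style middleware. Treats the Origin header as a hint only: curl or Postman
// can set it to anything, so this filters browsers and casual bots, not attackers.
// ALLOWED_ORIGINS and all function names below are this example's own.
const ALLOWED_ORIGINS = ['https://www.abc.com']; // assumed client origin

// Normalise an Origin header to "scheme://host[:port]"; null if it is not a bare origin.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null; // "null" = opaque origin
  let u;
  try {
    u = new URL(value);
  } catch {
    return null; // not an absolute URL, e.g. "www.abc.com"
  }
  if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return null;
  return u.origin; // lowercases the host and drops a default port
}

// Exact match after normalisation. "https://www.abc.com.evil.com" and
// "http://www.abc.com" do not match "https://www.abc.com".
function isAllowedOrigin(originHeader, allowlist = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(originHeader);
  if (origin === null) return false;
  return allowlist.some((allowed) => normalizeOrigin(allowed) === origin);
}

// Middleware factory. Requests without a matching Origin get 403; matching ones get
// the CORS response header so the browser lets the page read the reply.
function originAllowlist(allowlist = ALLOWED_ORIGINS) {
  return function (req, res, next) {
    const origin = req.headers['origin'];
    if (!isAllowedOrigin(origin, allowlist)) {
      res.statusCode = 403;
      res.setHeader('Content-Type', 'text/plain');
      res.end('Forbidden');
      return;
    }
    res.setHeader('Access-Control-Allow-Origin', normalizeOrigin(origin));
    res.setHeader('Vary', 'Origin');
    next();
  };
}

// Drive the middleware with a plain request object (no Express needed) and report what happened.
function checkRequest(headers, allowlist = ALLOWED_ORIGINS) {
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    end() {},
  };
  let passed = false;
  originAllowlist(allowlist)({ headers }, res, () => { passed = true; });
  return { passed, status: res.statusCode, headers: res.headers };
}

// Usage with Express: app.use(originAllowlist(['https://www.abc.com']));
```

Two consequences worth knowing before deploying this: browsers omit Origin on same-origin GET navigations, so a strict check like this one also rejects those if the API and page share a host; and a request that carries `Origin: https://www.abc.com` from Postman passes exactly like one from the real page, which is the point the answer above makes about this not being security.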
In my react-admin application, I'm sending two API hits for each create action and I'm not sure why.
Network Tab Data
I have the django REST framework backend running as well, could this be the issue?
Your API is probably on a different domain from the HTML page, so your browser sends a CORS preflight request to the server with the HTTP OPTIONS verb before sending a GET or a PUT. This is absolutely normal and there is nothing you can do to prevent it, apart from putting your API and your webapp on the same domain.
More information about CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
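The answer above explains why the second hit appears; it does not show which requests trigger it or what the server should answer. The block below is an added example, not part of the original answer or of react-admin: `needsPreflight` implements the Fetch spec's "CORS-safelisted" rule in simplified form (the spec additionally caps safelisted header value lengths), which is why a JSON create from react-admin is preflighted while a form POST is not, and `handlePreflight` answers the OPTIONS request with an `Access-Control-Max-Age` so the browser repeats it less often. The `ALLOWED_*` values, the origin `https://app.example.com` and all function names are this example's own.

```javascript
// Added example (not the original answer's code): the rule that decides whether a
// cross-origin browser request is preflighted, following the Fetch spec's
// "CORS-safelisted" method/header lists (simplified: the spec also caps header value
// lengths), plus a handler for the OPTIONS request. ALLOWED_* values and all names
// are this example's own.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// True when a cross-origin request with this method and these author-set headers
// makes the browser send an OPTIONS preflight first. A JSON body always does.
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(String(method).toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true; // e.g. Authorization, X-Requested-With
    if (lower === 'content-type') {
      const essence = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) return true; // e.g. application/json
    }
  }
  return false;
}

const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed web app origin
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Decide the preflight response: 403 for an origin, method or header the API does
// not allow, otherwise 204 with the CORS headers and a cache lifetime.
function handlePreflight(req) {
  const origin = req.headers['origin'];
  const method = String(req.headers['access-control-request-method'] || '').toUpperCase();
  const requested = String(req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const denied = { status: 403, headers: {} };
  if (!ALLOWED_ORIGINS.has(origin)) return denied;
  if (!ALLOWED_METHODS.includes(method)) return denied;
  if (!requested.every((h) => ALLOWED_HEADERS.includes(h))) return denied;
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
      'Access-Control-Max-Age': '600', // browser may reuse this answer for 10 minutes
      'Vary': 'Origin',
    },
  };
}

// Express-style middleware: answer OPTIONS here, let real requests continue.
function corsPreflight(req, res, next) {
  if (req.method !== 'OPTIONS') return next();
  const { status, headers } = handlePreflight(req);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  res.statusCode = status;
  res.end();
}
```

A preflight that fails is answered with 403 and no `Access-Control-Allow-*` headers, so the browser never sends the real request; that is also what you see in the network tab when the second hit is missing rather than doubled. Browsers cap `Access-Control-Max-Age` (Chromium at two hours, Firefox at 24 hours), so the cache reduces preflights but does not remove them.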
Hi, I have a question about Azure Mobile Apps.
Can I confirm the HTTP request, including header, body and URL parameters, in Azure Mobile Apps when troubleshooting?
If yes, how can I confirm that?
For example, let me assume that the client sends an HTTP request to Azure Mobile Apps, and the response is Bad Request (status code 400).
Then I would like to figure out the cause.
First of all, I set [Diagnostics log] - [Web server logging] to Storage in portal.azure.com, and confirmed the IIS log.
But there is no header or body info for the HTTP request.
So I could not find out the cause from that log.
Finally, the problem was solved using client logs taken with Fiddler, and the cause was wrong info in the body of the HTTP request.
Above all, by taking a Fiddler log on the client side, I was able to solve the problem, but I would like to know if there is a way to confirm the HTTP request's header, body and URL parameters on the Azure Mobile Apps side.
You can log the inbound query on the client or server side, or use something like Fiddler. For the server side, just use regular methods for Node.js or ASP.NET - nothing special is needed. For the client side, I documented the process for all platforms on my blog. Although the documentation is for adjusting the HTTP request, it's the same recipe for logging.
I am building a REST API with Sails.js and I want to allow only a specific whitelist of hosts to request it. I know that this can be configured in the CORS config file for browser-to-server requests. But in my case, I need it for server-to-server requests. Thanks
CORS of course can't restrict server-to-server requests because it's applied by the browser. You must specify it in the controller, maybe something like using a special request key or any kind of authentication so that only requesters with a secret key are allowed access.
We followed this project and wired up our MVC application to use the new ADAL bit but we are seeing the following error when the token expires:
XMLHttpRequest cannot load https://login.windows.net/0bccafdb-3696-4344-3269-991d0a93be57/oauth2/autho…QzLTk5MWUtOGE5KRLTIFMYWE3MTliNjU1YMJTLENi00YWIzLTllNDQtYmVmZWU4ZWFjMjQ1. The request was redirected to 'https://login.microsoftonline.com/login.srf?wa=wsignin1.0&wtrealm=https%3a%…ZAEkNmNhNzFiYTUtZWZhOS00YjE0LWExYTYtZjQ5NjgwMzU5NzEz7Q2&wp=MBI_FED_SSL&id=', which is disallowed for cross-origin requests that require preflight.
Related: CORS preflight request responds with 302 redirect in Azure hosted Web API
That sample is not meant to be used with XMLHttpRequest. It is secured via a redirect-based protocol, which in turn requires full browser postbacks for performing authentication operations. That protocol is not designed to work with Web API and AJAX calls, and although it can work for testing purposes, production use will force you into hacks and other bad tactical measures.
If you want to make calls from JavaScript, please consider http://www.cloudidentity.com/blog/2015/02/19/introducing-adal-js-v1/.