I'm trying to allow calls made to "/api/whateverEndpoint", while keeping CORS strict for all other calls.
I've come across this link, Whitelisted CORS using Apache, which gives the solution for origin filtering:
# e.g. origin = https://host-b.local
SetEnvIfNoCase Origin "https://host-b.local" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
But I need to adapt this to filter based on the request URI.
Any idea is greatly appreciated.
So you just need to set a variable based on a match against Request_URI, then use that; like this:
SetEnvIf Request_URI "^/api/whateverEndpoint" IsAllowedEndpoint
Header set Access-Control-Allow-Origin "*" env=IsAllowedEndpoint
I deploy my web app with Netlify.
It has a preview environment that looks like this:
"randomonstring33712638126--domaincom.netlify.app"
And I have a Python function on Google Cloud that I want to secure with allow-origin. How can I allow origin for all domains that end with --domaincom.netlify.app?
I tried this, but it seems like it's not working:
ALLOW_ORIGIN = 'https://domain[dot]com/, https://*--domaincom.netlify.app/'
Thank you for any help.
I'm afraid allowing subdomains isn't something you can do with Access-Control-Allow-Origin.
Have a look at the docs: the Allow-Origin can accept
the wildcard, * (any origin)
a specified origin, e.g. https://example.app
or null
For limiting multiple domains it says:
Limiting the possible Access-Control-Allow-Origin values to a set of allowed origins requires code on the server side to check the value of the Origin request header, compare that to a list of allowed origins, and then if the Origin value is in the list, set the Access-Control-Allow-Origin value to the same value as the Origin value.
I am sorting out a website that will be getting pen-tested soon, and we've been asked to add the X-Frame-Options header to our server configuration. When adding the following header it gives me an error message in the console where we are using iframes.
-- nginx header --
add_header 'X-Frame-Options' "SAMEORIGIN";
-- Error --
Refused to display 'https://api.domain.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Obviously I understand the security reasons for this header, but our website has an iframe that we simply cannot change, and it is on a different domain, e.g. oldapp.domain.com rather than api.domain.com.
I would have used the ALLOW-FROM uri directive to allow from this other domain, but this directive is no longer recommended. Is there an alternative to ALLOW-FROM uri that will enable me to simply add a domain that can be allowed to display iframe content?
For all browsers except some older ones (like IE) you should use Content-Security-Policy with the frame-ancestors directive instead. With CSP frame-ancestors you can use wildcards such as *.domain.com or multiple sources: "oldapp.domain.com api.domain.com www.domain.com".
X-Frame-Options ALLOW-FROM only accepts one URI, so you will likely have to dynamically set the URI from a list of allowed hostnames based on the incoming request. Alternatively you can set the value to SAMEORIGIN if you don't need to fully support IE and other outdated browsers, as X-Frame-Options will be disregarded if CSP frame-ancestors is present.
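To make the wildcard and multi-source behaviour of frame-ancestors concrete, here is an added example (not code from the question or the answer) that evaluates a frame-ancestors source list against a candidate embedding origin. It assumes the hostnames from the question and simplifies CSP matching in one respect: a source without a scheme must match the page's own scheme exactly (no http-to-https upgrade rule).

```python
from urllib.parse import urlsplit


def _host_matches(pattern_host, host):
    """CSP host matching: '*.domain.com' covers every subdomain but not the apex."""
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return host == pattern_host


def frame_ancestor_allowed(policy, ancestor_origin, self_origin):
    """Decide whether a page served from self_origin may be framed by a
    document at ancestor_origin, given a frame-ancestors source list.
    Assumption: scheme-less sources must match the ancestor's scheme exactly."""
    anc = urlsplit(ancestor_origin)
    page = urlsplit(self_origin)
    for source in policy.split():
        if source == "'none'":
            return False
        if source == "*":
            return True
        if source == "'self'":
            if (anc.scheme, anc.hostname, anc.port) == (page.scheme, page.hostname, page.port):
                return True
            continue
        if source.endswith(":"):  # scheme-source such as "https:"
            if anc.scheme == source[:-1]:
                return True
            continue
        # host-source, with or without an explicit scheme and port
        src = urlsplit(source if "://" in source else "//" + source)
        scheme_ok = anc.scheme == (src.scheme or page.scheme)
        port_ok = anc.port == src.port
        if scheme_ok and port_ok and _host_matches(src.hostname, anc.hostname or ""):
            return True
    return False


# Constructed policy for api.domain.com, mirroring the question's hostnames.
EXAMPLE_POLICY = "'self' *.domain.com"
EXAMPLE_SELF = "https://api.domain.com"
```

Note that `*.domain.com` does not match the bare apex `https://domain.com`; list it explicitly if the apex also needs to frame the page.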
I'm trying to set Access-Control-Allow-Origin header to all but cannot use wildcard since it's not allowed with allow credentials.
So my solution is to set origin header to whatever the domain is, something like:
Header set Access-Control-Allow-Origin "%{HTTP_REFERER}e"
but that includes URI as well.
How can I strip the URI from HTTP_REFERER so I get https://www.example.com?
Many thanks.
Try this:
SetEnvIf Origin ".+" ACAO=$0
Header set Access-Control-Allow-Origin "%{ACAO}e"
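The answer above (echoing the Origin header) and the earlier Netlify answer (server-side code that compares Origin against a list of allowed origins) both come down to the same routine, so here is one added Python example covering both; it is not code from either answer. It assumes a constructed allowlist: the exact origin https://domain.com plus any single-label host ending in --domaincom.netlify.app, and it echoes the Origin only after that check, adding Vary: Origin so shared caches keep the per-origin responses apart.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example (hypothetical hosts, not real ones).
# Origin values never carry a trailing slash, so the exact entry has none.
ALLOWED_EXACT = {"https://domain.com"}
ALLOWED_HOST_SUFFIXES = {"--domaincom.netlify.app"}


def origin_is_allowed(origin):
    """Return True only for a well-formed https origin that is on the allowlist."""
    if not origin or origin == "null":
        return False
    if origin in ALLOWED_EXACT:
        return True
    parts = urlsplit(origin)
    # A real Origin is scheme://host[:port] with no path, query or userinfo.
    if parts.scheme != "https" or parts.path or parts.query or parts.username:
        return False
    host = parts.hostname or ""
    for suffix in ALLOWED_HOST_SUFFIXES:
        if host.endswith(suffix):
            prefix = host[: -len(suffix)]
            # Exactly one label before the suffix, so neither the bare suffix
            # nor "x.y--domaincom.netlify.app" is accepted; a host such as
            # "x--domaincom.netlify.app.evil.com" never ends with the suffix.
            return bool(prefix) and "." not in prefix
    return False


def cors_headers(request_headers, allow_credentials=True):
    """Build the CORS response headers for one request.

    The exact Origin is echoed back (never "*" when credentials are allowed);
    an Origin that fails the check gets no Access-Control-Allow-Origin at all,
    so the browser refuses to expose the response to that page.
    """
    origin = request_headers.get("Origin")
    headers = {"Vary": "Origin"}
    if not origin_is_allowed(origin):
        return headers
    headers["Access-Control-Allow-Origin"] = origin
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```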
Suppose I have a web application at origin.com. When I browse origin.com it requests cross-site data from datafeed.origin.com. I have the following written in the .htaccess of datafeed.origin.com:
Header set Access-Control-Allow-Origin origin.com
Everything works perfectly up to this point.
What I need is to protect datafeed.origin.com. How can I prevent this domain from being browsed directly from a browser or any other application, and only allow access when it is cross-referenced from origin.com?
You can specify the origin when setting the Access-Control-Allow-Origin header:
Access-Control-Allow-Origin: <origin>[, <origin>]*
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
Looking at your post it looks like you've done this, so cross-origin requests should fail from other domains.
I'm working on an application scan using OWASP and got this report. What I think is that there's a way to configure WAS to include the header in all response headers. Thanks in advance for all your answers.
Vulnerability:
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.
Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Suggested Solution:
Set the "X-Content-Type-Options: nosniff" header for resources (javascript, css, etc.) that are directly served by the web server. This can be done through server configuration so this might involve documentation updates.
Affected URLs / resources:
https://css-acme-tst.usmt0520.lpc.lawson.com/sso/domain.js
https://css-acme-tst.usmt0520.lpc.lawson.com/sso/login.css
What I did so far:
I placed the tags right after the commented-out property modules/mod_headers.so and restarted my app server, but the response header is still the same.
LoadModule headers_module modules/mod_headers.so
<Directory mod_headers.c>
Header always set X-Content-Type-Options nosniff
</Directory>
Try putting it into IfModule or into VirtualHost instead.
I have tried this one and it works fine:
LoadModule headers_module modules/mod_headers.so
<IfModule mod_headers.c>
Header always set X-Content-Type-Options nosniff
</IfModule>