I have a backend server and I configured CORS filter to allow my frontend server to access backend public api. Now I want start developing mobile app, which also will communicate with backend server, but I can't simply put all origins in my cors filter. Should I set Access-Control-Allow-Origin to * ? If so, will it be secure enough ? I don't keep user sessions, but with every request users send jwt token.
If you are developing your own mobile app, then you will not need to have to change any CORS setting in your backend. Setting Access-Control-Allow-Origin to wildcard i.e * will make it very unsafe as all sites will be able access public APIs from your site. Access-Control-Allow-Origin is used by different browsers such as Chrome, Firefox, Opera etc to verify if the frontend accessing the API from the backend is allowed to access the content. This is check only takes place if your APIs and your frontend are on two different domains or subdomains. Eg foo.com frontend is trying to access content from bar.com then your backend Access-Control-Allow-Origin needs to be set to foo.com.
Related
i am new to AWS, i deployed a MERN application in it as follows:
front end on S3 bucket with web hosting enabled;
backend (node, express and graphql) on an ELB;
these two apps are put behind a cloudfront distribution as origins.
the app works fine but a cookie that i am setting is not received by the browser:
the other thing that is bothering me is that the access-control-allow-origin header is set to * although i have the cors policy set in my app to my particular domain.
the cookies are set in development but once i push the code to the server it does not work.
any help is much appreciated.
I made it work but i am not sure what i exactly did. the thing here is that cloud front doesn't not forward the set-cookie if you don't tell it to do so.
I just needed to update the Cache key and origin requests options that you find when you try to update a behavior like this :
I’ve added * to the Web Origins for my NodeJS Connect client as well as my NodeJS API client. I’ve also added enable-cors: true to my keycloak.json. Even with both of these, I still can’t redirect to Keycloak from my NodeJS API. Note that I'm not using the JS client. The keycloak.protect() function is trying to tell the browser to redirect to Keycloak but it won't because of the missing CORS header. Is there anything else I need to do to enable CORS?
By using Node and Express, can I allow only HTTP REST calling from a specific mobile app?
For security reason, I want to achieve these:
1. Allow only specific IP range. Since both of the app is hosted using Azure website.
2. Allow only connection from specific mobile app.
Use CORS or JSONP
In CORS
For example, to allow http://mozilla.com to access the resource, you can specify:
Access-Control-Allow-Origin: http://mozilla.com
You can check HTTP Headers to get the client ips, see here
Check the ip with your IP list and only return if it is success.
I am building a REST API with sails js and I want to allow only a specific white list of hosts to request it. I know that this can be configured in CORS config file for Browser to Server requests. But in my case, I need it for Server to Server requests. Thanks
CORS of course can't restrict server-server request because it's applied to browser. You must specify it in controller, maybe some kind like using special key request or any kind of authentication that only some requester with some secret key are allowed to access.
I am currently developing an API that will be launched into production in a matter of weeks. I am relatively new to REST, started reading about CORS - and realized that it could impact me.
What conditions will a REST service not be accessible to a client? I have been using sample html/js on the same server, and through Postman - a google chrome addon - to access my API. I have had no issues so far.
When the API goes live, it will be hosted at 'api.myserver.com'. Requests, at the beginning, will come from 'app.myOTHERserver.com'. Will these requests be denied if I do not use a CORS-friendly approach like JSONP or special 'access-control' headers that permit my domain?
What about accessing rest APIs from other non-browser clients? Such as a C# application? Are these requests permitted by default?
Assuming I do need to add 'access-control' headers server-side, to permit the scenario described above when my API goes live, is it better (performance-wise) to let your web server (NGINX in my case) handle the headers, or should I add them through PHP or NodeJS?
This is more about the same-origin policy applied by web browsers than it is about RESTful APIs in general.
If your API is intended to be used by web applications deployed on a different origin host/port than the API, then you have these options:
Respond with appropriate headers that allow for techniques like CORS to work.
Have the web server which serves up your web content (in your example, app.myOTHERserver.com) handle your REST API requests too by proxifying your API requests from the web server through to the API server. For example, you could have your API exposed on your web server under the URL /api, and then it's just a matter of setting up a web proxy configuration that forwards requests under that URL to your API server.
Use JSONP or other techniques.
If your API is going to be used by non-web applications, you have nothing to worry about. This is only a restriction applied by browsers when running JavaScript code to make sure that the user hasn't inadvertently clicked on a phishing link with some hackery in it that tries to send their PayPal password to Pyongyang.
When the API goes live, it will be hosted at 'api.myserver.com'.
Requests, at the beginning, will come from 'app.myOTHERserver.com'.
Will these requests be denied if I do not use a CORS-friendly approach
like JSONP or special 'access-control' headers that permit my domain?
You can specify what clients can access your web service to an extend. Assuming you're using Express: How to allow CORS?