The purpose of this question is to confirm (or not) my understanding of the purpose of W3C Access Control. If I'm reading this correctly, it allows a resource to control who can access it from a page loaded from some other resource. It does not protect a page against malware injection making cross-script requests. In other words, any bad hat can create a (e.g.) restful service that cheerfully accepts stolen information, so long as it returns the headers from this spec to tell that browser that it is happy to do so. Have I missed anything?
Your understanding sounds correct. The CORS spec only details how code from one domain can access data from another domain, thereby getting around same-domain restrictions. The same security considerations as any other web request are still in effect with CORS, and you should trust the remote server you are loading data from. If you are implementing CORS on the server side, you should not rely on CORS as your sole security mechanism. If giving access to some protected resource, you should layer an auth mechanism such as OAuth2 on top of your CORS requests.
Related
My web app is not publicly available and will be used by certain verified users within a firewall.
Do I need to worry about CSRF?
Reading about the CSRF attacks and the below:
From Spring documentation:-
18.3 When to use CSRF protection
When should you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
I believe apps hosted publicly are more susceptible.
Thank you in advance!
Naturally I do not know the exact circumstances or environment you are dealing with; so I can't say beyond a reasonable doubt here.
Your risk factor is definitely low, being that the web app it is not publicly accessible, behind firewalls, verified users. But it depends on what your app is doing.
I've found that XSRF or CSRF protection is only needed for domains that use cookies. Every request to your site carries your cookies even if the request comes from a web page not controlled by you. It is most important when you are modifying state on the server but there are cases where it can be useful even in cases where state is not changed.
This guide here contains a short tutorial on XSRF and how to avoid it, and allows you to actually try it out.
CSRF is one of the attacks that is actually used to bypass firewalls. So it sounds like you do need protection if authentication in your app relies on something sent automatically by the browser (eg. session cookies). If authentication tokens are not sent automatically (you have explicit Javascript to attach them to requests, like request headers), then you are inherently protected from CSRF.
In case of CSRF, the unsuspecting victim user, while being logged in to your (internal) application visits a malicious external site. That site then creates a request (eg. POSTs) the user to your apps internal url, with appropriate parameters to do something your user didn't want. As cookies are sent automatically to the destination domain, the request will be valid and processed by your app (even in case of javascript, mostly).
Notice that the user doing the internal request is your victim user with access to the internal resource. So the firewall is bypassed, the victim's browser was tricked into making the request.
Also note that this required knowledge of your app (most probably a targeted attack specifically against your app). That reduces the risk somewhat, but it is still very much a risk from a security perspective. You don't want to rely on security by obscurity, ie. you should assume that attackers know everything about your application except cryptographic secrets, but including endpoints, parameters necessary and so on. That will not always be the case, but you should design for this to make it secure.
I've developed simple REST API using a expressJs. I'm using React as my client side application. So the problem is anyone can see my API endpoints because of react app is in client side. So they will also able to make request and fetch data from my REST API. (May be they will build their own client side apps using my API.) I've seen some question about this and couldn't find any comprehensive answer. How these kind of a security problem should be handled? Is it possible to give the access for API to only my client app? If not how huge brands that using REST API prevent that? (Also I don't have a user authenticating scenario in my product as well. People can just visit and use the website. They don't need to register).
Authentication can be a way but it can be bypassed. Another way is you can create a proxy server which strictly blocks cross origin requests, hence it blocks requests from other domains to make request to your API, and you can make your API call from that proxy server. In this way your API server endpoint will also be not compromised.
If, as you state in your comment, this is about users on your own website being allowed to use your site's API, while disallowing off-site use (e.g. other websites, wget/curl, etc) then you need to make sure to set up proper CORS rules (to disallowed cross-origin use of your API) as well as CSP rules (to prevent user-injected scripts from proxying your API), and you also make sure to only allow API calls from connections that have an active session (so even if you don't want user authentication: use a session managemer so you can tell if someone landed on your site and got a session cookie set before they started calling API endpoints).
Session management and CORS come with express itself (see https://expressjs.com/en/resources/middleware/session.html and https://expressjs.com/en/resources/middleware/cors.html), for CSP, and lots of other security layers like HSTS, XSS filtering, etc, you typically use helmet.
I'm not an advanced security developer (what else is new)
Context : I have a monolith using authn/authz mecanism based on a custom JWT stored inside the angular app and refresh frequently. A bit housemade. I'm breaking my monolith one module at a time. And now is about how to handle the security.
I have :
multiple angular apps
multiple Swing apps
multiple back (a big monolith and multiple classic webapplications)
I would like to switch to openid connect. I can :
put a reverse proxy (nginx, kong, ...) with an oidc plugin creating a virtual protected domain for the backends.
From the SPA viewpoint :
Use of code authorization flow with PKCE
When the SPA sends an http request to the RP , the RP check the JWT, validate it, send a 401 if invalidate/missing header.
the SPA redirects the user to the Idp / login page.
Now I'm a bit lost and need to check the Internet :) : I don't know what is the redirect url (the RP or the SPA ? I was assuming only the RP proxy is registered in the Idp)
When the RP forward the original request , the header x-userinfo is set and the backends only read this one.
For back to back communication, we propagaded the x-userinfo header received.
no reverse proxy and each backend checks Authorization Bearer header and redirect to an Authorization server when invalidate or missing. Each back manages the security concerns (validation, redirection, registration).
As you can see I have a lot of misunderstandings. My questions are :
is reverse proxy a good idea ?
is it easier to put a RP with legacy systems (only one header to check ?)
we're putting authz logic inside a RP .... hmmm...
I don't have all the steps inside my head (how the redirections are handled)
when a Swing app (already logged in) wants to redirect the user to a new feature --> open a browser window to an angular app, is there a way to handle the security or do I need to let the angular app handle this (and perhaps force the user to relog into the Idp to obtain a JWT into its cookie/localStorage ?).
Thank you
1a. The redirect URI is the SPA's web origin and should be what you see in the browser. Redirects always occur in the browser (the front channel).
2a. For newer components aim for a zero trust architecture. In OAuth this just means pass a JWT access token to each API. Aim to avoid passing sensitive data used for authorization in headers.
1b. Reverse proxy is an excellent practice for your APIs - as discussed in this IAM Primer. It may be less useful for static web content though, since you may want to deploy that via a content delivery network.
2b. Each app should get its own tokens and redirect the user once - usually a single sign on. In 2021 it is recommended to use secure cookies in SPAs and these cab contain tokens.
Some generic authorization logic can be done in the RP - that is pretty coomon. The real domain specific authorization should be done in APIs though, using scopes and claims.
SUMMARY
Aim to follow best practices for newer components. The Curity links above explain these in a way that cab work for any provider. Hopefully it gives you some useful pointers.
I'm new to Web API, HTTP and security in general, but I just want to know if this is possible: for a controller to relax security requirements when the HTTP request originated from within the local area network.
My particular application has very low security requirements for clients inside the firewall. For instance, I want internal client apps to be able to make requests of controller actions marked with [AllowAnonymous] so that they don't need to deal with OAuth, etc (which just seems like complete overkill for my internal use scenario).
However, if the same controller actions are available to the public Internet, of course strict security requirements should apply.
Can security be handled differently based on origin? Or is the standard practice to expose both a public-facing and an Internal API?
When you use the [AllowAnonymous] attribute on your controller or action, you tell ASP.NET that it should not check the user's identity at all. That is not what you want for users coming from the internet.
You could remove the [Authorize] attribute from your controller and manually check inside the action if the user is authenticated using:
if (User.Identity.IsAuthenticated || IsLocalUser())
{
// action implementation
}
You can implement this check in a custom authorization attribute.
This still leaves you with the task to determine whether the user is local or coming from the internet. You could check the client IP-address to determine this of course.
Another option would be to enable both Windows authentication and bearer scheme authentication if your local users are part of an Active Directory domain.
Users from your intranet could use Windows authentication to talk to the service, while internet users need to bring a JWT token. This would only work if the client application for users coming from the internet is different than for local users.
DISCLAIMER: I've never tried this last option.
Identifying a request as one from "inside the firewall" isn't always as simple as just investigating the IP address. Although, this may work for you now, it may make it difficult to move environments or modify the environment without affecting application logic.
I would recommend developing a simple middle layer application that simply has the job of calling your main application with enough authorization data to handle security in the same context as your regular app, but this middle layer would in itself not be authorized. You will then just have to make sure that this app is not accessible to users outside of the firewall.
I'm building a browser based application in Javascript. I've tried to access the docusign api via jQuery:
$.support.cors = true;
$.ajax({crossDomain:true, url:"https://demo.docusign.net/restapi/v2"})
I get the error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://demo.docusign.net/restapi/v2?_=1407189114238. This can be fixed by moving the resource to the same domain or enabling CORS.
Accessing other APIs such as yahoo, totally works:
$.ajax({crossDomain:true, url:"https://query.yahooapis.com/v1/public/yql"})
Is there a special thing that I need to do for docusign api? Thanks. (Note: My examples here use blank queries to illustrate whether an api is accessible at all. The actual code uses real queries. This problem is not caused by not having a real query. You can see this yourself by pasting the above url into your browser and see that it returns some xml.)
DocuSign does not support CORS (Cross-Origin Resource Sharing) in its platform. There are too many potential security risks with CORS and for DocuSign to maintain its extremely high level of security and certification compliance it can not support CORS.