Clarifying CORS – Cross-origin Resource Sharing

Contents

Intro

Access-Control Headers

Rate Limiting

Summary

Intro

Continuing on from my previous blog about website security week, we’re going to talk about a CORS on the web.

CORS is Cross-origin Resource Sharing thi…


This content originally appeared on DEV Community and was authored by Jordan Finneran

Contents

  1. Intro
  2. Access-Control Headers
  3. Rate Limiting
  4. Summary

Intro

Continuing on from my previous blog about website security week, we're going to talk about a CORS on the web.

CORS is Cross-origin Resource Sharing this is often used when your website is hosted separately from your API. e.g. your website is at website.com and calls your API at api.com.
This is a common architectural pattern as it allows each API and website to move independently and faster, however it can introduce some security issues.

Access-Control Headers

To allow CORS requests your API will need to response with certain headers, which allow certain behaviors from your website/frontend.

Access-Control-Allow-Origin

This header can be set with either the origin which will be calling the API, it can only be a single origin.
Otherwise it can be a * however this doesn't allow credentials to be passed, which we will talk about later.

If at all possible prefer setting a specific origin to a *.

Example Usage:

Access-Control-Allow-Origin: https://mozilla.org




Access-Control-Allow-Methods

This header can be set with a list of HTTP Methods that are allowed to be used to contact your API.

Generally speaking OPTIONS will want to be part of this list as any frontend will make a OPTIONS request, often referred to as a preflight request, before it makes the actual request. OPTIONS requests won't be made for GET requests.

It can also be * however, you should be specific if you can.

Example Usage:

Access-Control-Allow-Methods: POST, GET, OPTIONS




Access-Control-Max-Age

This header can be set to a time period that the frontend will cache the preflight OPTIONS request. It is a value in seconds for example 86400 seconds is 24 hours.

Let's say you've set Max-Age to the above, this means that the first request you make from the frontend to the API will make an OPTIONS request and then the actual request. It will subsequently won't have to make another OPTIONS request to that API for 24 hours.

Example Usage:

Access-Control-Max-Age: 86400




Access-Control-Allow-Headers

This header can be set with a list of Headers that are allowed to be passed onto your API.

Example Usage:

Access-Control-Allow-Headers: X-PINGOTHER, Content-Type




Access-Control-Allow-Credentials

This header specifies if to include credentials in the request. Credentials count as cookies, authorization headers or TLS client certificates.

Example Usage:

Access-Control-Allow-Credentials: true




Rate Limiting

You should note that Access-Control-Allow-Origin header only prevents browsers from making requests to the API. It does not prevent calls to your API from other machines, command line, Postman etc.
You should ensure that you have put other security measures in place to prevent misuse of your API, including Authentication and Rate Limiting.

Rate Limiting involves restricting too many calls being made to your API. It can be done in a number of ways depending on how your API is developed. I would look for libraries to help manage this for you.

Summary

In summary, separating your API and website can produce real development benefits however it can introduce security problems and having to deal with CORS.
Hopefully this helps clarify CORS and how you can secure it.

Set those headers now!

Happy Building!


This content originally appeared on DEV Community and was authored by Jordan Finneran


Print Share Comment Cite Upload Translate Updates
APA

Jordan Finneran | Sciencx (2021-06-01T17:56:55+00:00) Clarifying CORS – Cross-origin Resource Sharing. Retrieved from https://www.scien.cx/2021/06/01/clarifying-cors-cross-origin-resource-sharing/

MLA
" » Clarifying CORS – Cross-origin Resource Sharing." Jordan Finneran | Sciencx - Tuesday June 1, 2021, https://www.scien.cx/2021/06/01/clarifying-cors-cross-origin-resource-sharing/
HARVARD
Jordan Finneran | Sciencx Tuesday June 1, 2021 » Clarifying CORS – Cross-origin Resource Sharing., viewed ,<https://www.scien.cx/2021/06/01/clarifying-cors-cross-origin-resource-sharing/>
VANCOUVER
Jordan Finneran | Sciencx - » Clarifying CORS – Cross-origin Resource Sharing. [Internet]. [Accessed ]. Available from: https://www.scien.cx/2021/06/01/clarifying-cors-cross-origin-resource-sharing/
CHICAGO
" » Clarifying CORS – Cross-origin Resource Sharing." Jordan Finneran | Sciencx - Accessed . https://www.scien.cx/2021/06/01/clarifying-cors-cross-origin-resource-sharing/
IEEE
" » Clarifying CORS – Cross-origin Resource Sharing." Jordan Finneran | Sciencx [Online]. Available: https://www.scien.cx/2021/06/01/clarifying-cors-cross-origin-resource-sharing/. [Accessed: ]
rf:citation
» Clarifying CORS – Cross-origin Resource Sharing | Jordan Finneran | Sciencx | https://www.scien.cx/2021/06/01/clarifying-cors-cross-origin-resource-sharing/ |

Please log in to upload a file.




There are no updates yet.
Click the Upload button above to add an update.

You must be logged in to translate posts. Please log in or register.