1

Currently my HTTP server has the following configuration:

curl -i http://localhost:3000

    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS
    Access-Control-Allow-Credentials: true
    Access-Control-Max-Age: 86400
    Access-Control-Allow-Headers: X-Requested-With, Access-Control-Allow-Origin, X-HTTP-Method-Override, Content-Type, Authorization, Accept
    Date: Tue, 10 Dec 2013 22:31:40 GMT
    Connection: keep-alive
    Transfer-Encoding: chunked

With respect to the Access-Control entries:

Do these indicate what the server can send and receive?

Am I best to try to reduce this list as much as possible? Would this mean the server is potentially more secure, as there are fewer ways to access it?

thx

Adam
  • That is a good question, and securing a Node server is a little harder than many other servers, such as Apache, where there's a lot of software and documentation available on the subject. I would say that the sent headers don't really matter, and should be of the least concern considering all the other potential risks, such as XSS, CSRF, getting access to the server in some way, etc. – adeneo Dec 10 '13 at 22:46
  • good point they are only sent headers... thx – Adam Dec 10 '13 at 22:52

1 Answer

5

Access-Control-Allow-Origin: *

You could easily restrict this entry to restrict AJAX requests to your site (blocking CORS). This is easy to do and (depending on what you're trying to build) generally a good idea.

Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS

Again, depending on what you're building, this could be limited to only the HTTP methods you intend to use. A basic website likely only needs GET, a content driven site with form uploads would require POST, or a complex API or socket driven site may/will require the others.

Access-Control-Allow-Credentials: true

If you're not handling authentication (or securing anything) then this is irrelevant. If you are securing something, you may want to implement something like in place, and disallow credentials.

Access-Control-Max-Age: 86400

This is simply how long the website response can be cached. This is 24 hours, but on a highly secure site, you may want to limit this to an hour or 30 minutes.

All of this said, while there are a significant number of other security concerns when implementing Node, if you strictly don't require the extra header handling, then there's a benefit in removing them.

  • I'm actually only offering websockets behind nginx... with Access-Control-Allow-Methods - if I remove this line, does that block all methods, or mean all methods are allowed as the line/restriction isn't in place? – Adam Dec 10 '13 at 22:56
  • According to http://stackoverflow.com/questions/20478312/default-value-for-access-control-request-methods I suspect if you don't set it, it will default to allow-all. If you want to restrict it, specify only what you require. – brandonscript Dec 10 '13 at 23:01
  • You're welcome. Highly suggest you read up on SO about securing Node and about CORS as well -- it's a deep topic, but if you're concerned about security, it's a good knowledge to have. – brandonscript Dec 10 '13 at 23:03