1

I've set up a remote, hosted JavaScript server (DreamFactory Server, http://www.dreamfactory.com/) that responds via REST APIs.

Locally, I'm running an AngularJS application through the grunt web server via `$ grunt serve` (https://www.npmjs.com/package/grunt-serve).

I have set up CORS on the remote server to allow '*' for multiple http:// connection types. THIS WORKS CORRECTLY.

My question is how I can limit the CORS configuration to only allow a connection from my home, grunt web server?

I've tried to create an entry for "localhost", "127.0.0.1", also my home Internet IP that is reported from whatismyip.com, the dns entry that my provider lists for my home IP when I ping it, a dyndns entry that I create for my home internet IP... None of them work, except for '*' (which allows any site to connect).

I think it is an educational issue for me to understand what that CORS entry should look like to allow ONLY a connection from my home web server.

Is this possible? If so, what and where should I be checking in order to find the correct entry to clear in the CORS configuration?

-Brian

  • A good place to start is reading the docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS You could put some sort of `Auth` header in your requests and only provide CORS headers if that auth header exists – charlietfl Jul 27 '15 at 02:35
  • Thanks for the link. I don't really need to add in any Auth headers, the DreamFactory environment can do that natively (and I am using them). I think that it may have to do with the origin value that is transmitted with the request. From the link above: "Note that now, no domain other than http://foo.example (identified by the ORIGIN: header in the request) can access the resource in a cross-site manner. The Access-Control-Allow-Origin header should contain the value that was sent in the request's Origin header." – Brian Fisher Jul 28 '15 at 03:36

2 Answers

1

To work and actually apply restrictions, the client requesting the connection must support and enforce CORS. In an odd sort of way (from a security point of view), restricting access using CORS requires a self-policing client (one that follows the prescribed access rules). This works for modern browsers, as they all follow the rules, so it generally works for applications that are served through a browser.

But, CORS access restrictions do not prevent other types of clients (such as any random script in any language) from accessing your API.

In other words, CORS is really about access rules from web pages that are enforced by the local browser. It doesn't sound like your grunt/angular code would necessarily be something that implements and enforces CORS.


If you really want to prevent other systems from accessing your DreamFactory Server, then you will need to implement some server-side access restrictions in the API server itself.

If you just have one client accessing it and that client is using "protected" code that is not public, then you could just implement a password or some sort of logon credentials and your one client would be the only client that would have the logon credentials.

If the access is always from one particular fixed IP address, you could refuse connections on your server from any IP address that was not in a config file you maintained.

jfriend00
  • Thank you. I think that you may be correct in that the grunt/angular development webserver is the issue. The odd part is that by clearing the '*' entry on the DreamFactory server, I can connect without any CORS problems. However, if I try to specify the domain then it won't work. I thought it may just be a matter of finding the right domain or IP address to list. But, it may just not work from a non-production server with the correct configuration? – Brian Fisher Jul 28 '15 at 03:19
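The following is an added example, not code from the question, the answer or DreamFactory. It shows in plain Node.js what a server actually decides when it sees an `Origin` header: which value of `Access-Control-Allow-Origin` to echo, and the fact that the resource is served with status 200 no matter what, because CORS headers only tell a conforming browser whether the calling page may read the response. The allowlist values are assumptions (a browser sends `Origin` as `scheme://host[:port]`, and port 9000 is a guess for the grunt dev server); names such as `serve` and `browserCanRead` are this example's own.

```javascript
// Added example (not from the question, the answer or DreamFactory):
// origin allowlisting on the server, and what it does and does not protect.
// Plain Node.js, no dependencies.

// A browser sends Origin as scheme://host[:port] with no path, so the allowlist
// must hold values of exactly that shape.  "localhost" or "127.0.0.1" on their
// own can never match.  Port 9000 is an assumption for the grunt dev server.
const ALLOWED_ORIGINS = ['http://localhost:9000', 'http://127.0.0.1:9000'];

// Exact, case-sensitive string match.  No prefix or substring matching: that is
// how an origin like "http://localhost:9000.evil.example" slips past a sloppy check.
function isAllowedOrigin(origin) {
  return ALLOWED_ORIGINS.includes(origin);
}

// CORS headers for a response, or none.  The value echoed is the request's own
// Origin, never '*': '*' means "any page may read this".
function corsHeadersFor(origin) {
  if (typeof origin !== 'string' || !isAllowedOrigin(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',   // caches must key the response on the Origin header
  };
}

// Minimal handler over { headers } returning { status, headers, body }.
// The status is 200 regardless of Origin: CORS never refuses to serve.  A
// client that is not a browser (curl, a script) sends no Origin at all and
// simply receives the data, which is the point made in the answer above.
function serve(req) {
  const origin = req.headers.origin;
  return {
    status: 200,
    headers: Object.assign({ 'Content-Type': 'application/json' }, corsHeadersFor(origin)),
    body: JSON.stringify({ data: 'the resource' }),
  };
}

// What a conforming browser does with the response for a page at `pageOrigin`:
// the page may read it only if the server echoed that origin (or '*').
function browserCanRead(pageOrigin, response) {
  const allow = response.headers['Access-Control-Allow-Origin'];
  return allow === '*' || allow === pageOrigin;
}

module.exports = { isAllowedOrigin, corsHeadersFor, serve, browserCanRead };
```

Wiring `serve` into `http.createServer` is a few lines (copy `req.headers`, call `res.writeHead(status, headers)` and `res.end(body)`); the handler is kept free of sockets here so the three cases (allowed origin, foreign origin, no origin) can be checked directly.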
0

You can't secure an API with CORS; for that you will need to implement an authentication scheme on your server. There are essentially 4 steps to do this.

  1. Update the headers your server sends with a few additional Access-control statements.
  2. Tell Angular to allow cross-domain requests.
  3. Pass credentials in your API calls from Angular.
  4. Implement an HTTP Authentication scheme on your web server or in your API code.

This post by Georgi Naumov is a good place to look for details of an implementation in Angular and PHP: "AngularJS $http, CORS and http authentication".

Community
  • That is a good point. I'm not trying to use CORS to authenticate it though... just to allow a remote web server (my local grunt server in this case) to connect to it. Once I can connect, I can run the Authentication schemes built into DreamFactory. This all works if I clear * on the remote DreamFactory server's CORS configuration. It doesn't work if I try to clear anything else but '*'. I thought that there may be a specific entry that would clear it for my grunt server accessing from home? – Brian Fisher Jul 28 '15 at 03:31