
I'm developing something for internal use. The risk is that, because our staff are using the same IP, they can send a REST request and insert something into the DB. Even if I minified my script, they can go to the network tab and see the request.

How do I apply CORS in this case?

Maria Jane
  • Sounds like you need to add better security with a login system/password/secret. – epascarello Aug 12 '16 at 13:25
  • CORS won't help you if you can't separate good users from bad based on IP. And actually even if you could, then CORS still won't help you, because people may simply curl you. What you actually need is proper authentication and privileges. **Do not ever** allow unauthorized access to your database. – freakish Aug 12 '16 at 13:25
  • @freakish I'm not talking about authorization to the DB; people who are on the same network can use Postman to do something if they know my REST endpoint, can't they? – Maria Jane Aug 12 '16 at 13:48
  • @MariaJane If you allow anyone to call your app, which then updates your DB, then you have simply allowed unauthorized access to the DB. There's a level of indirection, but it doesn't change the fact. Ultimately every app is just a wrapper around a DB. It might not bite you now, but it will eventually. – freakish Aug 12 '16 at 15:17

1 Answer

You can't.

The Same Origin Policy is there to stop a website you do not trust that is visited by someone you do trust, from using the visitor's browser to make requests to your server and stealing the data from it.

CORS is there to selectively disable the Same Origin Policy when there are third party websites you do trust with the data.

Neither of them solve the problem that you have users who you trust to change your database, but only through the client side UI you give them.

To solve that problem you need better server side authorisation logic.

To take a simple example, if you have a REST API that lets a user delete a comment by sending its ID, then you should also require a username and password (or other form of authentication) to be included in the request, which lets you know who is making the request. Once you know who is making the request, you must check that they are authorised to delete the comment. Typically that would be logic like:

```javascript
// `user` is the identity the server established from the request's credentials,
// not a value the client supplied in the request body.
if (comment.owner === user.id || user.hasRole("admin")) {
    comment.delete();
} else {
    // Authenticated, but not permitted to act on this comment.
    response.status(403).send();
}
```
Quentin
  • Imagine it is like an app where everyone can book a room; how are you going to set a role? Through AJAX I can change your role too. – Maria Jane Aug 12 '16 at 13:47
  • The role will be attached to the user in the database. A user's roles should only be editable by (for example) admin users… so test if the user requesting the change of role is an admin before allowing it. – Quentin Aug 12 '16 at 13:50
  • I think there's a misunderstanding here; my concern is how to prevent people from sending AJAX requests using Postman or whatever, because they are using the intranet, aka the internal network, and our server is internal. – Maria Jane Aug 12 '16 at 14:25
  • "how to prevent people from sending AJAX requests using Postman or whatever" — You cannot. You do not control the client. – Quentin Aug 12 '16 at 14:26
  • "because they are using the intranet, aka the internal network, and our server is internal" — That's irrelevant. It's a network. If you don't trust everybody who has access to that network completely, then you need server side authentication and authorisation. – Quentin Aug 12 '16 at 14:27
  • My internet server is 198.1.0.7, for example, and it's a localhost, which means someone can just look at my AJAX endpoint and use Postman to push something to the DB. – Maria Jane Aug 12 '16 at 14:44
  • @MariaJane — You keep repeating the problem. You can't stop people making requests to your server. I've explained how to fix it. You need the REST API server to implement authentication and authorization. – Quentin Aug 12 '16 at 15:06
  • How do I implement that without using roles? Say it's a game that allows everyone to submit their score; roles don't help in that case. – Maria Jane Aug 12 '16 at 15:44
  • http://stackoverflow.com/questions/7171101/prevent-cheating-on-javascript-game – Quentin Aug 12 '16 at 15:48