
Lambda receives an event with these headers, coming from a request sent to my API Gateway endpoint (source: CloudWatch log).

I wonder why there is no Origin header here, while most other requests to the same API Gateway endpoint have Origin set to my website.

    'headers': {'Cache-Control': 'no-cache',
                'Host': '***.execute-api.us-east-2.amazonaws.com',
                'X-Amzn-Trace-Id': 'Root=1-***',
                'X-Forwarded-For': '***.***.7.182',
                'X-Forwarded-Port': '443',
                'X-Forwarded-Proto': 'https'}

Questions:
1) Does it mean the endpoint was invoked programmatically?
2) Do some browsers not attach the Origin header?
3) How do I identify whether this request was invoked from my website?

Edit:
I believe some of these requests are most probably coming from my website. However, these requests have neither an Origin nor a Referer header, but they do have a User-Agent header.

Questions:
4) Under what circumstances would Origin and Referer not be set? Is there a referrer policy that I can set in my code to ask for Origin and Referer?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Thanks

Jun
  • 1) Yes, it either means the endpoint was called programmatically by some non-browser client code, or else somebody navigated directly to the endpoint URL in a browser (in which case no Origin header is sent). 2) Browsers always send the Origin header if the request is made from frontend JavaScript code using XHR or the Fetch API or an Ajax library. 3) You can check the request headers for any headers that would identify the request as coming from your site; e.g., the Referer header – sideshowbarker Nov 08 '18 at 21:34
  • @sideshowbarker 1) In the case of "navigated directly to the endpoint URL in a browser (in which case no Origin header is sent)": I only set up the POST method, thus the user won't receive anything by navigating to the endpoint URL, right? 2) I see. How did you know about this? From the W3 document? 3) There is no Referer in these requests either. When there is a Referer, there is an Origin as well in the headers, as far as I notice. – Jun Nov 08 '18 at 21:47
  • 1) The user will get whatever response the endpoint is configured to send for GET requests; so if the endpoint only sends success responses for POST requests, I guess that means the user will get an error response. 3) Then you know very clearly that the request was not invoked from your own website. – sideshowbarker Nov 08 '18 at 21:52
  • @sideshowbarker I am reading this doc: https://www.w3.org/TR/cors/#origin-request-header to learn more about CORS I think I can find info regarding your reply to question 2 there – Jun Nov 08 '18 at 21:55
  • Don’t read https://www.w3.org/TR/cors/. It’s obsolete — years out of date. The current CORS requirements are in the https://fetch.spec.whatwg.org/ spec. See also the **When browsers must send the Origin header** section of the answer at https://stackoverflow.com/questions/42239643/when-does-firefox-set-the-origin-header-to-null-in-post-requests/42242802#42242802 – sideshowbarker Nov 08 '18 at 22:00
  • @sideshowbarker And the User-Agent header must be in the request headers if a request comes from a standard browser, right? – Jun Nov 09 '18 at 00:53
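As an added example (not code from the question, the commenters, or AWS), here is a Lambda-side classifier for the proxy event shown above: it looks up Origin, Referer and User-Agent case-insensitively and labels where the request appears to come from, covering the no-Origin case from the question and the `Origin: null` case the linked answer discusses. The allowed origin `https://www.example.com` and the sample events are constructed placeholders.

```python
from urllib.parse import urlsplit

# Placeholder for the site origin the endpoint is meant to serve (assumption).
ALLOWED_ORIGINS = {"https://www.example.com"}

def get_header(headers, name):
    """Case-insensitive lookup: API Gateway keeps whatever casing the client sent."""
    wanted = name.lower()
    for key, value in (headers or {}).items():
        if key.lower() == wanted:
            return value
    return None

def origin_of(url):
    """Reduce a full URL (e.g. a Referer value) to its scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def classify(event):
    """Label a Lambda proxy event by what its headers say about the source.
    Origin/Referer are only meaningful for browsers; a scripted client can set
    or omit them freely, so use the label for logging and metrics, not as auth."""
    headers = event.get("headers")
    origin = get_header(headers, "Origin")
    referer = get_header(headers, "Referer")
    user_agent = get_header(headers, "User-Agent")
    if origin == "null":
        # Browsers send a literal "null" origin for e.g. sandboxed iframes.
        return "null-origin"
    if origin:
        return "same-site" if origin.lower() in ALLOWED_ORIGINS else "cross-site"
    if referer:
        # A Referrer-Policy may strip the path but still leave the origin.
        return ("same-site-referer" if origin_of(referer) in ALLOWED_ORIGINS
                else "cross-site-referer")
    # Neither header: direct navigation, a non-browser client, or a page served
    # with Referrer-Policy: no-referrer. A User-Agent alone settles nothing.
    return "no-origin-with-ua" if user_agent else "no-origin-no-ua"

# Constructed sample events modelled on the question's CloudWatch log line.
EVENT_NO_ORIGIN = {"headers": {
    "Cache-Control": "no-cache",
    "Host": "abc123.execute-api.us-east-2.amazonaws.com",
    "X-Forwarded-For": "203.0.113.7", "X-Forwarded-Port": "443",
    "X-Forwarded-Proto": "https"}}
EVENT_FROM_SITE = {"headers": {
    "origin": "https://www.example.com", "user-agent": "Mozilla/5.0",
    "referer": "https://www.example.com/app"}}
```

`classify(EVENT_NO_ORIGIN)` yields `no-origin-no-ua` and `classify(EVENT_FROM_SITE)` yields `same-site`; a Lambda handler can log the label next to the request id to see how much of the no-Origin traffic carries a Referer at all.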
