5

I've recently deployed my website and my back-end on the same VPS, using nginx, but now when I do a request with Postman to http://IP:port/route, I get the response from the server from any PC. I think this is not how it's supposed to work. I set the CORS options to origin: vps-IP (so only my domain), but my server still accepts the requests from Postman. Is there any way to prevent my back-end from accepting these requests, limiting the domain to only my domain, AKA my VPS IP? And must the requests bypass nginx first?

Another question is about protecting my website: important request and response headers are showing in the browser network tab, like the Authorization JWT token. Is this normal, or is this some security risk?

Mavi Domates · 4,262 · 2 · 26 · 45
The pyramid · 313 · 1 · 6 · 18
  • What? If your backend wasn't generally accessible, how would your frontend ever work? – jonrsharpe Dec 15 '18 at 20:19
  • They are on the same server, and I want nginx to redirect API calls to localhost, the back-end. – The pyramid Dec 15 '18 at 20:20
  • 1
    The same server might serve the frontend files, but they'll actually be running on the client. They need to be able to hit the backend from there. – jonrsharpe Dec 15 '18 at 20:22
  • I understand, but I'm really new to securing a website after deployment. If anyone knows the IP of the VPS, and it's easy, they can send thousands of requests, not just with Postman. Is this right, or is there nothing I can do about that? – The pyramid Dec 15 '18 at 20:37

2 Answers

10

I think there's a bit of confusion here regarding CORS.

Cross Origin Resource Sharing is not used for desktop client to server / or server to server calls. From the link:

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin. A web application makes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, and port) than its own origin.

So it's a web application (which means through a browser) to server concept, and its actual functionality is implemented by browsers.

  1. Is this normal? Yes, it is. This means that people who are using Postman can make requests to your server, and it's your responsibility to ensure that you're protected against stuff like that. What browsers would do is take a look at what domains you allow your server to be called from, and if it is a different domain trying to access the resource, they will block it. Setting the list of domains that can access your resources is your / your server's responsibility, but enforcing that policy is the browser's responsibility. Postman is not a browser, therefore this functionality isn't needed.

  2. If you are showing/leaking the tokens in the headers (on a different device than the one you authenticated with, or before signing in), that's a serious security problem. If it's happening on the device that you've signed in with, and only after you sign in, then it's expected. This is assuming that you don't leak the information in any other way and designed / implemented it correctly.

  3. There are prevention mechanisms for what you're worried about. And you might be on a service like that without even noticing it: your hosting / cloud deployment provider might have either an implementation or an agreement with another company / tool, so you might already be protected. Best to check!

These

are the first paid services to appear on a quick search, I'm sure there are more. There are also simple implementations which will offer some protection:

Mavi Domates · 4,262 · 2 · 26 · 45
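The answer's third point says simple implementations can offer some protection against floods of requests from a known IP. The following is an added example, not code from the answer or the question: a small sliding-window rate limiter keyed by client address, with an Express-style middleware wrapper. The names `createRateLimiter`, `rateLimitMiddleware` and `simulateBurst` are mine, the sample address is constructed, and the clock is injected so the code runs deterministically without a web framework.

```javascript
// Added example: per-client sliding-window rate limiting (not from the post).

function createRateLimiter(options) {
  var limit = options.limit          // requests allowed per window
  var windowMs = options.windowMs    // window length in milliseconds
  var now = options.now || Date.now  // injectable clock (assumption: ms since epoch)
  var hits = new Map()               // key -> array of request timestamps

  // Returns { allowed, remaining, retryAfterMs } for one request from `key`.
  function check(key) {
    var t = now()
    var stamps = hits.get(key) || []
    // Drop timestamps that fell out of the window so memory stays bounded per key.
    while (stamps.length && t - stamps[0] >= windowMs) stamps.shift()
    if (stamps.length >= limit) {
      hits.set(key, stamps)
      return { allowed: false, remaining: 0, retryAfterMs: windowMs - (t - stamps[0]) }
    }
    stamps.push(t)
    hits.set(key, stamps)
    return { allowed: true, remaining: limit - stamps.length, retryAfterMs: 0 }
  }

  return { check: check }
}

// Express-style middleware: identify the client by req.ip and answer 429 when
// it is over the limit. Assumes the app runs behind nginx with Express's
// `trust proxy` setting enabled so req.ip is the real client, not 127.0.0.1.
function rateLimitMiddleware(limiter) {
  return function (req, res, next) {
    var result = limiter.check(req.ip)
    res.setHeader('X-RateLimit-Remaining', String(result.remaining))
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)))
      res.status(429).json({ error: 'Too many requests' })
      return
    }
    next()
  }
}

// Simulate a burst from one constructed address (203.0.113.5) with a fake clock.
function simulateBurst(count, limit, windowMs) {
  var fakeTime = 0
  var limiter = createRateLimiter({
    limit: limit,
    windowMs: windowMs,
    now: function () { return fakeTime }
  })
  var allowed = 0, blocked = 0
  for (var i = 0; i < count; i++) {
    fakeTime += 10   // 10 ms between requests
    if (limiter.check('203.0.113.5').allowed) allowed++; else blocked++
  }
  return { allowed: allowed, blocked: blocked }
}

console.log(simulateBurst(100, 20, 1000))  // { allowed: 20, blocked: 80 }
```

Wire it in with `app.use(rateLimitMiddleware(createRateLimiter({ limit: 100, windowMs: 60000 })))` before the routes. Since the question already has nginx in front of the back-end, the same limit can be applied there with nginx's `limit_req_zone` and `limit_req` directives, which stops the burst before it reaches Node at all; the in-process limiter is still useful as a second layer, and a single-process Map should be replaced by shared storage if the app runs in several instances.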
6

Nodejs - Express CORS:

npm i --save cors and then require or import according to your use case.

To enable server-to-server calls and REST tools like Postman to access our API:

var express = require('express')   // added: the Express app
var cors = require('cors')         // added: the middleware installed above
var app = express()

var whitelist = ['http://example.com']
var corsOptions = {
  // `origin` is the request's Origin header; it is undefined for clients that
  // send none, such as Postman by default or server-to-server calls
  origin: function (origin, callback) {
    if (whitelist.indexOf(origin) !== -1 || !origin) {
      callback(null, true)   // allow: whitelisted origin, or no Origin header at all
    } else {
      callback(new Error('Not allowed by CORS'))
    }
  }
}

app.use(cors(corsOptions));

To disable server-to-server calls and REST tools like Postman from accessing our API, remove !origin from your if statement:

// same express / cors setup as above
var whitelist = ['http://example.com']
var corsOptions = {
  origin: function (origin, callback) {
    if (whitelist.indexOf(origin) !== -1) {
      callback(null, true)   // allow only a whitelisted Origin header
    } else {
      callback(new Error('Not allowed by CORS'))   // passed to next(err) by the middleware
    }
  }
}

app.use(cors(corsOptions));

It's really easy to implement, and there are many options available with the express cors module. Check the full documentation here: https://expressjs.com/en/resources/middleware/cors.html

Smit Patel · 1,682 · 18 · 23
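To make concrete what the first answer says about browsers being the enforcement point, and what the two variants in the second answer actually decide, here is an added example that is not part of either answer. It reproduces the decision the `cors` package makes when `origin` is a function (the middleware reads the request's Origin header, hands it to the callback, and allows or rejects on the result), but runs with no npm modules installed. `makeOriginCheck`, `evaluate`, `runAll` and the sample requests are my own constructions.

```javascript
// Added example: how the origin callback in the answer treats different clients
// (not from the post). Mirrors the (origin, callback) contract of the `cors` package.

// `allowMissingOrigin` switches between the two variants in the answer:
// true keeps the `|| !origin` clause, false removes it.
function makeOriginCheck(whitelist, allowMissingOrigin) {
  return function (origin, callback) {
    if (whitelist.indexOf(origin) !== -1 || (allowMissingOrigin && !origin)) {
      callback(null, true)
    } else {
      callback(new Error('Not allowed by CORS'))
    }
  }
}

// Simulate one request through the middleware: read the Origin header the way
// the middleware does (absent header -> undefined) and report the decision.
function evaluate(originCheck, headers) {
  var origin = headers['origin']   // undefined when the client sent no Origin
  var decision = null
  originCheck(origin, function (err, allowed) {
    decision = err ? 'reject' : (allowed ? 'allow' : 'reject')
  })
  return decision
}

// Constructed sample requests. A browser sets Origin itself and does not let
// page script change it; Postman sends none unless the user adds one, and the
// user can put any value there.
var sampleRequests = {
  browserFromSite:  { 'origin': 'http://example.com' },
  browserFromOther: { 'origin': 'http://other.example' },
  postmanDefault:   {},
  postmanSpoofed:   { 'origin': 'http://example.com' }
}

function runAll(allowMissingOrigin) {
  var check = makeOriginCheck(['http://example.com'], allowMissingOrigin)
  var results = {}
  Object.keys(sampleRequests).forEach(function (name) {
    results[name] = evaluate(check, sampleRequests[name])
  })
  return results
}

// First variant (`|| !origin`): Postman's default request is allowed because it
// carries no Origin header at all.
console.log('permissive', runAll(true))
// Second variant: the header-less request is rejected, but a client that sets
// Origin to a whitelisted value is still let through. The whitelist is enforced
// only by browsers honouring the response headers, which is the answer's point:
// CORS protects users of your site in their browsers, it is not access control
// for the API. Authentication, rate limiting and input validation still have
// to be done on the server.
console.log('strict', runAll(false))
```

Running it prints `permissive` with `postmanDefault: 'allow'` and `strict` with `postmanDefault: 'reject'`, while `postmanSpoofed` is `'allow'` in both; `browserFromOther` is `'reject'` in both, and that is the case a browser would additionally refuse to expose to page script.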