
I have a Rails API and I have Rack::Cors set up in my application.rb to prevent requests from any origin other than https://my-website.com as:

config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins 'https://my-website.com'
    resource '*',
             headers: %w[Authorization],
             methods: %i[get post put delete options head],
             expose: %w[Authorization]
  end
end

Additionally I allow websocket connections as:

config.action_cable.url = %r{/wss:\/\/*/}
config.action_cable.allowed_request_origins = 'https://my-website.com'

And lastly I have a status checker for my Application Load Balancer and for that I allow http requests to /status as:

config.force_ssl = true
config.ssl_options = {
  hsts: { subdomains: true },
  redirect: { exclude: ->(request) { request.path =~ /status/ } }
}

So as you can see, every path except /status should be HTTPS only, but I am still getting errors such as the one below in my production error tracker:

#590 ActionController::RoutingError: No route matches [OPTIONS] "/"

In the details I get the source as:

Production attempts

How is it possible for someone to manage to reach my actual route when the origin is not added in my CORS configuration?

anonn023432
  • Someone could use not-a-browser to do an HTTP request to your server. – Pavel Mikhailyuk Jun 26 '19 at 14:09
  • The last line (`OPTIONS /`) is a pretty standard "CORS preflight request" when someone visits `https://ip/` – Pavel Mikhailyuk Jun 26 '19 at 14:10
  • @PavelMikhailyuk and CORS would allow a non-browser request to the server? – anonn023432 Jun 26 '19 at 14:10
  • CORS is not a "protection of the server". It's just "advice" to the browsers. – Pavel Mikhailyuk Jun 26 '19 at 14:12
  • https://stackoverflow.com/questions/4850702/is-cors-a-secure-way-to-do-cross-domain-ajax-requests – Pavel Mikhailyuk Jun 26 '19 at 14:14
  • Thank you for the detailed information and the link. From the link you added it seems like there isn't any way to prevent the requests themselves, and the only thing I can do is to make sure all the relevant requests have authentication blocks in my code. Please let me know if my understanding here is incorrect and there is something I can do to prevent this. – anonn023432 Jun 26 '19 at 14:16
  • Yes, you are right: when you have a public endpoint, anyone can make a request. Moreover, when you have a production app, you see a lot of requests from bots, hackers, etc. in your logs every day. So the only way is to implement authentication. – Pavel Mikhailyuk Jun 26 '19 at 14:55

1 Answer

Rack::Cors only responds to an OPTIONS request if the request has an Access-Control-Request-Method header; if someone issues that request without it, the request will hit your regular routing.

Also note that CORS is only a method for browsers to allow cross-origin requests; anyone can use some non-browser script or tool to forge any requests they want.

Vasfed
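To trace both points of this answer without a Rails app, here is an added example that is neither rack-cors nor the asker's code: a small Rack-style middleware that applies the same preflight test rack-cors uses (OPTIONS plus Access-Control-Request-Method) in front of a stand-in router that only knows `/status`. The allowed origin is the one from the question; `CorsLike`, `APP` and the `request` helper are names assumed here, and answering a rejected preflight with no CORS headers is a simplification.

```ruby
# Added illustration for this answer; it is NOT rack-cors, only a minimal
# Rack-style middleware mirroring the OPTIONS decision rack-cors makes.
ALLOWED_ORIGIN = 'https://my-website.com'.freeze # origin from the question

# Stand-in for the Rails router: only "/status" exists, as in the question.
APP = lambda do |env|
  if env['PATH_INFO'] == '/status'
    [200, {}, ['ok']]
  else # same failure the question's error tracker reports
    [404, {}, ["No route matches [#{env['REQUEST_METHOD']}] \"#{env['PATH_INFO']}\""]]
  end
end

class CorsLike
  def initialize(app)
    @app = app
  end

  def call(env)
    origin  = env['HTTP_ORIGIN']
    allowed = origin == ALLOWED_ORIGIN
    # A request is a CORS preflight only when it is OPTIONS *and* carries
    # Access-Control-Request-Method; that is the test rack-cors applies.
    if env['REQUEST_METHOD'] == 'OPTIONS' && env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
      # Simplification: a preflight from an unlisted origin gets no CORS headers.
      headers = allowed ? { 'Access-Control-Allow-Origin' => origin } : {}
      return [200, headers, []] # answered here; the app never runs
    end
    # Everything else, including a bare OPTIONS, reaches the router and runs.
    status, headers, body = @app.call(env)
    headers = headers.merge('Access-Control-Allow-Origin' => origin) if allowed
    [status, headers, body]
  end
end

STACK = CorsLike.new(APP)

# Builds a Rack env for the cases above (constructed input) and runs the stack.
def request(method, path, origin: nil, preflight: false)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path }
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] = 'GET' if preflight
  STACK.call(env)
end

if __FILE__ == $PROGRAM_NAME
  p request('OPTIONS', '/', origin: ALLOWED_ORIGIN, preflight: true)[0] # 200, browser preflight
  p request('OPTIONS', '/')[0]                                          # 404, bare OPTIONS hits routing
  p request('GET', '/status', origin: 'https://other.example')[0]       # 200, handler still runs
end
```

The third case is the one the comments end on: an unlisted origin changes only the response headers, so the handler behind the route must enforce authentication itself.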