1

TLDR: I read that the "origin" header can be set manually for requests, and that CORS policy are only securing browser requests. how can I make my app securely send data to allowed origins ?

I am making a personal server with express that fetches and deliver data from multiple sources to multiple targets, including a static website

On this api I use a few express routes & socket.io, but to keep it simple i am only going to talk about express routes.

I already implemented CORS policy by adding an Access-Control-Allow-Origin header in the response, but I could read that CORS are not enabled for program or server requests (like curl)

So I added a little logic to check if the "origin" header was in my whitelist, like this :

// cors middleware

module.exports = function corsCheck (req, res, next) {
  const origin = req.header("origin")
  const host = req.header("host")
  
  // list of allowed origins
  const allowed = [
    "https://gui3.github.io" 
  ]
  
  res.header({
    // "Content-Type": "application/json",
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept"
  })
  
  if (allowed.includes(origin)) { // here is the cross origin logic
    res.status(200)
    res.header("Access-Control-Allow-Origin", origin)
    next()
  }
  else {
    console.log("403 forbidden request")
    res.status(403)
    
    res.json({
      allowed: false,
      error: "403 forbidden access"
    })
  }
}

and in app.js

// ... express stuff

// send data
app.get("/data", corsCheck, (req, res) => {
  
  res.send(data)
})

// more express stuff

This is working fine for now, but I read here that you can specify a handmade origin at least in curl.

My question is :

How can I be sure of the true origin of a request ? and how can I make my api open to requests that only come from my static website ?

PS : I though of some kind of password in a custom header, but since my site is static, I don't know how to have a secure password in an open source static website.

gui3
  • 1,711
  • 14
  • 30
  • You can implement swagger in your application and there you can define the origins which you want to allow – Shikhar Mar 17 '21 at 15:01
  • thanks @Shikhar , I looked at swagger and it seems like a huge magik opaque box of a framework... I am doing this server for learning purpose so I would like a more lightweight or handmade way to do it... – gui3 Mar 17 '21 at 15:07

1 Answers1

1

It looks like you will need more then CORS for your Problem.

Try to implement an authentication system with A JSON Web Token (https://jwt.io/)(https://www.youtube.com/watch?v=7Q17ubqLfaM) or Sessions (https://www.npmjs.com/package/express-session), because Headers can be set manually and can be unreliable.

If you have the capabilities, also Try to look into HTTPS, it's more secure, this Thread has more Information on that: Enabling HTTPS on express.js

And be sure to have a look at the cors module (https://www.npmjs.com/package/cors)! It can be configured for your needs. Just look into the documentation

Have a nice day!

Schwieriiiiig
  • 103
  • 6
  • 1
    Thanks for the documentation ! I sure will have a look at it ! I was wandering on security topics and I am in the process of adding sessions and maybe TSL, but your links are most welcome! I'll mark your answer as accepted in a few days if nobody comes out with a better one – gui3 Mar 17 '21 at 16:29
  • hope you can do more with it! have a nice one – Schwieriiiiig Mar 17 '21 at 16:39