I created the following...

  1. One backend .NET Core POST API running on IIS
  2. Two UI apps created with Angular CLI, running on ports 8888 and 9999 respectively
  3. I have enabled CORS in the .NET Core application

While integrating CORS in .NET Core, I have added the following to Startup.cs

Startup.cs

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    // Name of the CORS policy registered in ConfigureServices and required on the endpoints below.
    readonly string _allowSpecificOrigins = "_allowOrigin";

    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddCors(policy =>
        {
            // Only http://localhost:9999 is an allowed origin; any header and any method are permitted.
            policy.AddPolicy(name: _allowSpecificOrigins,
                options => options.WithOrigins("http://localhost:9999").AllowAnyHeader().AllowAnyMethod());
        });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseRouting();
        // Inline policy applied to every endpoint; the named policy is additionally attached below.
        app.UseCors(options => options.WithOrigins("http://localhost:9999").AllowAnyHeader().AllowAnyMethod());
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers().RequireCors(_allowSpecificOrigins);
        });
    }
}

And CORS is working perfectly, as expected. For testing, I have created two Angular applications which are running on two different ports, 8888 and 9999. Port 9999 is configured and allowed in Startup.cs to access the API. So the application on port 9999 can access the API, while the application on port 8888 could not access the API due to a CORS error, as you can see in the responses.

API response when calling from the URL http://localhost:8888

API response when calling from the URL http://localhost:9999

Now the problem is that I can still access the same API from POSTMAN after overwriting all the headers:

  • Accept
  • Accept-Encoding
  • Connection
  • Referer
  • or even User-Agent

Please look at the response received from POSTMAN

Any help is greatly appreciated. Thank you.

  • https://stackoverflow.com/questions/36250615/cors-with-postman – Amith Jul 09 '21 at 08:08
  • Seems your `Startup.cs` implementation for `CORS` is right. `POSTMAN` has some inner functionality to break that, so I would suggest not considering `POSTMAN` in this case; you can try accessing from another `Web App` or `Application`, and `CORS` should be enforced. Let me know if you can access from another application as well, then we could investigate further. – Md Farid Uddin Kiron Jul 09 '21 at 09:56
  • @MdFaridUddinKiron: For testing, I have created two Angular applications which are running on different ports, 8888 and 9999. Port 9999 is configured and allowed in Startup.cs to access the API. So the application on port 9999 can access the API, while the application on port 8888 could not access the API due to a CORS error. – Sukanta Roy Jul 09 '21 at 10:16

2 Answers

1

To protect your API I recommend using a JWT token. You can add [Authorize] to your consumable RESTful APIs and only those who have the tokens will be able to consume the APIs. You can also manage roles and much more with it. For example: [Authorize(Roles = "Admin")] will result in an API consumable only by Admin roles. I recommend you check this out: https://jasonwatmore.com/post/2019/10/11/aspnet-core-3-jwt-authentication-tutorial-with-example-api

0

CORS is enforced by the browser. Tools like POSTMAN don't enforce CORS.

Amith
  • 2
    Also, the Postman call is not cross-origin. Postman can be seen as a machine-to-machine communication. – Silvermind Jul 09 '21 at 08:09
  • So, please let us know how we could protect our APIs from POSTMAN. – Sukanta Roy Jul 09 '21 at 08:13
  • 1
    @SukantaRoy CORS is to protect the user, not your server. If you do not want your APIs to be accessed by unauthenticated users, then you would have to use authentication. – Silvermind Jul 09 '21 at 08:17
  • Yes, thank you for your reply. But we can still overwrite the token and other authorization attributes (maybe taken from another valid authentication) in the header. – Sukanta Roy Jul 09 '21 at 08:25
  • @SukantaRoy Depending on the authentication method, but let's assume a JWT; a JWT is personal, so it should be kept in such a way that it is not easy to get, but also short-lived; you can use refresh tokens to keep your session state, and a token should be validated by issuer and audience. There is much more to it than that, but these are the basic essentials. If you're unsure whether the mechanism is safe you could read into OAuth2 and/or OpenID. – Silvermind Jul 09 '21 at 20:54
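As an added illustration of the point made in this answer and its comments (CORS is enforced by the browser, so only server-side authentication keeps the data from a non-browser client), here is a small Python simulation; it is not code from the question or from ASP.NET Core. The origin check mirrors the question's WithOrigins policy; the signing key, issuer and audience values are constructed for the demo, and the token verifier applies the issuer, audience and expiry checks the last comment describes.

```python
import base64, hashlib, hmac, json, time
ALLOWED_ORIGINS = {"http://localhost:9999"}   # mirrors the question's WithOrigins(...)
SECRET = b"constructed-demo-signing-key"      # hypothetical HS256 key, constructed for the demo
ISSUER, AUDIENCE = "demo-issuer", "demo-api"  # hypothetical iss/aud values

def cors_headers(req):
    # Server side of CORS: name the allowed origin in the response; never refuse to answer.
    origin = req.get("Origin")
    return {"Access-Control-Allow-Origin": origin} if origin in ALLOWED_ORIGINS else {}

def api_without_auth(req):
    # The API as in the question: the body is returned to every caller, browser or not.
    return {"status": 200, "headers": cors_headers(req), "body": {"secret": "payroll"}}

def browser_can_read(resp, page_origin):
    # Browser side of CORS: a page script may read the body only if the server named its origin.
    return resp["headers"].get("Access-Control-Allow-Origin") == page_origin

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims, key=SECRET):
    # Minimal HS256 token issuer (demo only) so a valid token can be minted for the test.
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token, key=SECRET, now=None):
    # Claims are returned only if signature, issuer, audience and expiry all check out.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()  # HS256 always; 'alg: none' cannot skip this
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims

def api_with_auth(req, now=None):
    # Hardened API: same CORS headers, but the body is released only to a valid bearer token.
    auth = req.get("Authorization", "")
    claims = verify_jwt(auth[7:], now=now) if auth.startswith("Bearer ") else None
    if claims is None:
        return {"status": 401, "headers": cors_headers(req), "body": None}
    return {"status": 200, "headers": cors_headers(req), "body": {"secret": "payroll", "sub": claims["sub"]}}
```

Run with a request carrying `Origin: http://localhost:8888` and the server still returns the body; it is `browser_can_read` that says no, and a client without a browser has no such check, so only `api_with_auth` actually withholds the data.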