0

We have an public facing web-server, with a custom API feature to allow users to download data associated with a website we've developed. It's just an option to give users the data behind the website, for their own personal use and in json format.

My question is not related to any errors or issues, as such. It's a question on security and if the way we've done it is safe.

I am new to CORS and wondered if doing this, is secure enough?

builder.Services.AddCors(p =>
    p.AddPolicy("corsapp", builder =>
        {
            builder.WithOrigins("*").AllowAnyMethod().AllowAnyHeader();
        }));

The data we provide is very limited and has no personal or identifiable information that would be of value to a hacker. In fact the data can be sourced from the internet in other websites.

Is the above builder ok as is, or should we be specific with our domain URL in case hackers get past the API's default protection? By default I mean we are not programming any specific security features into our API. I just built it using VS2022, with the default project template for API development in C#.

Thanks

UPDATE

Please provide links or examples on how to properly setup CORS on an API without authentication. As I said in my OP, our API does not require authentication - it's just a straight data dump. However, with the above Builder, we are concerned of other possible vulnerabilities (if any!) - OR is CORS by default is "safe"?!

Fandango68
  • 4,461
  • 4
  • 39
  • 74

1 Answers1

1

In your use case it is safe (at least for you, generally no), with CORS you are allowing browsers to initiate cross-origin HTTP request from scripts. (javascript) but you don't need this (your users are downloading from the same site, and probably not with js).

What is CORS?: (source):

  • Is a W3C standard that allows a server to relax the same-origin policy.
  • Is not a security feature, CORS relaxes security. An API is not safer by allowing CORS.
  • Allows a server to explicitly allow some cross-origin requests while rejecting others.

If your API is used from the same domain only (subdomains count as a different origins, also scheme counts as a different origin (http vs https), ports too), then you don't have to use CORS.

By default nothing is allowed, but if you want to provide access to some other sites to access your resources (from different domains), then you can allow that site some selected methods. (add them as exception - the sites you trust)

You can also limit in your controller to just allow on some methods (not globally), that way you minimize the attack surface.

Note: in first try I would disable CORS (it is disabled by default), and if nothing breaks, you never needed to enable it (if you need to enable it, do it in the most strict way - see source above).

IamK
  • 2,753
  • 5
  • 30
  • 39
  • So it's *not* safe, because that disables CORS and allows a malicious script to load anything else it likes – Panagiotis Kanavos Oct 06 '22 at 07:41
  • In most cases it is not safe (for example if you could change the password of users), but if you look at the use case (for downloading files) it is safe. – IamK Oct 06 '22 at 07:43
  • Thanks for answering. Could you elaborate or provide links to examples on how to properly setup CORS on an API without authentication? As I said in my OP, our API does not require authentication - it's just a straight data dump. However, with the above Builder, we are concerned of other possible vulnerabilities (if any). – Fandango68 Oct 07 '22 at 02:37