# server
j
How can I dynamically set CORS in ktor.io? Unfortunately `call.request.origin.host` returns `localhost`, and after some reconfiguration of nginx it returns `backend.domain.com` instead of `frontend.domain.com`. Setting up CORS for all endpoints with `host("frontend.domain.com")` works properly, allows only the frontend domain, and blocks all others.
I can see that the `Referer` header has the proper address `frontend.domain.com` - is it safe to use it to block using my backend on some origins?
h
Not quite sure about the initial question but do not rely on the Referer header! It is easily spoofable.
j
Basically I need the origin. But I don't get the 'origin' header, and the 'host' header points to my backend
I need something not spoofable that will give me the real hostname of the frontend using my backend in an iframe
h
Do you use a reverse proxy in front of your backend?
You can usually configure it (nginx / Apache httpd) to send you the original hostname used in a custom header. This header is only set by your reverse proxy, and it will override / ignore it when someone outside tries to set the header
j
Yes
h
A quick search brought up this article for NGINX: https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
j
I will take a look into it
h
If you use httpd, search for http x-forward-for 😉
Fingers crossed. Let us know how it goes
j
I will let you know tomorrow
So I took a look into this. It doesn't help because the new headers do not appear. But as I read, CORS can be spoofed easily too; it is client-side protection. On the backend I have one endpoint which returns HTML; it is intended to be displayed in an iframe. But I want to block some users from putting it in an iframe on their public sites; it doesn't need to be protected from gathering this data at all. In such a case, would Referer be good enough? If I read well, Referer can be spoofed in Postman, curl, a custom browser etc., but the majority of users won't use such tools just to display an iframe on someone's site
So putting it in simple words and confirming: can the Referer header be set just in a JS frontend app?
h
Oh, this is nothing you would check on the server side.
So you can send headers that define who is allowed to use it in (i)frames
Rule of thumb: never trust user data. This includes the HTTP headers
In this case, you send a header and because “legit” browsers respect them, an attacker would have to get a hacked browser onto the victim’s computer before he can work around the headers. This is very unlikely and can’t be counteracted. There is only so much we can do 😉