I have 2 Ruby on Rails apps sitting on 2 different domains (say www.exampleA.com and www.exampleB.com). I want to share resources between the 2 apps and I'm using CORS: exampleA.com sends an HTTP POST request to exampleB.com.

At exampleB.com I'm checking request.env['HTTP_ORIGIN'] to make sure that the request comes from exampleA.com. If true, I respond by setting the response headers to allow the HTTP POST request.

My question is: can I use request.env['HTTP_ORIGIN'] as the only check to verify the identity of the requester? Is it possible for someone from www.exampleC.com to fake their HTTP_ORIGIN to look like www.exampleA.com and post malicious data? If so, what's the best way to verify the requester's identity?
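An added example (not code from the question or any answer) of how the server side at exampleB.com can separate the two concerns, written as plain Ruby over a Rack-style env hash rather than a Rails controller: the Origin header only decides which CORS response headers the browser gets, while the requester's identity rests on an HMAC over a timestamp and the body using a secret shared out of band. The header names, the secret and the origin values are constructed for this example.

```ruby
require 'openssl'

# CORS allowlist; browsers send the scheme with the Origin header (constructed value).
ALLOWED_ORIGINS = ['https://www.exampleA.com'].freeze
# Constructed secret for the example; in practice provision it out of band to both apps.
SHARED_SECRET   = 'constructed-shared-secret-not-a-real-key'
MAX_SKEW        = 300 # seconds; limits how long a captured signature stays valid

# Constant-time comparison so the MAC check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The signature the sender is expected to compute: HMAC-SHA256 over "timestamp.body".
def expected_signature(secret, timestamp, body)
  OpenSSL::HMAC.hexdigest('SHA256', secret, "#{timestamp}.#{body}")
end

# Returns [accepted, reason]. The origin check only gates CORS; the HMAC check
# is what actually verifies that the caller holds the shared secret.
def authorize_cross_site_post(env, body, now = Time.now.to_i)
  origin = env['HTTP_ORIGIN']
  return [false, 'origin not allowed'] unless ALLOWED_ORIGINS.include?(origin)

  ts  = env['HTTP_X_SIGNATURE_TIMESTAMP'].to_s   # constructed header name
  sig = env['HTTP_X_SIGNATURE'].to_s             # constructed header name
  return [false, 'missing signature'] if ts.empty? || sig.empty?
  return [false, 'stale timestamp'] if (now - ts.to_i).abs > MAX_SKEW
  return [false, 'bad signature'] unless secure_equal?(sig, expected_signature(SHARED_SECRET, ts, body))

  [true, 'ok']
end

# Response headers to emit only once the request has been accepted.
def cors_headers(origin)
  { 'Access-Control-Allow-Origin' => origin, 'Vary' => 'Origin' }
end
```

A request whose Origin header merely reads www.exampleA.com but carries no valid signature is rejected at the signature step, which is the gap a pure HTTP_ORIGIN check leaves open.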