Whitelisted CORS using Apache

2019-07-20 03:33发布

站内问答 / 前端开发
726 1 2

I am looking to set up my (Red Hat Linux/Apache 2.2.3) website to allow Ajax calls from HTML5 apps written in Javascript where these scripts might be hosted elsewhere.

This is what CORS is all about.

There are many descriptions of how to enable CORS via mod_headers. Just about all of them set the Access-Control-Allow-Origin header to "*" which opens the site up to the world.

But the Same-origin policy is in place for a reason and this level of access raises real security questions.

How can I whitelist the sites (could be dozens of them, but sites of people I have business relationships with) I want without opening my site to the world?

The only discussion I've seen that discusses this is http://blog.blakesimpson.co.uk/read/64-apache-configure-cors-headers-for-whitelist-domains but:

  1. That page, while insightful, was not thorough.
  2. The approach does not look manageable with a largish number of allowed origins.

What are security-conscious web administrators doing?

1条回答
叛逆
2楼-- · 2019-07-20 04:15

You can put your all whitelisted domain as below and also define generic regexp match for more flexibel to whitelist domains.

<IfModule mod_headers.c>

   ##########################################################################
   # 1.) ENABLE CORS PRE-FLIGHT REQUESTS
   # e.g. PUT, DELETE, OPTIONS, ...
   # we need to set Access-Control-Allow-Headers and
   # Access-Control-Allow-Methods for allowed domain(s)
   ##########################################################################

   # first check for pre-flight headers and set as environment variables
   # e.g. header method-a is set here
   SetEnvIf ^Access-Control-Request-Method$ "method-a" METHOD_A
   SetEnvIf ^Access-Control-Request-Headers$ "^Content-Type$" HEADER_A

   # set corresponding response pre-flight headers for allowed domain(s)
   Header set Access-Control-Request-Methods "method-a" env=METHOD_A
   Header set Access-Control-Request-Headers "content-type" env=HEADER_A

   # TODO: add allowed additional pre-flight requests here...

   #########################################################################
   # 2.) ENABLE CORS *SIMPLE REQUESTS* (vs. Pre-Flight Requests from above)
   # e.g. GET, POST and HEAD requests
   # we need to set Access-Control-Allow-Origin header for allowed domain(s)
   # also note that POST requests need to match one of the following
   # Content-Type:
   # 1) application/x-www-form-urlencoded
   # 2) multipart/form-data
   # 3) text/plain
   #########################################################################


   # e.g. origin = https://host-b.local
   SetEnvIfNoCase Origin "https://host-b.local" AccessControlAllowOrigin=$0
   Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin


   # generic regexp match for more flexibel use cases
   #SetEnvIfNoCase Origin "((http(s?))?://(www\.)?(host\-a|host\-b)\.local)(:\d+)?$" AccessControlAllowOrigin=$0
   #Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin

   # TODO: add additional whitelisted domain here...

</IfModule>
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(2)