-
Notifications
You must be signed in to change notification settings - Fork 6.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding a security section in the documentation? #152
Comments
The typical use case is to access a public resource that is not available due to the lack of CORS headers. As the operator of the server, the main risks are:
|
@Rob--W Thanks for your answer, I already learnt something :)
|
If you are considering Koa or Express, then you probably intend to use CORS Anywhere as a library. In that case, you can simply set
If you have an actual need for the functionality, please describe your use case I didn't add a commit yet, because it was unclear to me how others would like to configure the feature (e.g. via environment variables);
I think that you misunderstood my comment. The security issue is not "leaking" client URLs to the server, because by definition the client trusts the proxy server to handle requests on behalf of the client. Heroku does indeed offer a live log of requests (and if needed, I analyze these logs to counter abuse, e.g. as done in #45 and #129). The leak that I mentioned in my previous comment is when there is a server in your network (potentially a service at localhost on your computer) that is not supposed to be reachable by others outside your network. Usually, a firewall protects the resource from external access, and the Same-origin policy of web browsers prevent other web pages that you are visiting from reading data from such services. However, if you start a CORS proxy in your network, then these protections can be bypassed. The following two cases are most likely:
For these reasons, it's important to put the proxy on a network where it cannot access sensitive resources. |
I'm sure you've already seen it. This issue was mentioned in this penetration test report specific to AWS EC2 meta-data exploit: https://www.certik.com/resources/blog/technology/cors-anywhere-dangers-of-misconfigured-third-party-software |
Hello,
While I have a general understanding of web security, when I checked the documentation I saw that it would pretty easy to set this up. But the security question popped up in my mind immediately.
So I wondered how far is this secure, what options are "dangerous" and what potential risks are associated with using a solution like "cors-anywhere".
I guess the typical use case is to proxy ajax requests to a Web API that may or may not contain sensible information.
I'd like to add such section, like do/don't do or maybe just a link to a relevant article?
What do you think?
The text was updated successfully, but these errors were encountered: