The problem is, the Origin header isn't always set from what I'm seeing. If you want a wildcard domain, I'd set the default to that.

```nginx
if ($http_origin ~* ^(https?://+(:\d+)?)/?.*?$ ) ) )
```

Headers in the response:

```
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
```

The `always` parameter just means use it for any status code.

There's another option not included here: also falling back to the Referer.

My instinct for security also tells me that you might want to validate the Origin header, though I have to wonder how far to really go with this. Can the user inject anything malicious? If they try to inject a new line, they'll just be sending another header rather than injecting a response header. I suppose the only thing they might do with something that reflects what's sent is try to exploit some client header-handling bug, which seems a bit far fetched (and the use of.

That can cause some confusion, as not everyone who wants `withCredentials` actually wants anything to do with credentials, so the security concern goes poof.

If the sample you posted goes into something with another `if` statement, then it can be wiped out if another `if` matches. Once you need to go into `if` space, you might find yourself really wanting a module for this. Nginx configuration doesn't appear to make use of an ordered map or ordered list, and the most prevalent documentation on the matter is confusing. It's really hard to find out how `if` actually works in nginx.
```nginx
add_header 'Access-Control-Allow-Origin' '*';
# Browsers refuse a credentialed (withCredentials) response whose Allow-Origin is
# the '*' wildcard, so this pair only ever works for non-credentialed requests.
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
# Custom headers and headers various browsers *should* be OK with but aren't
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
# Tell client that this pre-flight info is valid for 20 days
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=UTF-8';
```
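The two configurations above are the weak ends of the spectrum: the first reflects whatever Origin matches a loose regex (and, if the regex is the only check, any page a logged-in user visits can make credentialed requests and read the responses, which is the real reason to validate Origin rather than header injection), and the second combines the `*` wildcard with `Allow-Credentials: true`, which browsers reject for credentialed requests. The following is an added example, not the original poster's config, showing a strict allow-list built with `map` instead of chained `if` blocks, with `always` so the headers survive error responses. The host names `app.example.com`, `admin.example.com` and `api.example.com`, the upstream name `backend`, and the list of permitted request headers are assumptions for illustration:

```nginx
# Added example (not from the original post). Allowed front-ends are hypothetical.
#
# "map" is evaluated once per request and is not subject to the "last matching
# if wins" behaviour. Both regexes are anchored with ^ and $, so
# "https://app.example.com.evil.net" and "https://notapp.example.com" fall
# through to the empty default. A missing Origin header also yields "".
map $http_origin $cors_origin {
    default                          "";
    "~^https://app\.example\.com$"   $http_origin;
    "~^https://admin\.example\.com$" $http_origin;
}

# Only send Allow-Credentials when an origin was actually allow-listed.
map $cors_origin $cors_credentials {
    default ""; 
    "~."    "true";
}

upstream backend {
    server 127.0.0.1:8080;   # assumed application server
}

server {
    listen      443 ssl;
    server_name api.example.com;
    # ssl_certificate / ssl_certificate_key omitted; assumed to be set elsewhere.

    location /api/ {
        # nginx drops an add_header whose value is the empty string, so a
        # non-allow-listed origin gets no CORS headers at all and the browser
        # blocks the response. "always" attaches the headers on 4xx/5xx too.
        # Vary: Origin stops a shared cache from replaying one origin's
        # Allow-Origin to another.
        add_header 'Access-Control-Allow-Origin'      $cors_origin      always;
        add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
        add_header 'Vary'                             'Origin'          always;

        # Preflight. add_header directives inside an "if" replace those of the
        # enclosing location, so the three above are repeated here on purpose.
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin'      $cors_origin      always;
            add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
            add_header 'Vary'                             'Origin'          always;
            add_header 'Access-Control-Allow-Methods'     'GET, POST, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers'     'Authorization,Content-Type,X-Requested-With' always;
            # Preflight result may be cached by the browser for 20 days.
            add_header 'Access-Control-Max-Age'           1728000 always;
            add_header 'Content-Type'                     'text/plain; charset=UTF-8';
            add_header 'Content-Length'                   0;
            return 204;
        }

        proxy_pass http://backend;
    }
}
```

A quick check after reloading: `curl -sI -H 'Origin: https://app.example.com' https://api.example.com/api/` should return `Access-Control-Allow-Origin: https://app.example.com`, while `curl -sI -H 'Origin: https://app.example.com.evil.net' ...` should return no `Access-Control-Allow-*` headers at all. If you genuinely want a wildcard, set `default "*"` in the first `map` and drop the credentials map entirely; a wildcard with credentials is never a valid combination.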