Sunday, June 22, 2025

Cross-Origin Resource Sharing (CORS) | Overview.

Here’s twtech overview of Cross-Origin Resource Sharing (CORS).

Scope:

  • Intro,
  • Setup
  • Server-Side Configuration,
  • Sample: Express.js Setup
  • Benefits
  • Limitations
  • Use cases,
  • Best Practices,
  • CORS Headers Architecture,
  • Common CORS Headers,
  • Sample CORS Headers (Response)
  • Preflight Requests,
  • Request,
  • Response,
  • Security.

 Concept of CORS

  • Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers to control how web pages access resources from different origins (i.e., domains, protocols, or ports).
  • By default, browsers restrict cross-origin HTTP requests initiated from scripts to protect users from malicious websites (a principle called the Same-Origin Policy).
  • CORS allows servers to declare which origins are permitted to access their resources using specific HTTP headers.

 Setup

1. Server-Side Configuration

To enable CORS, the server must include specific headers in its HTTP response:

Common CORS Headers:

Header

Purpose

Access-Control-Allow-Origin

Specifies allowed origins (e.g., *, https://twtechapp.com)

Access-Control-Allow-Methods

Allowed HTTP methods (e.g., GET, POST, PUT, DELETE)

Access-Control-Allow-Headers

Allowed custom headers (e.g., Content-Type, Authorization)

Access-Control-Allow-Credentials

Whether credentials (cookies, HTTP auth) are allowed

Access-Control-Expose-Headers

Headers accessible to the client

Access-Control-Max-Age

How long the results of a preflight request can be cached

2. Sample: Express.js Setup

# js
const express = require('express');
const cors = require('cors');
const app = express();
app.use(cors({
  origin: 'https://twtechapp.com',
  methods: ['GET', 'POST'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true
}));
app.get('/data', (req, res) => {
  res.json({ message: 'CORS Enabled!' });
});

Benefits

  •         Security: Protects resources from unauthorized cross-origin access.
  •         Flexibility: Allows specific origins and methods instead of blocking all cross-origin requests.
  •         Granular control: Supports fine-tuning of who can access what via HTTP headers.
  •         Interoperability: Enables safe data sharing between frontends and APIs hosted on different domains.

 Limitations

  •         Browser-enforced only: CORS is enforced by browsers, not by servers or non-browser clients.
  •         Doesn't block malicious requests: CORS doesn’t secure the server; it controls how browsers behave. Always validate requests server-side.
  •         Complexity with credentials: Allowing credentials (withCredentials) can introduce CSRF risks if not carefully handled.
  •         Not a security measure alone: CORS is a relaxation of security, not a defense mechanism itself.

 Use Cases

Use Case

Description

Single Page Applications (SPAs)

Frontend on one domain accessing APIs on another domain.

CDNs and APIs

Allow public access to resources via CORS (e.g., fonts, public APIs).

Microservices architectures

Backend services communicating via REST/GraphQL with frontends hosted elsewhere.

Cross-domain iframe communication

When a script inside an iframe communicates with a parent domain.

Third-party integrations

Allow limited access to APIs from partner domains.

 twtech Best Practices

  •         Only allow trusted origins, not *, especially when credentials are used.
  •         Validate CORS headers against known lists on the server.
  •         Use HTTPS to prevent man-in-the-middle (MITM) attacks.
  •         Combine with other security measures: CSRF tokens, authentication checks, rate limiting, etc.

CORS Headers Architecture


  • CORS (Cross-Origin Resource Sharing) headers are HTTP headers used to control how web resources (like fonts, APIs, images) hosted on one domain can be accessed from another domain (a different "origin").
  •  CORS is a critical security mechanism implemented in web browsers to allow or restrict such cross-origin requests.

 Common CORS Headers

Header

Description

Access-Control-Allow-Origin

Specifies which origin(s) are permitted to access the resource.

Access-Control-Allow-Methods

Lists the HTTP methods (GET, POST, etc.) allowed when accessing the resource.

Access-Control-Allow-Headers

Lists the request headers the client can use in the actual request.

Access-Control-Allow-Credentials

Indicates whether credentials (cookies, HTTP authentication) are allowed.

Access-Control-Expose-Headers

Specifies which headers are safe to expose to the client.

Access-Control-Max-Age

Indicates how long the results of a preflight request can be cached.

Sample CORS Headers (Response)

# http

Access-Control-Allow-Origin: https://twtechapp.com

Access-Control-Allow-Methods: GET, POST, PUT

Access-Control-Allow-Headers: Content-Type, Authorization

Access-Control-Allow-Credentials: true

Access-Control-Max-Age: 86400 

 Preflight Requests

  • For requests with methods like PUT, DELETE, or custom headers, browsers send a preflight OPTIONS request to check permission:

Request:

# http 

OPTIONS /api/data HTTP/1.1

Origin: https://client.twtechapp.com

Access-Control-Request-Method: PUT

Access-Control-Request-Headers: Content-Type

Response:

#  http

Access-Control-Allow-Origin: https://client.twtechapp.com

Access-Control-Allow-Methods: PUT

Access-Control-Allow-Headers: Content-Type

Access-Control-Max-Age: 86400

 Security Tips

  • Use specific origins (https://twtechapp.com) rather than * to avoid exposure.
  • Don’t allow credentials (Allow-Credentials: true) unless necessary.
  • Always configure CORS server-side (e.g., in API or web server settings like NGINX, S3, Express.js).

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Amazon EventBridge | Overview.

Amazon EventBridge - Overview. Scope: Intro, Core Concepts, Key Benefits, Link to official documentation, Insights. Intro: Amazon EventBridg...