1
votes

I have 2 Ruby on Rails apps sitting on 2 different domains (say www.exampleA.com and www.exampleB.com). I want to share resources between the 2 apps and I'm using CORS:

exampleA.com sends an HTTP POST request to exampleB.com.

At exampleB.com I'm checking request.env['HTTP_ORIGIN'] to make sure that the request comes from exampleA.com. If true, I respond by setting the response headers to allow the HTTP POST request.

My question is: can I use request.env['HTTP_ORIGIN'] as the only check to verify the identity of the requester?

Is it possible for someone from www.exampleC.com to fake their HTTP_ORIGIN to look like www.exampleA.com and post malicious data? If so, what's the best way to verify the requester's identity?

2
Never, ever trust anything from a client. A client can fake anything they send to the server. - Mitch Dempsey

2 Answers

3
votes

Origin is one of several header fields that cannot be set for an XHR request by page authors. So you’re safe to trust the Origin information of XHR requests.

But it is still possible for an attacker to send forged requests with malicious data directly. So you’re still required to validate incoming requests.
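The following is an added example, not code from the question or from either answer. It mirrors the Origin allow-list check the question describes using a Rack-style env hash in plain Ruby (no Rails needed), then shows the point the answer above makes: a request sent outside a browser with a copied Origin header is indistinguishable from a real cross-site XHR, so the server still has to authenticate the request itself. The second half does that with an HMAC over the request, signed with a hypothetical shared secret that only the two backends hold. Hostnames, paths, header names (X-Timestamp, X-Signature), the secret and the 'body' key are all constructed for the example; in a real Rack app the body is read from env['rack.input'].

```ruby
require 'openssl'

# Origins that exampleB.com is willing to share resources with (constructed).
ALLOWED_ORIGINS = ['https://www.exampleA.com'].freeze

# The check the question describes: read the Origin header (Rack exposes it as
# env['HTTP_ORIGIN']) and, if it is on the allow list, return the CORS response
# headers that let the browser read the response. Returns nil otherwise.
def cors_headers_for(env)
  origin = env['HTTP_ORIGIN']
  return nil unless ALLOWED_ORIGINS.include?(origin)

  {
    'Access-Control-Allow-Origin'  => origin,          # echo the one allowed origin, never '*'
    'Access-Control-Allow-Methods' => 'POST, OPTIONS',
    'Vary'                         => 'Origin'         # response differs per origin; keep caches honest
  }
end

# What exampleB.com sees when a page on exampleA.com performs a cross-site XHR POST.
# The browser fills in Origin; script on exampleA.com cannot override it. (Constructed.)
BROWSER_REQUEST = {
  'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/resource',
  'HTTP_ORIGIN' => 'https://www.exampleA.com', 'body' => '{"amount":10}'
}.freeze

# What exampleB.com sees when anyone runs, from any machine:
#   curl -X POST -H 'Origin: https://www.exampleA.com' https://www.exampleB.com/resource
# Outside a browser the Origin header is whatever the client chooses, so the server
# sees the same Origin as above, just with a different payload. (Constructed.)
FORGED_REQUEST = BROWSER_REQUEST.merge('body' => '{"amount":1000000}').freeze

# Authentication a forger cannot imitate: exampleA.com's backend signs each request
# with a secret both apps hold (hypothetical SHARED_SECRET, kept in server-side
# credentials, never in a page). Covering method, path, body and a timestamp binds
# the signature to this exact request and bounds replay.
SHARED_SECRET = 'replace-me-with-a-long-random-secret'.freeze

def signature_for(secret, method, path, timestamp, body)
  OpenSSL::HMAC.hexdigest('SHA256', secret, [method, path, timestamp.to_s, body].join("\n"))
end

# Constant-time comparison so a mismatch does not leak where the strings diverge.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# exampleB.com's check: timestamp must be recent, signature must match the request.
def authentic?(env, secret, now: Time.now.to_i, max_skew: 300)
  ts = env['HTTP_X_TIMESTAMP'].to_s
  return false unless ts =~ /\A\d+\z/ && (now - ts.to_i).abs <= max_skew
  expected = signature_for(secret, env['REQUEST_METHOD'], env['PATH_INFO'], ts, env['body'])
  secure_compare(expected, env['HTTP_X_SIGNATURE'].to_s)
end

# exampleA.com's backend attaching the headers its HTTP client would send.
def signed_request(env, secret, timestamp)
  sig = signature_for(secret, env['REQUEST_METHOD'], env['PATH_INFO'], timestamp, env['body'])
  env.merge('HTTP_X_TIMESTAMP' => timestamp.to_s, 'HTTP_X_SIGNATURE' => sig)
end

if $PROGRAM_NAME == __FILE__
  now = Time.now.to_i
  puts "browser request passes Origin check:  #{!cors_headers_for(BROWSER_REQUEST).nil?}"
  puts "forged request passes Origin check:   #{!cors_headers_for(FORGED_REQUEST).nil?}"
  good = signed_request(BROWSER_REQUEST, SHARED_SECRET, now)
  puts "signed request authentic:             #{authentic?(good, SHARED_SECRET, now: now)}"
  puts "forged request (no secret) authentic: #{authentic?(FORGED_REQUEST, SHARED_SECRET, now: now)}"
  tampered = good.merge('body' => FORGED_REQUEST['body'])
  puts "signed then tampered authentic:       #{authentic?(tampered, SHARED_SECRET, now: now)}"
end
```

Both constructed requests pass cors_headers_for, which is exactly why the Origin check is a CORS policy decision and not an identity check. The HMAC check accepts only the request that was signed with the secret, rejects the forgery, a tampered body and a stale timestamp. Run the file directly to see the comparison; the Origin allow list is still worth keeping for browsers, it just answers a different question.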

0
votes

Sorry, but it is trivially easy to fake most client-provided data, origin included, and hence it should not be used for any type of security.