3
votes

I have a web client making requests to AWS Lambda via the AWS API Gateway. I'm using AWS Cognito, alongside Auth0, to authenticate users.

My question is related to the CORS response headers from the AWS API Gateway endpoint, specifically the Access-Control-Allow-Origin response header that is set to any ('*'). This article indicates the risks of using the any ('*') parameter, namely that a 'hacker can coopt our site to request any method' on our back-end: (CORS Security link).

While Cognito's authentication may prove that the end user making the request is who he says he is, Cognito's authentication does not necessarily prove that the website that is making the request on behalf of the user is mywebsite.com rather than attacker.com.

Does Cognito guarantee that the request is coming from mywebsite.com?

Is there a secure way to implement the any ('*') Access-Control-Allow-Origin response header?

1
"My question is related to the CORS headers in the POST requests being sent to AWS" Which part of AWS? The Cognito service, or your API Gateway endpoint? Access-Control-Allow-Origin is a response header, not a request header, so this isn't being "sent to," it's being "received from" ...from what, exactly? (Michael - sqlbot)
It's a response header, received from the AWS API Gateway endpoint. Thanks, I've edited the post. (timberlakegregg)

1 Answer

4
votes

Does Cognito guarantee that the request is coming from mywebsite.com?

No. Cognito is agnostic of your domain. All it cares about is user authentication/management.

Is there a secure way to implement the any ('*') Access-Control-Allow-Origin response header?

Well, yes and no. As you said in your post, Cognito will authenticate the user. So that means with Access-Control-Allow-Origin '*' set, any domain is allowed to make a cross-origin request, but if they can't provide a valid authentication token, then they get a 401 error back.

If you want to limit which domains have access, then you can't use '*'. '*' is a wildcard and hence allows any value. So if you'd instead like only mywebsite.com to be able to make a CORS request, then replace the '*' with 'mywebsite.com'. This makes it so only requests from that domain are allowed. Requests from attacker.com will now fail because they won't have the proper headers.
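Added example, not part of the question or the answer above: a Node.js Lambda handler behind API Gateway (Lambda proxy integration, with a Cognito authorizer on the method assumed) that replaces Access-Control-Allow-Origin: '*' with an explicit allowlist. Two details the answer glosses over are worth seeing in code: the value the browser compares against is a full origin (scheme plus host plus port, e.g. https://mywebsite.com, as sent in the request's Origin header), so a bare host name never matches; and when you echo a specific origin you should send Vary: Origin so a shared cache does not hand one origin's allow header to another. The allowlist entries, helper names and event shape are assumptions for the example.

```javascript
'use strict';

// Added example (not from the original question or answer). Origins that
// may read responses from this API. An origin is scheme + host (+ port),
// exactly as the browser sends it in the Origin request header, so a
// plain 'mywebsite.com' would never match. Entries are hypothetical.
const ALLOWED_ORIGINS = new Set([
  'https://mywebsite.com',
  'https://www.mywebsite.com',
]);

// Build the CORS response headers for one request. Returns an empty
// object for origins that are not on the allowlist, so the browser
// blocks the cross-origin read. Vary: Origin keeps caches from serving
// one origin's allow header to a different origin.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization,Content-Type',
    'Vary': 'Origin',
  };
}

// Case-insensitive header lookup: header name casing in Lambda proxy
// events is not guaranteed, so never index event.headers directly.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Lambda proxy handler. A Cognito authorizer on the API Gateway method is
// assumed to have rejected unauthenticated calls already; the claims it
// forwards are still checked here so a route that was accidentally
// deployed without the authorizer fails closed with a 401.
async function handler(event) {
  const origin = getHeader(event.headers, 'Origin');
  const cors = corsHeaders(origin);

  if (event.httpMethod === 'OPTIONS') {
    // Preflight: no body and no auth check; only the CORS headers matter.
    return { statusCode: 204, headers: cors, body: '' };
  }

  const authorizer = event.requestContext && event.requestContext.authorizer;
  const claims = authorizer && authorizer.claims;
  if (!claims || !claims.sub) {
    return {
      statusCode: 401,
      headers: cors,
      body: JSON.stringify({ error: 'unauthenticated' }),
    };
  }

  return {
    statusCode: 200,
    headers: { ...cors, 'Content-Type': 'application/json' },
    body: JSON.stringify({ user: claims.sub }),
  };
}
```

Note what this does and does not buy you: the allowlist only controls which origins a browser lets read the response; it is not an authentication mechanism, since a non-browser client can send any Origin header it likes. The Cognito token check is what actually protects the data, which is why the handler keeps it even when the origin matches.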