Compatibility of the "Origin" http header for enforcing restrictions

I am building a RESTful JSON API and I am concerned about JSON data theft and Cross-Site Request Forgery.

A good solution that was created to address both of these problems is the Origin HTTP header. However, I am concerned that this method isn't compatible with all modern browsers. Is this a valid concern? Is the Origin HTTP header useless due to compatibility problems? Should the origin ever be considered when performing an HTTP Referer check?

asked Apr 05 '12 17:04 by rook



2 Answers

Here's a list of compatible browsers and known issues. Now it's up to you if you can live with these limitations:

Can I use...

answered Oct 05 '22 18:10 by Eran Boudjnah


It's a valid concern. Someone could be using an older browser that doesn't fully support it. There might also be a bug in a beta version.

Also consider adding X-Frame-Options: SAMEORIGIN to your JSON API to prevent someone from including your site into an iframe.

Also consider prepending your returned JSON responses with special characters and manually strip them off in your JSON decoder. This is how Google does it: Why does Google prepend while(1); to their JSON responses?

Also consider, for extra, extra security, including a nonce for each request, and signing the request to verify it came from your code instead of a phishing site. This is similar to how OAuth 1.0 works. An alternative is to generate a token for each session, which automatically expires, and to refresh the token when needed. This is how OAuth 2.0 works. This allows invalidating access on demand, for example, if you find a bug, so old clients must upgrade.

answered Oct 05 '22 18:10 by Chloe
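
The response hardening in the answer above, as an added example (not code from the answer or from Google): a server-side builder that prepends the `while(1);` prefix and sets `X-Frame-Options: SAMEORIGIN` on a JSON response, and the matching client-side decoder that strips the prefix before parsing. The function names, the extra headers and the sample payload are assumptions made for this demo.

```javascript
// Added example, not from the original page. Anti-JSON-hijacking prefix plus
// response headers on the server, and the decoder the client must use.
const PREFIX = 'while(1);';

// Server side: if an attacker's page loads this URL through a <script src=...>
// tag, the prefix loops forever before the JSON literal is ever evaluated, so
// its contents cannot be captured. The prefix is harmless to a real client,
// which never evaluates the body as script.
function buildJsonResponse(data) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff', // browsers refuse to run non-JS MIME types as script
      'X-Frame-Options': 'SAMEORIGIN',      // the header the answer recommends: no cross-origin framing
      'Cache-Control': 'no-store',          // keep per-user JSON out of shared caches
    },
    body: PREFIX + JSON.stringify(data),
  };
}

// Client side: require the prefix, strip it, then parse. A body without the
// prefix is rejected rather than parsed, so a spoofed or downgraded endpoint
// is noticed instead of silently accepted.
function parseProtectedJson(body) {
  if (typeof body !== 'string' || !body.startsWith(PREFIX)) {
    throw new Error('response is missing the anti-hijacking prefix');
  }
  return JSON.parse(body.slice(PREFIX.length));
}

// Constructed sample payload: the kind of per-user data JSON hijacking targets.
const SAMPLE = { user: 'alice', contacts: [{ name: 'bob', email: 'bob@example.com' }] };

// Round trip: what the server emits is exactly what the client recovers.
function demo() {
  const res = buildJsonResponse(SAMPLE);
  return parseProtectedJson(res.body);
}

module.exports = { PREFIX, buildJsonResponse, parseProtectedJson, demo };
```

The prefix only matters for clients that would otherwise have parsed the body with `eval`, or for old browsers that let a cross-site `<script>` include leak the values of a bare JSON array literal; modern browsers with `nosniff` and CORS already refuse that, but the prefix costs nothing and protects the older clients the question is worried about.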