Menu
I am wondering if there is an industry standard for better securing ajax calls on mobile.
My mobile app consists of my website's html, js, & css files -- but installs them locally on the mobile device for performance. The mobile devices' local index.html then calls my web server for data (Tomcat in this case).
The only way I have found this to work is to enable CORS in my servlet:
response.setContentType("text/html");
response.addHeader("Access-Control-Allow-Origin", "*");
response.addHeader("Access-Control-Allow-Methods", "GET, PUT, POST, OPTIONS, DELETE");
response.addHeader("Access-Control-Allow-Headers", "Content-Type");
response.addHeader("Access-Control-Max-Age", "86400");
But quite honestly, I dont like that for a variety of reasons but mainly -- anything can now query my webserver from any domain and get a response...
How can I achieve the same ajax call to my webserver from a mobile device using CORS - but in a more secure manner so that only my app is allowed access?
** OR ** Is CORS incorrect altogether in this case of mobile and there is a more standard/desirable solution?
854
Since a native app is not a web page loaded from any domain at all, CORS restrictions are not needed or applied, the app's HTTP functions never send an OPTIONS pre-flight, & the server serves the request without CORS ever entering into it. The same is true if you were to try these requests in Postman.
CORS adds another layer of security to help ensure that only trusted domains can access your site's resources. As mentioned above, most CORS vulnerabilities relate to poor validation practices due to response header misconfigurations. These relax security too much and allow non-trusted origins to access resources.
This is when CORS (cross-origin resource sharing) comes into play. CORS is a server-side configuration that may allow browsers to download resources bypassing the same-origin policy, specifying who can access resources and how.
CORS misconfigurations can also give attackers access to internal sites behind the firewall using cross-communication types of attacks. Such attacks can succeed because developers disable CORS security for internal sites because they mistakenly believe these to be safe from external attacks.
CORS is a standard for instructing browsers on what to do when a page from another domain tries to access your domain.
The key term there is browsers. Anyone can construct a request (forging whatever headers they like, including Origin) that hits your server. What the Same Origin Policy and CORS rely on is a cooperative browser placing limits on what foreign scripts can do.
So the news is good. Since your code runs in a private web view in an app, you presumably don't face the risk of a foreign site running code in your view. (As opposed to browsers, where many domains run code in the same browser.)
So, as long as your code is running only on the app, CORS does not make your site any more or less vulnerable than it would be otherwise.
183
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
