CORS (Cross-Origin Resource Sharing) is an essential aspect of modern web security, governing the way browsers allow or block requests to access resources located on a different domain from that of the current web page. In this article, we take an in-depth look at this concept and its implications for API calls.
What is CORS and why is it important?
When you visit a website, your web browser executes code from that site. The site in question has its own domain. If this code tries to load resources (such as images, scripts or data) from another domain, then a request to a server is necessary.
If the Front is not hosted on the same domain as the Back, then the browser makes what is known as a cross-origin request. When developing a website, this is a common structure.
So, without appropriate security mechanisms, a third party could access sensitive data or even misuse a service. CORS are designed to prevent this by allowing servers to explicitly define which domains are authorized to access their resources.
Client side:
On the client side, the first step is to understand the CORS policy implemented by the third-party API server. Developers need to ensure that their application sends the correct CORS headers with every outgoing request. Tools like Axios usually take care of adding these headers automatically.
Server side:
On the server side, API developers must configure their server to respond to CORS preflights (or prefligth requests) and include the appropriate headers in request responses.
A preflight request is generally recognized by its http method "OPTIONS". This request precedes the real request by asking the server about the methods authorized for the current domain. These methods can be customized in the server configuration.
Security and privacy implications:
Poor CORS management can lead to security vulnerabilities such as CSRF (Cross-Site Request Forgery) attacks and the leakage of sensitive data. It is therefore essential for developers to understand CORS mechanisms in depth, and implement them to guarantee the security and confidentiality of their applications' users.
Reverse Proxy servers, OR how to send a request from an authorized domain:
A reverse proxy is a server that redirects incoming requests to another url. This can be particularly useful for improving website performance by balancing the load on different servers (load balancer).
The other interesting point is the possibility of issuing the incoming request by changing its origin. The request will then be sent from the reverse proxy. If third-party APIs authorize the proxy domain, this can be a way of bypassing the CORS policy for the website, which is not authorized to access the third-party API's services.
The diagram above shows that the server receives the request from the website, retrieves the response from the api, and sends a response back to the website using the proxy server's validated origin.
Conclusion:
In conclusion, CORS play a crucial role in securing interactions between web applications and third-party APIs. A thorough understanding of their operation and implementation is essential to guarantee data security and confidentiality in the complex, interconnected landscape of the modern web.
Crédits : Nicolas Burat De Gurgy