Hey Awesome Folks,
Today we will learn about CORS, or Cross-Origin Resource Sharing!
It is a mechanism used by web browsers to enforce security policies regarding cross-origin requests. When a web page makes a request to a different domain, protocol, or port than the one it originated from, it is considered a cross-origin request. CORS defines a set of HTTP headers that allow servers to specify which origins are allowed to access their resources.
Prior to CORS, web browsers enforced a security policy called the Same-Origin Policy (SOP), which restricted cross-origin requests for security reasons. SOP prevented web pages from making requests to a different domain, which could potentially be used for malicious purposes. However, this restriction also limited legitimate scenarios where cross-origin communication was required, such as accessing data from an API hosted on a different domain.
CORS introduces a mechanism for servers to relax the SOP and specify which origins are allowed to access their resources. The server can include specific CORS headers in its response to indicate which origins are allowed, what methods are permitted, and which headers can be exposed to the client. These headers include:
Access-Control-Allow-Origin: Specifies the origins that are allowed to access the resource. It can be set to a specific origin or to the wildcard "*" to allow any origin.
Access-Control-Allow-Methods: Indicates the HTTP methods (e.g., GET, POST, PUT, DELETE) that are allowed when accessing the resource.
Access-Control-Allow-Headers: Lists the custom headers that are allowed in the actual request.
Access-Control-Expose-Headers: Specifies the headers that the client can access in the response.
Access-Control-Allow-Credentials: Indicates whether the request can include credentials, such as cookies or authorization headers.
To protect user privacy and security, CORS requests are subject to certain restrictions. Browsers enforce these restrictions by making pre-flight requests (using the HTTP OPTIONS method) to the server, which checks if the actual request is allowed. This pre-flight request includes the Access-Control-Request-Method and Access-Control-Request-Headers headers to inform the server about the intended method and headers of the actual request.
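To make the header list and the pre-flight exchange concrete, here is an added example (my own code, not part of the original post): a small CORS policy layer written as pure JavaScript functions so it runs without a network. It decides what counts as a cross-origin request from scheme, host and port, answers the pre-flight OPTIONS request by checking Access-Control-Request-Method and Access-Control-Request-Headers against an allow-list, and sets the Access-Control-* headers on the real response. The origins, header names and values are constructed sample data; the function and constant names are my own.

```javascript
// Added example, not code from the original post. A minimal CORS policy layer
// written as pure functions so it can be exercised without a network: it
// decides what counts as a cross-origin request, answers the pre-flight
// OPTIONS request, and sets the Access-Control-* headers on the real response.
// All origins, header names and values below are constructed sample data.

// Allow-list of exact origins (hypothetical). Matching is exact: no prefix,
// suffix or regex matching, and the Origin value is never reflected unchecked.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "x-request-id"]; // compared case-insensitively
const EXPOSED_HEADERS = ["x-request-id"];                 // readable by page script

// Two URLs share an origin only when scheme, host and port all match
// (URL.origin normalises default ports, so https://a.com == https://a.com:443).
function isSameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Decide the CORS headers for one request. `reqHeaders` maps lower-cased header
// names to values (the shape of Node's IncomingMessage.headers).
// Returns { status, headers }; the status matters for pre-flight replies.
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  const preflight = method === "OPTIONS" && "access-control-request-method" in reqHeaders;
  // Deny = send no Access-Control-* headers at all; the browser then refuses to
  // expose the response to the page. A pre-flight is answered with 403.
  const deny = { status: preflight ? 403 : 200, headers: { "Vary": "Origin" } };

  // No Origin header: same-origin navigation or a non-browser client. Nothing to add.
  if (origin === undefined) return { status: 200, headers: {} };
  if (!ALLOWED_ORIGINS.has(origin)) return deny;

  const headers = {
    "Access-Control-Allow-Origin": origin,      // echoed only after the allow-list check
    "Access-Control-Allow-Credentials": "true", // valid because the origin is specific, not "*"
    "Vary": "Origin",                           // response differs per origin; caches must key on it
  };

  if (preflight) {
    // Validate the method and headers the browser says the real request will use.
    const wantMethod = reqHeaders["access-control-request-method"].toUpperCase();
    const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantMethod)
      && wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return deny;
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    return { status: 204, headers }; // pre-flight reply carries no body
  }

  // Actual request: additionally name the response headers page script may read.
  headers["Access-Control-Expose-Headers"] = EXPOSED_HEADERS.join(", ");
  return { status: 200, headers };
}

// Walk through the two-step exchange for a constructed PUT with a custom header:
// first the browser's pre-flight, then (only if it passed) the actual request.
function simulateExchange(origin) {
  const preflightReply = corsDecision("OPTIONS", {
    origin,
    "access-control-request-method": "PUT",
    "access-control-request-headers": "Content-Type, X-Request-Id",
  });
  if (preflightReply.status !== 204) return { preflightReply, actualReply: null };
  const actualReply = corsDecision("PUT", { origin, "content-type": "application/json" });
  return { preflightReply, actualReply };
}

console.log(isSameOrigin("https://app.example.com/page", "https://app.example.com:443/api")); // true
console.log(JSON.stringify(simulateExchange("https://app.example.com"), null, 2));
console.log(JSON.stringify(simulateExchange("https://other.example.net"), null, 2));
```

In a real Node.js handler you would pass `req.method` and `req.headers` (which Node already lower-cases) straight into `corsDecision` and copy the returned headers onto the response. Two design points worth noting: the allowed origin is written back only after an exact allow-list match, so the header never simply mirrors whatever Origin the request carried, and Allow-Credentials is only ever combined with a specific origin, since browsers reject the "*" wildcard together with credentials.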
CORS is an essential security mechanism that allows web applications to interact with resources hosted on different domains. By controlling access to resources, servers can protect sensitive information and prevent unauthorized cross-origin requests.