
Q&A: What is CORS? How Can Silverline Set Up a CORS Policy?

Question

  • What is CORS?
    • https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
        • TL;DR: Cross-Origin Resource Sharing is a browser mechanism. A page loaded from one origin (scheme, host and port) makes an HTTP request to a resource on a different origin, for example a subdomain or a separate API host
          • The browser adds an "Origin" header to that request carrying the origin of the requesting page (not of the server being called)
          • The HTTP response in return should at the very least send an "Access-Control-Allow-Origin" header whose value is that origin (or "*" for public, non-credentialed resources); otherwise the browser withholds the response from the page's script
          • Requests that are not "simple" (for example PUT/DELETE, JSON bodies or custom headers) are preceded by an OPTIONS "preflight" request, which must also be answered with the CORS headers
          • There are other headers (Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials, Vary: Origin) that further constrain the cross-origin sharing feature; please review the link above for further information
  • How can Silverline set up a CORS policy and add to the security?

Environment

  • Silverline WAF
  • WAF policy/WAF policies
  • iRule

Answer

  • How can Silverline set up a CORS policy and add to the security?
    • To strengthen the cross-origin sharing feature, Silverline can drop requests whose Origin is not one of the sites your backend application/server expects. Note that CORS itself is enforced only by the browser: a "simple" cross-origin request (for example a GET, or a form-style POST) is still sent to the server and the browser merely withholds the response from the calling page. An Origin allow-list on the WAF therefore keeps such requests from reaching the backend at all, and it also rejects any other client that presents an Origin outside the list (a client that omits the header is not affected by the check)
      • An iRule could be implemented to either
        1. Build a report on the Origin values seen on the proxy, in transparent (log-only) mode, to generate the list of allowed origins

          We recommend setting up Log Export to export iRule logs

          How to Configure Log Export

        2. Or, if you know the origins already, proceed to block requests whose Origin is not allowed
          • iRule example (the datagroup allow_origin_header holds the allowed origins, lowercased, one complete origin such as https://app.example.com per entry, because the match is exact):

            when HTTP_REQUEST priority 350 {
                # check if origin header exists
                if { [HTTP::header exists "origin"] } {
                    # check if this header value (lowercased) matches an entry of the allow-list datagroup
                    if { !([class match -- [string tolower [HTTP::header values "origin"]] equals [call ag_info0::datatable_name allow_origin_header]]) } {
                        # If origin header doesn't match, log and block
                        set agl [call ag_log0::open -rulename block_on_origin_header -rulever 1]
                        call ag_log0::http_kvp $agl INFO action "Blocking request based on origin header" Origin_header [HTTP::header values "origin"]
                        # The following two lines can be removed/commented out for Transparent (log-only) mode
                        HTTP::respond 403 content "<html><head><title>Error</title></head><body>The requested service cannot be accessed at this time</body></html>" noserver Connection close
                        TCP::close
                    }
                }
            }
        3. As with all iRules, ensure that no other iRule enabled on the same proxy uses the same priority, as this can cause errors or unintended behavior
  • In addition, cross-origin requests that are not "simple" are preceded by a preflight request, which uses the OPTIONS method
    1. If a WAF policy is enabled on the proxy and it blocks the OPTIONS method, preflights fail and the browser never sends the real request; please consider also requesting the SOC to allow the OPTIONS method, at least on the paths that are called cross-origin
    2. As the Origin header is sent on every cross-origin browser request, the Silverline WAF policy can set a mandatory requirement that all HTTP requests contain an Origin header
      • Otherwise, a violation under the "Mandatory Header is missing" category would be raised to alert on or block the request
      • Only enable this on a host that is consumed exclusively cross-origin (for example an API hostname called only from other origins): browsers do not send Origin on same-origin GET/HEAD requests, and non-browser clients, health checks and monitoring tools generally omit it, so on a host that also serves its own pages the requirement would block legitimate traffic
    3. It may also be necessary for the WAF policy blocking response page to return an "Access-Control-Allow-Origin" header echoing an allowed origin, so that the browser lets the calling page's script read the blocking page instead of reporting an opaque network error
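The following is an added example, not code from F5 or the Silverline service: a plain-Python model of the decision the iRule above makes (exact, lowercased match of the Origin header against an allow-list, pass-through when the header is absent, 403 block page otherwise), extended to show the CORS response headers the WAF policy notes refer to, including a preflight answer, which goes beyond what the page describes. The allow-list entries, the permitted methods and request headers, and the sample requests are all constructed for the example; the page's own check lives in an iRule and a datagroup, which this code only imitates.

```python
"""Added example (not F5/Silverline code): Origin allow-list decision plus
the CORS headers a response needs. All list entries and requests are
constructed for the example."""
from urllib.parse import urlsplit

# Constructed allow-list: one exact origin (scheme://host[:port]) per entry,
# already lowercased, the same shape the iRule's datagroup needs.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
# Methods and request headers the hypothetical application uses cross-origin.
ALLOWED_METHODS = "GET, POST, PUT, DELETE"
ALLOWED_REQUEST_HEADERS = {"content-type", "authorization"}
BLOCK_PAGE = ("<html><head><title>Error</title></head><body>"
              "The requested service cannot be accessed at this time</body></html>")


def normalize_origin(raw):
    """Lowercase an Origin value and reduce it to scheme://host[:port].
    Returns None for anything that is not a well-formed origin ("null", a bare
    host, a path, userinfo, a bad port) so it can never match an entry.
    The match is exact: https://app.example.com.attacker.net stays blocked."""
    if raw is None:
        return None
    parts = urlsplit(raw.strip().lower())
    if parts.scheme not in ("http", "https") or parts.path or parts.query:
        return None
    if "@" in parts.netloc:
        return None
    try:
        host, port = parts.hostname, parts.port
    except ValueError:          # non-numeric or out-of-range port
        return None
    if not host:
        return None
    if ":" in host:             # IPv6 literal: .hostname strips the brackets
        host = f"[{host}]"
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"   # browsers omit the default port
    return f"{parts.scheme}://{host}:{port}"


def evaluate_request(method, headers):
    """Return (action, response_headers, body): action is "pass" (forward to
    the backend and add response_headers to its reply) or an HTTP status to
    answer with at the edge. Mirrors the iRule's branches."""
    lowered = {name.lower(): value for name, value in headers.items()}
    raw_origin = lowered.get("origin")
    if raw_origin is None:
        # Same-origin GET/HEAD, curl, health checks: not a CORS request, so
        # the allow-list check does not apply (the iRule passes these too).
        return ("pass", {}, None)

    origin = normalize_origin(raw_origin)
    if origin not in ALLOWED_ORIGINS:
        # Block branch. The 403 deliberately carries no
        # Access-Control-Allow-Origin, so a browser script cannot read it.
        return (403, {"Connection": "close"}, BLOCK_PAGE)

    cors = {
        "Access-Control-Allow-Origin": origin,  # echo the matched origin, not "*"
        "Vary": "Origin",                        # caches must key on Origin
    }
    if method.upper() == "OPTIONS" and "access-control-request-method" in lowered:
        # Preflight (the OPTIONS traffic the WAF policy must let through):
        # grant only the methods and headers the application really uses.
        requested = lowered.get("access-control-request-headers", "")
        granted = [h for h in (x.strip().lower() for x in requested.split(","))
                   if h in ALLOWED_REQUEST_HEADERS]
        cors["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        cors["Access-Control-Allow-Headers"] = ", ".join(granted)
        cors["Access-Control-Max-Age"] = "600"
        return (204, cors, None)
    return ("pass", cors, None)


if __name__ == "__main__":
    # Constructed sample requests, as the proxy would see them.
    samples = [
        ("GET", {}),
        ("GET", {"Origin": "https://App.Example.com"}),
        ("POST", {"Origin": "https://app.example.com.attacker.net"}),
        ("GET", {"Origin": "null"}),
        ("OPTIONS", {"Origin": "https://admin.example.com:8443",
                     "Access-Control-Request-Method": "PUT",
                     "Access-Control-Request-Headers": "Content-Type, X-Debug"}),
    ]
    for m, h in samples:
        print(m, h.get("Origin"), "->", evaluate_request(m, h)[:2])
```

Run it directly to print the decision for each constructed request. The two points worth carrying back to the datagroup are that every entry must be a complete origin (scheme, host and, if non-default, the port) and that the comparison is exact: a substring or wildcard match would let https://app.example.com.attacker.net through, and a "null" Origin (sandboxed iframes, file:// pages, some redirects) must never be an entry.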
