Question
- What is CORS?
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- TL/DR; Cross-Origin Resource Sharing (CORS) is the browser mechanism that lets a page loaded from one origin (scheme, host and port) request resources from a different origin, for example an API hosted on a sub-domain
- The browser adds an "Origin" header to the cross-origin HTTP request; its value is the origin of the calling page, not the server being called
- The HTTP response in return should at the very least send an "Access-Control-Allow-Origin" header whose value is the single allowed origin (or "*" for public, non-credentialed resources); the header cannot carry a list of domains, so a server with several allowed origins must echo back the matching one and add "Vary: Origin"
- There are other headers that can be used to further strengthen the cross-origin sharing feature, please review the link above for further information
- How can Silverline set up a CORS policy and add to the security?
Environment
- Silverline WAF
- WAF policy/WAF policies
- iRule
Answer
- How can Silverline set up a CORS policy and add to the security?
- To strengthen the cross-origin sharing feature, Silverline can block requests whose Origin header names a site that is not allowed/expected by your backend application/server
- An iRule could be implemented to either
- Build a report on the sites being referenced, to generate a list of 'Origin' sites, in transparent mode (log only, no blocking)
We recommend setting up Log Export to export the iRule logs
- Or, if you already know the allowed origins, proceed to block requests from 'Origin' sites that are not allowed
- iRule example

    when HTTP_REQUEST priority 350 {
        # check if origin header exists
        if { [HTTP::header exists "origin"] } {
            # check if the header value is an exact (case-insensitive) match for an entry in the allow_origin_header data group
            if { !([class match -- [string tolower [HTTP::header values "origin"]] equals [call ag_info0::datatable_name allow_origin_header]]) } {
                # If origin header doesn't match, log and block
                set agl [call ag_log0::open -rulename block_on_origin_header -rulever 1]
                call ag_log0::http_kvp $agl INFO action "Blocking request based on origin header" Origin_header [HTTP::header values "origin"]
                # The following two lines can be removed/commented out for Transparent mode (log only)
                HTTP::respond 403 content "<html><head><title>Error</title></head><body>The requested service cannot be accessed at this time</body></html>" noserver Connection close
                TCP::close
            }
        }
    }

As with all iRules, ensure that there are no other iRules (enabled on the same proxy) that use the same priority, as this can cause errors or unintended behaviors
- In addition, cross-origin requests that are not "simple" (for example custom headers, a JSON content type, or methods other than GET/HEAD/POST) are preceded by a preflight request, which uses the OPTIONS method
- If a WAF policy is enabled on the proxy, please consider also requesting the SOC to allow the OPTIONS method; if the preflight is blocked, the browser never sends the actual request
- As the Origin header is required for cross-origin requests, the Silverline WAF policy can set a mandatory header requirement to ensure that all HTTP requests contain an Origin header
- Otherwise, a violation under the "Mandatory Header is missing" category would be raised to alert on/block the request
- Note that browsers do not send an Origin header on same-origin GET/HEAD navigations, and non-browser clients may not send one at all, so only apply this requirement to a proxy or URL path that is consumed exclusively cross-origin (for example an API on a sub-domain)
- Other header enforcement can also be configured
- Configuring HTTP Headers
- It may also be necessary for the WAF policy blocking response page to return an "Access-Control-Allow-Origin" header with a valid value (the allowed origin that sent the request); without it the browser refuses to expose the 403 response to the calling page, so the blocking page cannot be read or displayed by the front-end application
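The following is an added example written for this article, not code from the original page and not F5/Silverline code: a plain-Python model of the decisions described in the answer above, so the logic can be tested before it is put into an iRule or WAF policy. It covers the exact-match origin allow list the iRule performs (beside the substring-style check it must not be replaced with), the response headers an allowed origin should receive, the OPTIONS preflight, the optional mandatory-Origin-header rule with the caveat above, and a WAF blocking page that still carries Access-Control-Allow-Origin. The allow list, the request dictionaries and the `waf_violation` flag are constructed sample data and assumptions for this example.

```python
# Added example for this article (not F5/Silverline code): a plain-Python model
# of the origin allow-list and CORS response decisions described above.
# Allow list, requests and the waf_violation flag are constructed sample data.
from urllib.parse import urlsplit

# Equivalent of the `allow_origin_header` data group in the iRule (constructed).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
DEFAULT_PORTS = {"http": 80, "https": 443}
BLOCK_PAGE = ("<html><head><title>Error</title></head><body>"
              "The requested service cannot be accessed at this time</body></html>")


def normalize_origin(origin):
    """Canonical scheme://host[:port] in lower case, or None if the value is
    not a bare origin.  'null' (sandboxed iframe, file://) is never allowed."""
    if not origin or origin.strip().lower() == "null":
        return None
    parts = urlsplit(origin.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An Origin never carries a path, query, fragment or userinfo; reject them.
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port
    except ValueError:          # e.g. "https://host:abc"
        return None
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{parts.hostname}"
    return f"{scheme}://{parts.hostname}:{port}"


_ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def origin_allowed(origin):
    """Exact match against the normalized allow list, the same semantics as
    `class match ... equals` in the iRule."""
    norm = normalize_origin(origin)
    return norm is not None and norm in _ALLOWED


def origin_allowed_weak(origin):
    """What NOT to do: a substring check.  'https://evil-example.com' and
    'https://app.example.com.evil.net' both pass a check like this."""
    return "example.com" in origin


def cors_headers(origin, credentials):
    """Headers for an allowed origin.  Access-Control-Allow-Origin holds exactly
    one origin (never a list): it is echoed back, and 'Vary: Origin' is set so a
    cache cannot replay one origin's headers to another.  With credentials the
    value must be the real origin, never '*'."""
    headers = {"Access-Control-Allow-Origin": normalize_origin(origin), "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def handle_request(request, credentials=True, require_origin=False):
    """Return (status, headers, body) for a request dict {"method", "headers"}.

    No Origin header: pass through (same-origin GET/HEAD navigations and
    non-browser clients do not send one), unless require_origin models the
    WAF 'Mandatory Header is missing' rule.  Unknown Origin: 403 block page
    with no CORS headers.  Allowed Origin: CORS headers; an OPTIONS preflight
    is answered with 204, and a WAF block (constructed waf_violation flag)
    still returns Access-Control-Allow-Origin so the calling page can read it."""
    hdrs = {k.lower(): v for k, v in request["headers"].items()}
    origin = hdrs.get("origin")
    if origin is None:
        if require_origin:
            return 403, {"Connection": "close"}, "Mandatory Header is missing"
        return 200, {}, "pass-through"
    if not origin_allowed(origin):
        return 403, {"Connection": "close"}, BLOCK_PAGE
    cors = cors_headers(origin, credentials)
    if request["method"] == "OPTIONS" and "access-control-request-method" in hdrs:
        cors.update({"Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
                     "Access-Control-Allow-Headers": "Content-Type, Authorization",
                     "Access-Control-Max-Age": "600"})
        return 204, cors, ""
    if request.get("waf_violation"):
        return 403, cors, BLOCK_PAGE
    return 200, cors, "ok"


if __name__ == "__main__":
    # Constructed sample requests: a legitimate preflight and a rogue origin.
    preflight = {"method": "OPTIONS", "headers": {"Origin": "https://app.example.com",
                                                  "Access-Control-Request-Method": "PUT"}}
    rogue = {"method": "GET", "headers": {"Origin": "https://evil-example.com"}}
    for req in (preflight, rogue):
        print(req["headers"]["Origin"], "->", handle_request(req)[:2])
```

The data-group lookup in the iRule is an exact match after lower-casing, which is what `origin_allowed` reproduces; `origin_allowed_weak` is included only to show why a substring or suffix check must not be used when building the allow list from the transparent-mode report.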