CORS security with mobile apps

api cordova mobile cors hybrid-mobile-app
Vincent Wasteels picture Vincent Wasteels · Feb 7, 2017 · Viewed 33.3k times · Source

We need to keep our API server security with CORS restriction : 

Access-Control-Allow-Origin : http://myonlinesite.com

But we also needs this API to be accessible for our mobile apps (Android+iOs).

All the solutions I found tell me to allow all origin : * , but this would be a big security failure for our API.

We are building our apps with Cordova, which WebView serves local files and therefore sends : origin: null , for all its http(s) requests. So we are thinking about adding null to the allowed origin. It's better, since it will block every other website attempting to fetch our API, but it will allow any mobile apps to fetch it...

Is there any more interesting solution for this ?

Thank you!

Answer

sideshowbarker picture sideshowbarker · Feb 7, 2017

So we are thinking about adding null to the allowed origin. It's better, since it will block every other website attempting to fetch our API, but it will allow any mobile apps to fetch it...

Well if you do that then you’re allowing requests from JavaScript code that runs from any non-http/https origin—that includes anybody running anything from a file:// or even data: URL.

So if you are using a restrictive CORS policy for “security” reasons then sending responses with an Access-Control-Allow-Origin: null header sounds like a pretty bad idea.

We need to keep our API server security with CORS restriction : All the solutions I found tell me to allow all origin : *, but this would be a big security failure for our API.

You don’t explain why you’ve determined it would be a security failure or why you need to have a restrictive CORS policy at all. But unless (1) your Web server is running in an intranet or behind some other kind of firewall, and (2) access to the resources is otherwise restricted only by IP auth, then you don’t gain anything from using a restrictive CORS policy. To quote the spec:

Basic safe CORS protocol setup

For resources where data is protected through IP authentication or a firewall (unfortunately relatively common still), using the CORS protocol is unsafe. (This is the reason why the CORS protocol had to be invented.)

However, otherwise using the following header is safe:

Access-Control-Allow-Origin: *

Even if a resource exposes additional information based on cookie or HTTP authentication, using the above header will not reveal it. It will share the resource with APIs such as XMLHttpRequest, much like it is already shared with curl and wget.

Thus in other words, if a resource cannot be accessed from a random device connected to the web using curl and wget the aforementioned header is not to be included. If it can be accessed however, it is perfectly fine to do so.

Related questions

In need of an open source text language translation api

I have read other posts related to this but I haven't got anything concrete. I am developing an android app using phonegap which needs some sort of text translation. So I searched google translate api but they are charging price …

Read More
No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API

I'm trying to fetch some data from the REST API of HP Alm. It works pretty well with a small curl script - I get my data. Now doing that with JavaScript, fetch and ES6 (more or less) seems to …

Read More
How do I make calls to a REST API using C#?

This is the code I have so far: using System; using System.Collections.Generic; using System.Linq; using System.Text; using System; using System.Net.Http; using System.Web; using System.Net; using System.IO; namespace ConsoleProgram { public class Class1 { …

Read More