AWS Cognito and CORS Security Concern

六月ゝ 毕业季﹏ submitted on 2020-02-03 02:11:34

Question


I have a web client making requests to AWS Lambda via the AWS API Gateway. I'm using AWS Cognito, alongside Auth0, to authenticate users.

My question is related to the CORS response headers from the AWS API Gateway endpoint, specifically the Access-Control-Allow-Origin response header that is set to the wildcard '*'. This article indicates the risks of using the '*' parameter, namely that a 'hacker can coopt our site to request any method' on our back-end: (CORS Security link).

While Cognito's authentication may prove that the end user making the request is who he says he is, Cognito's authentication does not necessarily prove that the website that is making the request on behalf of the user is mywebsite.com rather than attacker.com.

Does Cognito guarantee that the request is coming from mywebsite.com?

Is there a secure way to implement the '*' Access-Control-Allow-Origin response header?


Answer 1:


Does Cognito guarantee that the request is coming from mywebsite.com?

No. Cognito is agnostic of your domain. All it cares about is user authentication/management.

Is there a secure way to implement the '*' Access-Control-Allow-Origin response header?

Well, yes and no. As you said in your post, Cognito will authenticate the user. So that means with Access-Control-Allow-Origin '*' set, any domain is allowed to make a cross-origin request, but if they can't provide a valid authentication token, then they get a 401 error back.

If you want to limit which domains have access, then you can't use '*'. '*' is a wildcard and hence allows any value. So if you'd instead like to only have mywebsite.com be able to make a CORS request, then replace the '*' with 'mywebsite.com'. This makes it so only requests from that domain are allowed. Requests from attacker.com will now fail because they won't have the proper headers.

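The following is an added example illustrating the answer above; it is not code from the original post or from AWS. It is a Lambda proxy-style handler for an API Gateway route that returns Access-Control-Allow-Origin only for an explicit allowlist of origins instead of '*'. The allowlist, the event shape and the route names are assumptions made for the illustration. Two details worth noting beyond the answer: the header value must be a full origin (scheme plus host, and port if any) that matches the browser's Origin request header exactly, so a bare 'mywebsite.com' never matches; and the signature check of the Cognito JWT is assumed to be done by an API Gateway Cognito authorizer before the handler runs, so the handler only checks that a bearer token is present, which is enough to show the 401 path the answer describes.

```javascript
// Added example for the answer above; not code from the original post.
// Lambda proxy-style handler that answers CORS with an explicit origin
// allowlist instead of "*". The allowlist, event shape and route names are
// assumptions made for this illustration.

// Origins that may call this API from a browser. Values are full origins
// (scheme + host [+ port]); a bare "mywebsite.com" would never match the
// browser's Origin request header.
const ALLOWED_ORIGINS = new Set([
  "https://mywebsite.com",
  "https://www.mywebsite.com",
]);

// Case-insensitive header lookup: API Gateway passes headers through with
// whatever casing the client used.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// CORS response headers for one request. Returns {} when Origin is absent
// (same-origin page, curl) or not allowlisted, so a browser refuses to hand
// the response to a page served from, for example, attacker.com.
function corsHeaders(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    // The value now depends on the request, so caches must key on Origin.
    Vary: "Origin",
    "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
    "Access-Control-Allow-Headers": "Authorization,Content-Type",
    "Access-Control-Max-Age": "600",
  };
}

// Synchronous request router, kept separate from the Lambda entry point so
// it can be exercised without the Lambda runtime. Cognito JWT signature
// verification is assumed to happen in an API Gateway Cognito authorizer
// before this code runs; only the presence of a bearer token is checked here.
function route(event) {
  const cors = corsHeaders(getHeader(event.headers, "origin"));

  if (event.httpMethod === "OPTIONS") {
    // Preflight: browsers send no Authorization header here, so do not
    // demand one; the CORS headers are the whole response.
    return { statusCode: 204, headers: cors, body: "" };
  }

  const auth = getHeader(event.headers, "authorization") || "";
  if (!auth.startsWith("Bearer ")) {
    // CORS headers are still attached so the allowlisted page can read
    // the error instead of seeing an opaque network failure.
    return {
      statusCode: 401,
      headers: cors,
      body: JSON.stringify({ message: "Unauthorized" }),
    };
  }

  return {
    statusCode: 200,
    headers: cors,
    body: JSON.stringify({ message: "hello from Lambda" }),
  };
}

// Lambda proxy integration entry point.
const handler = async (event) => route(event);
```

Note what the allowlist does and does not do: a request from attacker.com that carries a valid token still gets a 200 from the server, because CORS only controls what a browser lets a page read, not what reaches the backend; the bearer token remains the real access control, and a non-browser client ignores CORS entirely. What makes the '*' case in the answer tolerable in this architecture is that the Cognito token travels in the Authorization header rather than in a cookie, so a page on attacker.com has no ambient credential of the victim to forward. The allowlist still matters for the "yes and no" the answer gives: it removes the wildcard that would let any page read responses if the token ever did leak into the browser's ambient state, and browsers refuse '*' outright for credentialed requests.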


Source: https://stackoverflow.com/questions/48140465/aws-cognito-and-cors-security-concern
