Web Security-HTTP headers · April 14, 2020


Anyone with a little experience in web development or web security has heard of CORS (Cross-Origin Resource Sharing). It is the most fundamental security header setup these days and is intended to restrict or allow resource sharing across different domains.

A web page includes various resources such as JavaScript, stylesheets, images and so on. These resources are loaded through a defined URI path, which can belong to your own domain or to a different domain if you are using a resource hosted elsewhere. This feature has both pros and cons. The advantage is that web developers do not need to copy the resources into their site for every page, and a more involved example is that it also helps with configuring a CDN. The downside is that anyone can include and attach a resource from your website in their own website, thus using the image, diagram, etc. without your permission.

Browsers by default block cross-origin access to other sites. To enable access to the required sites, CORS must be configured through a set of HTTP headers. It pays to configure these properly so that the website does not break or load only partially.

NOTE: This security measure applies to both normal web browsing and API-based HTTP requests. In this article we will discuss only the basics of this mechanism and its directives. For how it actually works, I will create a new article.

Header list and their configurations:

HTTP response headers: These are configured on the web server where the resources reside.

Access-Control-Allow-Origin: This header lists the origin(s) from which access to the resource is allowed.

Access-Control-Expose-Headers: This header allows the browser (i.e. the requesting script) to read the listed response headers.

Access-Control-Max-Age: Cache timeout, in seconds, for the access-control result returned by the resource web server.

Access-Control-Allow-Credentials: This header tells whether the resource may be accessed when the request's credentials flag is set. This is helpful when we want resources to be inaccessible without user authentication.

Access-Control-Allow-Methods: Which HTTP request methods may be used when asking for the resource.

Access-Control-Allow-Headers: Which HTTP request headers may be used when asking for the resource.

HTTP request headers: These are configured on the web server from which the resources are being requested.

Origin: The origin of the requester; this is the value that must be included in Access-Control-Allow-Origin on the resource side.

Access-Control-Request-Method: Which HTTP method will be used to request the resource. Goes hand in hand with Access-Control-Allow-Methods on the resource web server.

Access-Control-Request-Headers: Which headers will be used to request the resource. Goes hand in hand with Access-Control-Allow-Headers on the resource web server.
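As an added example (not from the original post), here is the decision logic a resource web server can apply with the headers above, in JavaScript; the policy values (origins, methods, headers, max-age) are constructed assumptions. One caveat worth noting: Access-Control-Allow-Origin carries a single origin or "*", so a server that allows several origins must echo the one that matched and add Vary: Origin, and "*" cannot be combined with credentials.

```javascript
// Added example, not the original post's code. Policy values are illustrative assumptions.
const policy = {
  allowedOrigins: new Set(["https://app.example.com", "https://admin.example.com"]),
  allowedMethods: ["GET", "POST", "PUT"],
  allowedHeaders: ["content-type", "authorization"],
  exposeHeaders: ["X-Request-Id"],
  allowCredentials: true,
  maxAgeSeconds: 600,
};

// Compute the Access-Control-* response headers for one request.
// `req` is { method, headers } with lower-case header names (constructed input shape).
// Returns null when the request is not allowed: send no CORS headers at all,
// so the browser blocks the cross-origin read rather than the server guessing.
function corsHeaders(req, pol) {
  const origin = req.headers["origin"];
  if (!origin || !pol.allowedOrigins.has(origin)) return null;

  // Allow-Origin holds exactly one origin (or "*"): echo the matching one and
  // add Vary so a shared cache never serves this answer to a different origin.
  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  // Browsers reject "*" together with credentials; a concrete origin is required.
  if (pol.allowCredentials) out["Access-Control-Allow-Credentials"] = "true";

  const reqMethod = req.headers["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && reqMethod !== undefined;
  if (!isPreflight) {
    // Actual request: only say which response headers the script may read.
    if (pol.exposeHeaders.length) out["Access-Control-Expose-Headers"] = pol.exposeHeaders.join(", ");
    return out;
  }

  // Preflight: the requested method and every requested header must be allowlisted.
  if (!pol.allowedMethods.includes(reqMethod.toUpperCase())) return null;
  const reqHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!reqHeaders.every((h) => pol.allowedHeaders.includes(h))) return null;

  out["Access-Control-Allow-Methods"] = pol.allowedMethods.join(", ");
  out["Access-Control-Allow-Headers"] = pol.allowedHeaders.join(", ");
  out["Access-Control-Max-Age"] = String(pol.maxAgeSeconds);
  return out;
}
```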