
How to whitelist my local app? #306

Closed
cagross opened this issue Jan 9, 2021 · 4 comments

cagross commented Jan 9, 2021

Hello. I have setup a clone of this app and deployed it to Heroku. Your instructions indicate that I should now whitelist only the app that needs to connect to my Heroku cors-anywhere app. As I understand, to do this, I need to set an environmental variable (aka a Heroku config var) with the key CORSANYWHERE_WHITELIST, and a value. But what value should I use, given these details

  • The app is my local app, on localhost:3000.
  • My computer's public IPv4 address is http://AAA.BBB.CCC.DDD.
  • My computer's public IPv6 address is 2001:0db8:0000:0000:0000:8a2e:0370:7334.

I tried http://AAA.BBB.CCC.DDD (with these variations: with/without the port number appended, http/https), but my local app could not access the Heroku app. It was rejected with a 403 Forbidden error, which I guess is expected if the local app is not properly whitelisted by the Heroku app.

If I use the value http://localhost:3000, my local app can then access the Heroku app. But doesn't that mean local apps on port 3000, on any computer, can access my Heroku app? If so, how do I restrict access to only the local app on my computer?

Thanks.

Rob--W added the question label Jan 9, 2021

Rob--W (Owner) commented Jan 9, 2021

If I use the value http://localhost:3000, my local app can then access the Heroku app. But doesn't that mean local apps on port 3000, on any computer, can access my Heroku app?

Yes. CORS Anywhere is a proxy designed to allow web applications in web browsers to access resources from URLs that do not support CORS. Validation is solely based on request headers (Origin, which is automatically added by web browsers, or X-Requested-With, which can only be set by same-origin sources), NOT on source IPs. Anyone with non-browser access to the server can spoof the request headers. That's why the server should not be used to guard (sensitive/restricted) intranet resources.

If so, how do I restrict access to only the local app on my computer?

Generally not. But there may be alternatives. In order, from best to worst:

  • If you have control over the requested destination URLs, add CORS headers to their responses.
  • You could use a browser extension to add CORS headers to requests.
  • Your application being run on localhost could mean that you have control over available applications. You could start CORS Anywhere locally, with HOST=127.0.0.1 (so that the server only responds to local requests) and CORSANYWHERE_WHITELIST=http://localhost:3000 to restrict access.
  • You could add a non-existing host name (or a subdomain that is owned by you) that resolves to 127.0.0.1 to your host file, and access your app through that host file. Note: this DNS entry should not be public, or else others can visit the URL to access localhost (I doubt that someone is willing to go through the efforts of visiting your domain name just to use CORS Anywhere though). This is a bit of security by obscurity, and will only make it a bit harder (but not impossible for determined people) to use your instance of CORS Anywhere.
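The point Rob--W makes above, that the whitelist is matched against the Origin header and never against the client's IP address, is easy to see in a few lines of code. The following is an added JavaScript example, not cors-anywhere's own code: it models the check with a simplified function (parseWhitelist, checkRequest and evaluate are names chosen here, and the whitelist value and sample requests are constructed). Each sample carries a label for the machine it notionally came from, and that label is never given to the check, so two requests with the same Origin get the same answer whichever computer sent them.

```javascript
// Added example (not cors-anywhere's own code): a minimal model of the
// header-based origin check described in the thread. Function names, the
// whitelist value and the sample requests are constructed for illustration.

// Split a CORSANYWHERE_WHITELIST-style value ("a,b,c") into a list of origins.
function parseWhitelist(value) {
  return (value || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Decide whether a proxied request may pass. The only inputs are the request
// headers; nothing about the TCP peer (its IP address) is consulted, which is
// why a whitelist entry identifies a web origin, not a machine.
function checkRequest(headers, whitelist) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = value;
  }
  const origin = h['origin'] || '';
  const viaXhr = Boolean(h['x-requested-with']);

  // Browsers add Origin (and XHR libraries X-Requested-With) automatically;
  // a request carrying neither is refused before the whitelist is consulted.
  if (!origin && !viaXhr) {
    return { status: 400, reason: 'missing Origin or X-Requested-With header' };
  }
  // With a non-empty whitelist, the Origin value must match an entry exactly.
  if (whitelist.length > 0 && !whitelist.includes(origin)) {
    return { status: 403, reason: `origin "${origin}" is not whitelisted` };
  }
  return { status: 200, reason: 'allowed' };
}

// Run several constructed requests through the check. The "from" label says
// which machine the request notionally came from; it is never passed to
// checkRequest, making visible that the outcome depends only on the headers.
function evaluate(whitelist, samples) {
  return samples.map((s) => ({
    from: s.from,
    status: checkRequest(s.headers, whitelist).status,
  }));
}

// Constructed whitelist, matching the value discussed in the thread.
const WHITELIST = parseWhitelist('http://localhost:3000');

// Constructed sample requests.
const SAMPLES = [
  { from: 'browser on my computer', headers: { Origin: 'http://localhost:3000' } },
  { from: 'browser on another computer', headers: { Origin: 'http://localhost:3000' } },
  { from: 'browser on a third-party site', headers: { Origin: 'https://other.example' } },
  { from: 'plain HTTP client, no headers', headers: {} },
];

for (const r of evaluate(WHITELIST, SAMPLES)) {
  console.log(`${r.from.padEnd(32)} -> ${r.status}`);
}
```

The first two samples get 200 and the other two 403 and 400: the check distinguishes origins, not computers. Binding the server to HOST=127.0.0.1, as suggested in the third option above, is what actually limits which machines can reach it; the whitelist then only separates origins on that one machine.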

cagross (Author) commented Jan 9, 2021

OK thanks for that. So it sounds like there is no way—or no easy way—to whitelist only my local app. Would you agree with that? I’m not upset or trying to call you out or anything—I just want to make sure I’m understanding the situation so I can take the next step. This is just a non-critical My First App side project of mine, so I’m mainly interested in learning best practice so I can apply it to future projects.

As far as your four suggestions:

  1. In my case, I unfortunately do not have access to the requested URL.
  2. I could indeed use a browser extension to accomplish what I want. I’ve used it before.
  3. I could try to use the local version of cors-anywhere I have installed.
  4. I didn’t quite understand this option. But let’s leave it as-is for now—I think I can get by without it for now.

Thanks.

Rob--W (Owner) commented Jan 10, 2021

there is no way—or no easy way—to whitelist only my local app. Would you agree with that?

If you want to host the server on the public internet, then it is indeed not possible to whitelist only your "local app", because your local app is indistinguishable from other "local apps" on other computers, because all of these "local apps" have a common origin that's exposed through the Origin request header.

Given your constraints, option 2 sounds like the best option, followed by option 3.

Rob--W closed this as completed Jan 10, 2021

cagross (Author) commented Jan 14, 2021

OK thanks for that explanation--it makes everything clear. I'll go with my browser extension then.
