
I have a React-based application which uses RESTful services on a backend distributed on a private network. To communicate with those services using AJAX, the client application sends all of its requests through a proxy gateway. Something like this:

Client communicates with backend via proxy service

My application sends preflight requests (OPTIONS) to check the CORS settings.

When accessing protected resources, the request first goes through an authentication middleware which basically checks the x-access-token header and validates it. It returns 401 if the token is invalid or missing. The problem is that I can't set custom headers in the preflight request, and my authentication middleware blocks it.

The only solution I could find on the internet for it is to check if the request is OPTIONS and, if it is, ignore the authentication middleware and just pass the request through (for both Java/Spring and Node/Express).

Now, passing all OPTIONS requests through smells insecure to me. What should I be aware of? How can I validate that an OPTIONS request is one created by a browser? What security risks exist with this approach?

Kunok

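The "skip auth for OPTIONS" approach from the question, narrowed to real CORS preflights, as an added example (not code from the question, nor from any Spring or Express project): a framework-independent JavaScript routing function that bypasses token authentication only for requests that carry the headers a browser preflight always has (Origin plus Access-Control-Request-Method), answers them with CORS grants only for an allowlisted origin, and still demands x-access-token for everything else, including a bare OPTIONS sent by a non-browser client. ALLOWED_ORIGINS, validateToken(), route() and the sample requests are assumptions constructed for the demo; header names are lowercase because Node's http module lowercases req.headers.

```javascript
// Added example, not code from the question: "skip auth only for real CORS preflights".
// ALLOWED_ORIGINS, validateToken() and route() are assumptions for this demo;
// header names are lowercase because Node's http module lowercases req.headers.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed origin allowlist
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'x-access-token'];

// Stand-in for real token validation (e.g. JWT signature + expiry check).
function validateToken(token) {
  return token === 'demo-valid-token'; // constructed value for the demo
}

// A CORS preflight is an OPTIONS request carrying Origin and
// Access-Control-Request-Method. Browsers never add custom headers such as
// x-access-token to it, so it can never satisfy token authentication.
function isPreflight(req) {
  const h = req.headers;
  return req.method === 'OPTIONS'
    && typeof h.origin === 'string'
    && typeof h['access-control-request-method'] === 'string';
}

// Answer a preflight without touching the token, but grant CORS only to
// allowlisted origins and only for methods/headers we actually accept.
// The response ends here; the request is never passed to application handlers.
function answerPreflight(h) {
  if (!ALLOWED_ORIGINS.has(h.origin)) return { status: 403, headers: {} };
  if (!ALLOWED_METHODS.includes(h['access-control-request-method'].toUpperCase())) {
    return { status: 403, headers: {} };
  }
  const requested = (h['access-control-request-headers'] || '')
    .toLowerCase().split(',').map((s) => s.trim()).filter(Boolean);
  if (!requested.every((name) => ALLOWED_HEADERS.includes(name))) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': h.origin, // reflect only an allowlisted value
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
      'Access-Control-Max-Age': '600',
      Vary: 'Origin',
    },
  };
}

// Decide how a request is handled; returns { status, headers } so it can be
// checked without a server. In Express this would sit as an early middleware.
function route(req) {
  const h = req.headers;
  if (isPreflight(req)) return answerPreflight(h);
  // Everything else, including an OPTIONS request that is NOT a preflight
  // (no Origin / Access-Control-Request-Method), must present a valid token.
  const token = h['x-access-token'];
  if (typeof token !== 'string' || !validateToken(token)) {
    return { status: 401, headers: {} };
  }
  // The actual cross-origin request also needs Allow-Origin on its response.
  const cors = ALLOWED_ORIGINS.has(h.origin)
    ? { 'Access-Control-Allow-Origin': h.origin, Vary: 'Origin' }
    : {};
  return { status: 200, headers: cors };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  preflightFromApp: { method: 'OPTIONS', headers: {
    origin: 'https://app.example.com',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'x-access-token, content-type' } },
  preflightFromOtherSite: { method: 'OPTIONS', headers: {
    origin: 'https://evil.example', 'access-control-request-method': 'POST' } },
  preflightAskingForAuthorization: { method: 'OPTIONS', headers: {
    origin: 'https://app.example.com', 'access-control-request-method': 'GET',
    'access-control-request-headers': 'authorization' } },
  bareOptionsNoToken: { method: 'OPTIONS', headers: {} }, // e.g. curl -X OPTIONS
  getWithValidToken: { method: 'GET', headers: {
    origin: 'https://app.example.com', 'x-access-token': 'demo-valid-token' } },
  getWithBadToken: { method: 'GET', headers: { 'x-access-token': 'nope' } },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name, '->', route(req).status);
}
```

Two points the example is built around. First, the preflight handler terminates the request instead of calling next(), so an unauthenticated OPTIONS never reaches an application handler; a blanket "let every OPTIONS through" does not give that guarantee. Second, a non-browser client can trivially forge Origin and Access-Control-Request-Method, so the bypass cannot prove a browser sent the request; what it can guarantee is that the only thing an unauthenticated caller gets back is the CORS policy, and the protected resource itself is still only served to a request carrying a valid x-access-token.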