I'm trying to set up an nginx reverse proxy to a web product I can't modify (it's an appliance).

Client --> https://myapp.com --> nginx --> https://10.1.5.9

I managed to do so, but it required stripping the "Origin" and "Referer" headers from the client request because the webserver won't accept authentications if those headers aren't https://10.1.5.9 (and the client browser automatically sets them to https://myapp.com).

I don't fully understand CORS and the "Origin" header. Is it a bad idea to strip this header from client requests? Could it expose my app to security vulnerabilities?

  • Do I understand it correctly that the app complains if these headers are something else `https://10.1.5.9` but it is fine with these headers completely stripped? – Steffen Ullrich Mar 29 '21 at 14:52
  • @SteffenUllrich this is correct. The authentication page (POST with basic auth headers) returns 401 when the Origin and Referer headers are set to something else than the IP of the host. It works when I strip those completely with `proxy_set_header Origin "";` and `proxy_set_header Referer "";` – AoA Mar 29 '21 at 15:26
  • This looks like a failed attempt to prevent cross-site requests by checking Origin/Referer then. If this is the only cross-site request protection then the application might be insecure already. It might be better that you check inside nginx that either Origin or Referer are set (i.e. at least one non-empty) and have the expected value of `https://myapp.com/...` and deny every other request before you strip the header. – Steffen Ullrich Mar 29 '21 at 16:17
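The check Steffen Ullrich suggests, written out as an nginx configuration. This is an added example and not the asker's configuration or anything from the appliance vendor; it assumes the public name `myapp.com` and the upstream `https://10.1.5.9` from the question, and the certificate paths are placeholders. The idea is to keep the appliance's own cross-site check alive at the proxy: a state-changing request is forwarded only if its Origin, or failing that its Referer, names `https://myapp.com`; only then are the headers stripped so the appliance accepts the request.

```nginx
# Added example: validate Origin/Referer at the proxy before stripping them.
# Assumes myapp.com fronts the appliance at https://10.1.5.9 (from the question).

# Origin is either absent (""), exactly our own origin, or something else.
map $http_origin $origin_ok {
    default              0;   # present but not ours: reject
    ""                   1;   # absent: fall back to Referer
    "https://myapp.com"  1;
}

# Referer carries a full URL; accept only URLs under https://myapp.com/
map $http_referer $referer_ok {
    default                       0;
    ""                            1;
    "~^https://myapp\.com(/|$)"   1;
}

# Steffen's "at least one non-empty" condition.
map "$http_origin$http_referer" $both_absent {
    default 0;
    ""      1;
}

# Navigations (GET/HEAD) legitimately arrive with no Origin and often no
# Referer, so the check is applied only to state-changing methods.
map $request_method $unsafe_method {
    default  1;
    GET      0;
    HEAD     0;
    OPTIONS  0;
}

# Combine: allow safe methods, or unsafe methods whose headers all check out.
map "$unsafe_method$origin_ok$referer_ok$both_absent" $deny_request {
    default  1;
    "~^0"    0;   # GET/HEAD/OPTIONS
    "1110"   0;   # unsafe method, Origin ok, Referer ok, not both absent
}

server {
    listen 443 ssl;
    server_name myapp.com;
    ssl_certificate     /etc/nginx/certs/myapp.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/myapp.com.key;   # placeholder path

    location / {
        # Weak version from the question: the two proxy_set_header lines alone,
        # which forward every request regardless of where it came from.
        # Hardened version: refuse first, strip second.
        if ($deny_request) {
            return 403;
        }
        proxy_pass https://10.1.5.9;
        proxy_set_header Origin "";
        proxy_set_header Referer "";
    }
}
```

Two caveats. Browsers and referrer policies may omit or shorten Referer, so a deployment should be tested with the appliance's real forms before the rule goes live; Origin is the more reliable of the two for POST requests. And the proxy check only restores the level of protection the appliance was trying to provide with its header comparison; as the comment above notes, if that comparison is the appliance's only cross-site request defence, the application remains weakly protected against cross-site requests regardless of what the proxy does.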