how can I change nginx conf to :
1.restrict the user from sending anything in the body param in curl and respond with an appropriate error
2.restrict the user from sending content-type in the request header in curl and respond with an appropriate error
Related
I'm working on building a web application that communicates with a Laravell API through an Nginx server. I tried following the directions on the Nginx website for wide open cors, but it doesn't like the wild card response when sending credentials.
Access to fetch at 'https://api.***.com/' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '' when the request's credentials mode is 'include'.
The API server requires a Bearer access token to authenticate, and each endpoint is at its own path on the server. What is the correct way to configure Nginx in this scenario?
The error message is right, you can't use a wildcard origin and credentials:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
For requests without credentials, the literal value "*" can be specified, as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials will result in an error.
Instead, just pass back the actual origin, the one that arrived in the Origin HTTP header, then it will always match:
add_header Access-Control-Allow-Origin $http_origin always;
I am trying to use PAW to query an IP Whitelisted HTTP service endpoint. I have a proxy (quotaguard) that I've whitelisted. Now I would like to use this proxy server in PAW but it doesn't work. I have set the Proxy Settings in PAW's configuration dialog to this URL (which I got from quotaguard and which works with curl and export HTTP_PROXY):
http://:#static.quotaguard.com
Now when I activate this custom proxy in PAW, all my requests fail with a "PAW can't find this server" error.
What am I doing wrong?
Set a Proxy-Authorization header with value of:
Basic xxxx -> where xxxx is a base64 encoded string of username:password from quotaguard
The url is just the url portion minus the username and password.
Example: static.quotaguard.com:8000
I'm using VueJS with vue-request for http requests. I'm trying to subscribe an user to a Mailchimp list but Mailchimp uses BasicAuth, so I'm doing as such:
scope.$http.post('https://us15.api.mailchimp.com/3.0/lists/listid/members',
{...mydata...}, {headers: {Authorization: 'Basic myencodedAPIkey'}})
But I get an error from the API: 401 Unauthorized - Your request did not include an API key.
So I check the Network log on Chrome and the Authorization is on my headers like this: **Access-Control-Request-Headers: authorization** but it should be like **Authorization: myencodedAPIkey**
On the Console the error appears as:
XMLHttpRequest cannot load
https://us15.api.mailchimp.com/3.0/lists/listid/members. Response
to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://127.0.0.1:8000' is therefore not allowed
access. The response had HTTP status code 401.
When I use Postman it works just fine as the header is correctly sent.
This problem seems to have been solved here with setting the header on every request
https://laracasts.com/discuss/channels/vue/how-to-solve-the-allow-control-allow-cross-in-the-vuejs-header-request-setting?page=2
and here through setting it once
Vue-Request not sending Authorization Header
You are getting CORS error, when you are trying to request from one host to another, and the 'another' part does not allow it to happen. To prevent this error you can use webpack proxy configuration, so this way you do not have cross origin request, but I don't know how you will deal with this in production environment if your api does not allow cross origin requests.
In a project I'm working on, our devServer configuration is as follow
proxy: {
'/api': {
target: 'http://localhost:8080/'
}
},
with this, any request happening on /api/any/url will be redirect to localhost:8080/api/any/url
I use the next link in order to send chunking files with plupload.
I change the url parameter in order to send the request to my localhost:
url: "./upload.cfm", was changes to url: "localhost/upload"
As I see, the request is sent, but with request methods: OPTIONS.
Why it happens and how I can change it to POST?
Since you are now making a cross-origin HTTP request, you are triggering a preflight request in which the browser asks the destination server if your website is allowed to ask browsers to make POST requests to the destination server.
Either configure the destination server to respond to the OPTIONS request with a response granting permissions (after getting that response the browser will make the POST request), or continue to make requests with XHR only to the same origin.
We have a service that redirects the user to an object in an S3 bucket. The authentication for that request is stored in the query portion of the URL.
I understand that the spec doesn't specify what is to be done with request headers in the case of a redirect, but implementations I've seen will strip the Authorization header when HTTP Basic is used.
What's interesting is that when we call our service through HTTP Basic authentication, it works fine. The client strips the Authorization header from the request and the file is delivered from S3.
But when we call our service using OAuth bearer tokens the Authorization header is left in for the redirect, causing S3 to return a 400 error response.
Is there a way for the server's redirect response to instruct the client to strip the Authorization header before accessing the response's Location header?