I finished my Angular project.
In my project I send POST requests with data to PHP files, and then get result from them back to Angular.
Now I want to allow requests only from the origin domain, and deny any request from any othe domain.
I try to use:
header("Access-Control-Allow-Origin: example.com");
but it does not work. And I don't want to use $_SERVER['HTTP_REFFER'] because it can manipulated.
I also tried to use .HTACCESS but I don't know how to implement that. I tried something like that:
order deny, allow
deny from all
allow from mydomain.com
but it does not work.
My project already has the following .HTACCESS file:
RewriteEngine On
# If an existing asset or directory is requested go to it as it is
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f [OR]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d
RewriteRule ^ - [L]
# If the requested resource doesn't exist, use index.html
RewriteRule ^ /index.html
taken from here: https://angular.io/guide/deployment#routed-apps-must-fallback-to-indexhtml
What can I do?
Thanks.
Short answer :
header("Access-Control-Allow-Origin: *");
Is the minimum that should work (on your server side), but you may need to add two additional headers like:
header("Access-Control-Allow-Methods: POST, GET, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type");
Like any header() call, be sure to perform those BEFORE any output.
Long answer:
CORS allow, with a relative security, to perform cross origin queries, depending on a pre-flight request OPTIONS to check what's allowed and what's not.
Access-Control-Allow-Origin sets which origins (domains) are allowed. You may want to use only your trusted domains.
Access-Control-Allow-Methods sets which methods are allowed. Usually, a lot of those.
Access-Control-Allow-Headers sets which optional (and customized) headers are allowed. Usually, you want to include any non-standard headers on top of Content-type.
CORS is incredibly well documented here : https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Related
I am trying to send some requests from my angular app to my local xampp server, but the requests are blocked due to CORS Policy.
I have already added following line to the httpd.conf file:
Header set Access-Control-Allow-Origin *
I have also added an .htaccess file to my htdocs folder with following content:
Header set Access-Control-Allow-Origin *
I have also added this to my php file:header("Access-Control-Allow-Origin: *"); but this had no impact as well.
My angular app runs on localhost:4200 and the xampp runs on localhost:80
I know allowing every origin is a great security issue, but it is only for testing purpose.
I think you need a few more headers from your server side, namely Access-Control-Allow-Methods and Access-Control-Allow-Headers.
header("Access-Control-Allow-Origin: http://localhost:4200");
header("Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS");
header("Access-Control-Allow-Headers:*");
Try modifying your http.conf like this
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
Here is my code for .htaccess and the photo doesn't get the post.php? url params. I expected that when they visit the parameter-less site, mysite.com/gallery/photo/ to be redirected to mysite.com/gallery.
These are all tested with https://
RewriteEngine on
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
Header set Access-Control-Allow-Headers "Content-Type, Authorization"
RewriteRule ^photo$ https://www.example.com/gallery/ [R=301,L]
AND trying this
RewriteRule ^photo$ https://www.example.com/gallery/ [NC,L]
I then try to shorten the testing to just the /gallery/photo/
It could take me 10 hours or trying every combination of .htaccess but I rather just know why my server will crash based on a quasi subset of parameters at the top. Is this because of a PHP or apache issue? Do people know how I can use a standardized set to redirect the user, and then finally use this subset?
I initially started using htaccess from a udemy course FYI
The resulting user should be
RewriteRule ^photo/([-\w]+)/([-\w]+)$ https://www.example.com/gallery/post.php?id=$1&url=$2 [R=301,L]
I have a sever with Linux and Apache latest version. I noticed that if I send a POST with data to any address on the site this is accepted even if there is not a specific PHP script that can handle it. I think it's normal. But how can I prevent this? I know that some sites (Ebay) complete the post before returning an error (imagine if the post includes a large file, server bandwidth consumption is guaranteed).
How can you prevent a POST from running upstream of a php script or any other script? Do you have to work on the Apache server or in the .htaccess?
You would have to block the request before it reaches PHP. I'm not sure about the header() method, but restricting access from .htaccess seems a safer option.
RewriteCond %{REQUEST_METHOD} POST
RewriteRule .* – [F,L]
I'm not sure but I think your should set your response headers to tell your browser what your end point accepts...
header('Access-Control-Allow-Methods', 'GET, PUT, DELETE, PATCH, OPTIONS'); // just exclude the POST method
I'm just spit balling, I had gotten this from the CORS specifications.If it doesn't work then it's probably because this header has to be in response to an OPTIONS request instead.
If this does work, please tell me.
It's the very famous browser error. I know it has been discussed a lot but I've noticed is a very generic error so I want to present my problem.
I am making simple requests (get,post) on a server where I have access. My browsers (chrome, firefox) give me Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at url (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'null'). error.
When I use some of (hacking)plugins I get the responses fine.
What I've tried is to add on my back-end (on server):
header('Access-Control-Allow-Origin: *');
in index.php file with no luck. Any other ideas ?
Try adding
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, GET, POST");
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
I have solved this issue.
In your config.php add www pre in your domain.com
exa.
// HTTP
define('HTTP_SERVER', 'http://domain name with www/');
// HTTPS
define('HTTPS_SERVER', 'http://domain name with www/');
Add you htaccess file
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
There are several ways to do this. One way is the javascript way, which requires a callback and one example can be found here: Loading cross domain html page with AJAX
Another way is to utilize PHP's curl functionality. Of course there are many ways to do this, but one method that works well for me is to:
Create a standalone php page (can call it "fetch.php" if you
like) that has 1 job. That job is to make a curl request to a given
URL (your cross-domain url in this case) and echo the data that it
gets from the remote site.
Change the AJAX URL from the cross-domain
URL to the name of file created in previous step.
AJAX then knows
it's making an HTTP request to a location inside its current domain even though it's getting its data from a cross-domain location.
Hope this helps,
Adam
You can whitelist the blocked URL like:
script-src 'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'
I tried adding a chrome plugin "Allow-Control-Allow-Origin" after several tries with server side changes. Everything worked fine.
Sometimes when I submit ajax requests I get this error
XMLHttpRequest cannot load http://www.mysite.com/go/submit. Origin http://mysite.com is not allowed by Access-Control-Allow-Origin.
Here are solutions I thought about:
* Add the allow origin rule everywhere?
* Write .htaccess to always redirect to full url
* Use this method http://james.padolsey.com/javascript/cross-domain-requests-with-jquery/
How should I fix this problem?
The same origin policy means you cannot analyze data (json, html, image, etc.) that are coming from another "origin" (domain, port) than yours.
Note that
The term "origin" is defined using the domain name, application layer
protocol, and (in most browsers) port number of the HTML document
running the script
A solution is to set, on the server serving the other data, CORS headers explicitly allowing the access :
Access-Control-Allow-Origin: *
So you must have control of the server serving the data you embed as soon as you're not just displaying them.
A somewhat indirect solution is to let the browser think there is only one origin, by putting on your server a proxy. On apache you don't need .htaccess but mod_proxy. If you want to install such a proxy, you may be interested by this SO question (in fact you'd probably be more interested by the answer which helped me set such a proxy on one of my servers).
If your only problem is people typing mysite.com instead of www.mysite.com and you have only one server, you may simply use .htaccess to rewrite the URL :
RewriteEngine On
RewriteCond %{HTTP_HOST} ^mysite\.com$ [NC]
RewriteRule ^(.*)$ http://www.mysite.com/$1 [L,R=301]