HAProxy: Setting Up CORS
Assalamualaikum,
It’s been awhile since my last post – quite tight up with business and development – and here we are, just sharing a new thing I learnt – HAProxy.
Currently I have a mobile application need to consume my API (Laravel based) – and I have no problem setting up CORS from Laravel.
But working on a bit scale up infrastructure, and in HA architecture, need to setup CORS on load balancer, which is HAProxy.
Following are the minimal setup to make API working with HAProxy.
To be honest, I’m not sure if this really does what it is supposed to do. It obviously is syntactically correct, but basically you allow the client to set the “Origin” to whatever value, and accept it without any checks. What should that be good for? You could just set Access-“Control-Allow-Origin” to “*” and had the same effect, just much simpler. The “Allow” headers are not required at all, since they just allow everything. They only make sense if you want to limit what is allowed.
To really have an effect, you would need to verify that the content of “Origin” is something that your indeed want to accept, not just that it’s there. Or am I missing something?
if you’re consume from mobile apps, you will absolutely to allow from all origin.
p/s: correct me if i’m wrong.
The HTTP request could be lying about its origin so it is not really a security mechanism. It is useful for cutting down on some bandwidth from obviously third party URL’s.
As for allowing everything that may be necessary for the authors purposes?
As for now, I just need to allow everything. It’s a good idea to filter the party URL’s. Will look into it.