
Addressing CORS Vulnerability for OnTrack Application (Documentation)#23

Merged

aNebula merged 2 commits into thoth-tech:main from epineto:owasp10/cors-security-patch-fix-documentation on Dec 21, 2024

Conversation

@epineto
Contributor

@epineto epineto commented Dec 10, 2024

Title: "Remediation: Addressing CORS Vulnerability for OnTrack Application"


Summary:
This PR addresses a Cross-Origin Resource Sharing (CORS) vulnerability in the OnTrack application caused by the use of the Access-Control-Allow-Origin: * header. The current configuration poses significant security risks by allowing unrestricted cross-origin access.


Impacts:

  • Unauthorized Access:
    Any website can interact with the API, potentially leading to data leakage or abuse.
  • Increased Attack Surface:
    Vulnerable to cross-origin attacks and other malicious activities.
  • Compliance Risks:
    Violates security and privacy standards.

Remediation:

  • Preferred Option: Restrict Access-Control-Allow-Origin:
    • Implement a restrictive CORS policy using the DF_ALLOWED_ORIGINS environment variable for flexibility.
    • Update backend configurations in:
      • Docker: /doubtfire-api/docker-compose.yml
      • Rails: /doubtfire-api/config/application.rb

Configuration Updates:

  1. Docker:

    • Add the following environment variable:
      DF_ALLOWED_ORIGINS: "http://localhost:4200,https://example.com"
    • Notes:
      • The DF_ALLOWED_ORIGINS variable must reflect the exact URLs where the OnTrack app will be accessed (e.g., production, staging, or development environments).
      • Failure to update this variable correctly will result in inaccessibility for valid clients.
  2. Rails:

    • Add middleware configuration in application.rb:
      # Read the allowlist once. ENV.fetch with a default means a missing
      # DF_ALLOWED_ORIGINS yields an empty list instead of raising
      # NoMethodError on nil; strip whitespace and drop empty entries.
      allowed_origins = ENV.fetch('DF_ALLOWED_ORIGINS', '').split(',').map(&:strip).reject(&:empty?)
      config.middleware.insert_before Warden::Manager, Rack::Cors do
        allow do
          # Exact-match origins only; never a wildcard or a regex
          origins allowed_origins
          resource '*', headers: :any, methods: %i[get post put delete options]
        end
      end

Testing Plan:

  1. Functional Testing:
    • Validate that access is successful for allowed origins (e.g., http://localhost:4200).
    • Confirm that access is blocked for unauthorized domains.
  2. Security Testing:
    • Use Postman to simulate requests with custom Origin headers.
  3. Regression Testing:
    • Verify that all endpoints remain functional after the changes.

Postman Validation Steps:

  1. Create a new request in Postman.
  2. Set the method (e.g., GET, POST) and endpoint.
  3. Add a header:
    • Key: Origin
    • Value: http://localhost:4200
  4. Observe the response to confirm behavior for allowed and unauthorized domains.
  5. Save and exit the file.

Expected Outcome:

  • The application restricts cross-origin access to only the specified origins in DF_ALLOWED_ORIGINS.
  • Compliance with security and privacy standards is improved, reducing the risk of unauthorized access and cross-origin attacks.

Reviewer Notes:

  • Ensure that the changes in Docker and Rails configurations align with the production, staging, and development requirements.
  • Verify that the DF_ALLOWED_ORIGINS environment variable is updated appropriately in all environments before deployment.
  • Validate the behavior in local and staging environments before pushing to production.
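The allowlist middleware the PR describes and the Postman checks in its testing plan, as an added illustration that is not code from the PR or from the doubtfire-api repository. It is a self-contained Rack-style middleware (no gems required; the Rack interface is just `call(env)` returning `[status, headers, body]`) that parses a `DF_ALLOWED_ORIGINS` value, answers preflight requests, and emits CORS headers only for an exact allowlist match. The `/api/units` path, the `API_APP` stand-in and the probe origins are constructed for the example.

```ruby
# Added example, not code from the doubtfire-api project: a minimal Rack-style
# CORS middleware that enforces an exact-match origin allowlist read from
# DF_ALLOWED_ORIGINS, shown next to the wildcard policy the PR removes.
# No gems are needed: a Rack middleware is any object that responds to
# call(env) and returns [status, headers, body].

# Parse the comma-separated DF_ALLOWED_ORIGINS value into a clean allowlist.
# Surrounding whitespace is stripped and empty entries dropped, so a value such
# as " http://localhost:4200, https://example.com ," still works; nil yields [].
def parse_allowed_origins(value)
  value.to_s.split(',').map(&:strip).reject(&:empty?)
end

# CORS headers to emit for a given Origin request header, or {} when the
# origin is not allowed. Comparison is exact, so "https://example.com.evil.net"
# and "https://example.com/" do not match "https://example.com".
def cors_headers_for(origin, allowed_origins)
  return {} if origin.nil? || !allowed_origins.include?(origin)

  {
    'Access-Control-Allow-Origin'  => origin, # echo only an allowlisted value
    'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers' => '*',    # counterpart of headers: :any
    'Vary'                         => 'Origin' # caches must key on Origin
  }
end

# The permissive policy the PR replaces, kept here for contrast.
def wildcard_cors_headers
  { 'Access-Control-Allow-Origin' => '*' }
end

class AllowlistCors
  def initialize(app, allowed_origins)
    @app = app
    @allowed = allowed_origins
  end

  def call(env)
    cors = cors_headers_for(env['HTTP_ORIGIN'], @allowed)
    # Preflight is answered here. A disallowed origin gets no CORS headers at
    # all, so the browser refuses to send the actual request.
    return [204, cors, []] if env['REQUEST_METHOD'] == 'OPTIONS'

    status, headers, body = @app.call(env)
    [status, headers.merge(cors), body]
  end
end

# Stand-in for the API (constructed for this example; the path is hypothetical).
API_APP = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"units":[]}']] }

# Build the middleware from the environment variable; a missing variable
# produces an empty allowlist, which blocks every cross-origin caller.
def build_app(env_value = ENV['DF_ALLOWED_ORIGINS'])
  AllowlistCors.new(API_APP, parse_allowed_origins(env_value))
end

# Replays the PR's Postman steps: send a request with a chosen Origin header
# and return [status, response headers].
def simulate(app, origin, method: 'GET')
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/api/units' }
  env['HTTP_ORIGIN'] = origin if origin
  status, headers, = app.call(env)
  [status, headers]
end

if __FILE__ == $PROGRAM_NAME
  app = build_app('http://localhost:4200,https://example.com')
  probes = [
    ['http://localhost:4200', 'allowed origin'],
    ['https://attacker.example', 'unlisted origin'],
    ['https://example.com.evil.net', 'suffix-trick origin'],
    [nil, 'no Origin header (same-origin or curl)']
  ]
  probes.each do |origin, label|
    _, h = simulate(app, origin)
    puts "#{label.ljust(36)} -> ACAO=#{h['Access-Control-Allow-Origin'].inspect}"
  end
end
```

Run the file directly to see the four probes. Two design points carry over to the real Rack::Cors configuration: the allowlist entries are compared as whole strings, so an attacker-controlled host that merely contains or ends with an allowed name is rejected, and the response carries `Vary: Origin` so a shared cache cannot serve a response with one origin's `Access-Control-Allow-Origin` to a different origin. Note that the absence of an `Access-Control-Allow-Origin` header does not stop a non-browser client (Postman, curl) from receiving the body; CORS is enforced by the browser, so the check in the PR's testing plan is whether the header is present, not whether a response comes back.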

@netlify

netlify Bot commented Dec 10, 2024

Deploy Preview for ontrackdocumentation ready!

Name Link
🔨 Latest commit d1d2758
🔍 Latest deploy log https://app.netlify.com/sites/ontrackdocumentation/deploys/6757b05bcb65480008116ccc
😎 Deploy Preview https://deploy-preview-23--ontrackdocumentation.netlify.app

@washyking

This is a good PR; it addresses the CORS security risk. I tested below using Postman and it was successfully blocked. See below.

Sent from correct origin

[Screenshot 2024-12-11 at 12:12:27 pm]

Sent from bad origin

[Screenshot 2024-12-11 at 12:12:53 pm]

Good work.

@epineto
Contributor Author

epineto commented Dec 12, 2024

@washyking , could you please review this PR? Thanks a lot!


@nodogx nodogx left a comment


This pull request documentation addresses the CORS vulnerability. This is done by implementing a flexible and restrictive CORS policy using the DF_ALLOWED_ORIGINS env variable, which ensures security while keeping it configurable. I have also tried the CORS configuration to check that it works, which it does.

The code logic looks really good. I have tried to get the CORS headers for an unauthorised website as well, which it doesn't give, which shows it works as intended :)

Unauthorised Website

[Screenshot 2024-12-13 at 12:37:35 am]

Authorised Website

Headers:

[Screenshot 2024-12-13 at 12:36:02 am]

@aNebula aNebula self-requested a review December 21, 2024 04:58
@aNebula aNebula requested review from aNebula and removed request for aNebula December 21, 2024 04:58
@aNebula aNebula merged commit 01f9633 into thoth-tech:main Dec 21, 2024
Roeenk27 pushed a commit to Roeenk27/doubtfire-astro that referenced this pull request Mar 17, 2026
fix: force npm install in the vscode task
5 participants