Replies: 1 comment 2 replies
-
Please provide an example app + curl/wget commands to test it out. NB: CORS is only meant for browsers. Any API request can, and is allowed to, bypass it by not providing the relevant headers etc. You can start off from this snippet:

```go
package main

import (
	"errors"
	"log/slog"
	"net/http"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

func main() {
	e := echo.New()
	e.Use(middleware.Logger())
	// CORS middleware: fill in AllowOrigins etc. to reproduce your setup.
	e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
		// your settings
	}))
	// Minimal handler to observe which requests make it past the middleware.
	e.GET("/", func(c echo.Context) error {
		return c.JSON(http.StatusOK, "ok")
	})
	if err := e.Start(":8082"); err != nil && !errors.Is(err, http.ErrServerClosed) {
		slog.Error("server start ended with error", "err", err)
	}
}
```
-
Even with the default configuration of the echo.CORS middleware, where only the allowed origin has been modified from the default wildcard ("*") to a specific domain, unauthorized cross-origin requests still propagate through the application stack, reaching the data layer. While egress filtering blocks the response, this occurs after data mutations have already been committed, representing an actual security concern.
Please tell me if this is by design.
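The behaviour both comments describe (a request from a disallowed origin still reaching the handler, with only the response headers differing) can be reproduced offline without echo. The following is an added example, not code from the discussion or from the echo project: a stdlib-only middleware `corsHeadersOnly` that mirrors what typical CORS middleware do (set `Access-Control-*` headers, answer preflights, always pass through), beside a stricter `rejectForeignOrigin` variant that refuses a request whose `Origin` is present but not allowed before the handler runs. The `send` helper uses `net/http/httptest` in place of a real curl call; the allowed origin `https://app.example.com`, the foreign origin `https://evil.example`, and the helper names are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigin is the one origin the policy permits (assumed value for
// the example; not taken from the discussion).
const allowedOrigin = "https://app.example.com"

// corsHeadersOnly mirrors what a typical CORS middleware does: it adds the
// Access-Control-* headers when the Origin is on the allowlist, answers
// preflights itself, and otherwise always passes the request through.
// Enforcement is left to the browser, which is why a request from a
// disallowed origin still reaches the handler.
func corsHeadersOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") == allowedOrigin {
			w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
			w.Header().Set("Vary", "Origin")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight never hits the app
			return
		}
		next.ServeHTTP(w, r)
	})
}

// rejectForeignOrigin is the stricter variant a server can add on top of
// the header-only behaviour: a request whose Origin is present but not on
// the allowlist is refused before the handler (and any data mutation)
// runs. It cannot stop a client that omits Origin altogether, which is
// exactly what curl or any non-browser client will do.
func rejectForeignOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" && o != allowedOrigin {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Result records what one request produced.
type Result struct {
	HandlerRan bool   // did the request reach the application handler?
	Status     int    // HTTP status the client saw
	ACAO       string // Access-Control-Allow-Origin header, "" if absent
}

// send drives a middleware-wrapped handler with an in-memory request whose
// Origin header is origin ("" sends no Origin at all, like curl does) and
// reports whether the inner handler ran.
func send(mw func(http.Handler) http.Handler, method, origin string) Result {
	ran := false
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ran = true // a real app would mutate state here
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `"ok"`)
	})
	req := httptest.NewRequest(method, "http://localhost:8082/", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	mw(inner).ServeHTTP(rec, req)
	return Result{ran, rec.Code, rec.Header().Get("Access-Control-Allow-Origin")}
}

func main() {
	cases := []struct {
		name   string
		mw     func(http.Handler) http.Handler
		origin string
	}{
		{"headers-only, allowed origin", corsHeadersOnly, allowedOrigin},
		{"headers-only, foreign origin", corsHeadersOnly, "https://evil.example"},
		{"headers-only, no Origin (curl)", corsHeadersOnly, ""},
		{"reject, foreign origin", rejectForeignOrigin, "https://evil.example"},
		{"reject, no Origin (curl)", rejectForeignOrigin, ""},
	}
	for _, c := range cases {
		fmt.Printf("%-32s -> %+v\n", c.name, send(c.mw, http.MethodPost, c.origin))
	}
}
```

With `corsHeadersOnly`, the foreign-origin POST runs the handler and gets a 200 with no `Access-Control-Allow-Origin`; the browser will hide that response from the page, but the server-side work has already happened. `rejectForeignOrigin` stops that case with a 403 before the handler, yet the no-Origin case still runs, so origin checks are a defence-in-depth measure and not a replacement for authentication, CSRF tokens or SameSite cookies.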