Security
Websites should be protected against Cross-Site Request Forgery (CSRF / XSRF) attacks (a.k.a. one-click attacks or session riding), in which an attacker causes the victim's browser to issue unauthorized requests to a site on which that user is currently authenticated.
In an HTTP response, the Access-Control-Allow-Origin header can be set to * to tell the browser a resource can be shared across domains. The specific implementation depends on the type of server platform used. For instance, on an Apache server, to permit images to be shared across sites, the .htaccess file can be edited:
<IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
        # Only image files matched by this pattern are made shareable
        <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
            # Set IS_CORS only when the request carries an Origin header
            # (the ":" matches the scheme separator in any origin value)
            SetEnvIf Origin ":" IS_CORS
            # Allow any origin to read these responses; sent only for CORS requests
            Header set Access-Control-Allow-Origin "*" env=IS_CORS
        </FilesMatch>
    </IfModule>
</IfModule>
To enable access to multiple origins (scheme://domain:port):
<IfModule mod_headers.c>
    # Match the whole Origin value against the allow list and capture it in $0.
    # Dots are escaped and the pattern is anchored at both ends so that only the
    # listed hosts match; note that this pattern also accepts plaintext http origins.
    SetEnvIf Origin "^http(s)?://(www\.)?(domain1\.org|domain2\.com|domain3\.net)$" AccessControlAllowOrigin=$0
    # Echo the matched origin back; no header is sent for origins not on the list
    Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin} env=AccessControlAllowOrigin
    # Credentials (cookies, HTTP auth) may be used only with an explicit origin, never "*",
    # so the allow list above is security-critical
    Header set Access-Control-Allow-Credentials true
</IfModule>
In a PHP script, one can do this to allow cross-site access:
header("Access-Control-Allow-Origin: http://www.website.com");
Do not rely on the Origin header alone. A browser always sends it on CORS requests, but a client outside the browser can set it to any value. Application-level protocols should be used to protect sensitive data.
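The following is an added example, not code from the original page, showing the origin allow-list logic behind the multiple-origin Apache snippet and the caveat above, implemented at the application level: it reproduces the page's SetEnvIf pattern for comparison, then checks the request's Origin against an exact allow list and builds the response headers (echoed origin, Vary: Origin, credentials flag). The allow list and the sample origins are constructed for the example.

```python
"""Origin allow-list check for CORS (added example; ALLOWED_ORIGINS is constructed)."""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Origins that may read the resource, written exactly as browsers send them:
# scheme://host[:port], no path, default ports omitted.
ALLOWED_ORIGINS = {
    "https://domain1.org",
    "https://www.domain1.org",
    "https://domain2.com",
    "https://domain3.net",
}

# The regex from the page's Apache snippet, kept loose on purpose for comparison.
LOOSE_PATTERN = re.compile(r"http(s)?://(www\.)?(domain1.org|domain2.com|domain3.net)$")


def loose_match(origin: str) -> bool:
    """Mirror the page's SetEnvIf pattern: unescaped dots, plaintext http accepted."""
    return LOOSE_PATTERN.search(origin) is not None


def normalize_origin(origin: str) -> Optional[str]:
    """Return the origin as lowercase scheme://host[:port], or None if it is not a bare origin."""
    parts = urlsplit(origin)
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None  # an Origin header never carries a path, query, fragment or userinfo
    default_port = 80 if parts.scheme == "http" else 443
    host = parts.hostname.lower()
    if port in (None, default_port):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(request_origin: Optional[str], with_credentials: bool = True) -> Dict[str, str]:
    """Response headers for this request's Origin; an empty dict means the browser blocks the read."""
    if request_origin is None:
        return {}  # same-origin or non-CORS request: nothing to add
    origin = normalize_origin(request_origin)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}  # unknown origin: send no Access-Control-Allow-Origin at all
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}  # Vary keeps caches from mixing origins
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"  # only ever with an explicit origin, never "*"
    return headers
```

Because the Origin value can be forged by non-browser clients, an allow-listed origin only controls what a browser is permitted to read; it is not an authentication check.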