-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding CORS header 'Access-Control-Allow-Origin' with errors. #112
Comments
Thanks for the report @TafkaMax. We'll check this one soon. |
BTW, do you have an example that works? |
Ok, no worries, let me see what we can do. |
When sending the request that returns 403, it is intercepted by the modsec-crs-docker container. When sending a successful request, the header from the backend app is forwarded. As you can see, my previous attempts to modifying the functionality to add the header, do not work. (The code in the inital post) |
I started playing with this a bit. I don't think we can provide an answer for all cases, but this is what I'm trying:
So it will never add for errors 403.
We probably need to change the build step of the image to include the headers_more module on nginx and alpine. And also make those ☝️ configurable. |
Aha, thanks for the answer. I did not know the add headers were limited and not available to all responses without extra modifications. |
@TafkaMax Do you want to take a chance on this one? |
Currently not. |
Hi
I am using modsecurity-crs:nginx as a proxy for my backend, which is an API.
On a totally different machine, there is a frontend JS application. Modern JS needs to have a CORS header set.
The proxy and API work fine, when everything is OK, but when a rule triggers the CORS header is not added.
Example:
The API allows users to POST data - up to 25MB. Currently the application checks the file size and also the proxy checks it.
When the proxy intercepts a max_body_size (or similar variable) that is larger than allowed it sends a 403 request, that does not include the CORS header. On the other hand the application sets it, when it encounters that denial.
I guess the easy way is for the application to block it, but it's better if it is intercepted earlier?
EDIT:
Currently my default.conf.template that I map to the container contains the following (which does not work):
The text was updated successfully, but these errors were encountered: