I have a piece of javascript code that will be added to a existing webpage, which sends a request to a remote server end-point. Since this end-point is visible on the client-side code, it's basically public and can be exploited.I set up the CORS to only send response to the request coming from this specific domain.However, apparently this is not secure alone, as people can spoof the headers and get the response.As a solution to this, I though of creating another end-point to set a cookie if and only if this request is sent from this specific domain.So, my questions are1- Is it possible to set a cookie if the req is sent from a specific domain?2- I believe the first question is possible to implement, but likewise, people can fake the domain that the request is sent and get the cookies in return. However, can they make use of these cookies the way they can fake the headers to breach the CORS security?3- Is this a proper solution at all?4- If not, what measures can I take to make this public end-point safer?I have no access to the server of a that page where my code will be added. Otherwise I would send the request from server instead of exposing it in the client.
Submitted January 23, 2020 at 01:34PM by eligloys
No comments:
Post a Comment