origins.md 1.3 KB

[origins] Problems with referrer/origin validation

It's not unusual to use regex for Referer or Origin headers validation. Often it is needed for setting the X-Frame-Options header (ClickJacking protection) or Cross-Origin Resource Sharing.

The most common errors with this configuration are:

  • regex errors;
  • allow 3rd-party origins.

Notice: by default Gixy doesn't check regexes for 3rd-party origins matching. You can pass a list of trusted domains by using the option --origins-domains example.com,foo.bar

How can I find it?

"Eazy"-breezy:

  • you have to find all the if directives that are in charge of $http_origin or $http_referer check;
  • make sure your regexes are a-ok.

Misconfiguration example:

if ($http_origin ~* ((^https://www\.yandex\.ru)|(^https://ya\.ru)/)) {
	add_header 'Access-Control-Allow-Origin' "$http_origin";
	add_header 'Access-Control-Allow-Credentials' 'true';
}

TODO(buglloc): cover typical regex-writing problems TODO(buglloc): Regex Ninja?

What can I do?

  • fix your regex or toss it away :)
  • if you use regex validation for Referer request header, then, possibly (not 100%), you could use ngx_http_referer_module;
  • sometimes is much better to use map directive without any regex at all.