I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io.
Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.
Location
Scotland
Education
Self teached Developer
Work
Developer Advocate for Mobile and API Security at approov.io
In my case, I forked the repo and added a configuration option that allows you to spoof the Origin header, which defaults to true. You can check it out here. I also hosted this on Heroku as cors-escape.herokuapp.com (nothing to see there ๐).
So basically you cannot spoof it directly with JavaScript in the browser, but you can do it in a programmatically way.
Regarding Postman I am not aware if it allows or not to fake the origin header.
The lesson to take from here is that the CORS is a good protection on the browser side but not that hard to bypass.
The WHO vs WHAT Is Accessing the API Server
A usual misconception among developers it's WHO vs WHAT is accessing the API server.
For a better understanding off the difference between WHO vs WHAT is accessing your API server, I recommend you to read this section of my article, but I will extract here some lines of it:
The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.
The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
Without going into more detail, I want to say that any API server will have a hard time to figure out the WHAT bit, that will misuse and abuse of WHO the API server thinks is talking with.
I know we can bypass CORS from tools like postman since it is browser based protection only so I wanted to say to add authentication since cors will be bypassed from other means of making calls. Maybe my framing of sentence made you think I was saying cors canโt be bypassed
I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io.
Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.
Location
Scotland
Education
Self teached Developer
Work
Developer Advocate for Mobile and API Security at approov.io
Unfortunately they can be bypassed:
medium.com/netscape/hacking-it-out...
So basically you cannot spoof it directly with JavaScript in the browser, but you can do it in a programmatically way.
Regarding Postman I am not aware if it allows or not to fake the origin header.
The lesson to take from here is that the CORS is a good protection on the browser side but not that hard to bypass.
The WHO vs WHAT Is Accessing the API Server
A usual misconception among developers it's WHO vs WHAT is accessing the API server.
For a better understanding off the difference between WHO vs WHAT is accessing your API server, I recommend you to read this section of my article, but I will extract here some lines of it:
Without going into more detail, I want to say that any API server will have a hard time to figure out the WHAT bit, that will misuse and abuse of WHO the API server thinks is talking with.
I know we can bypass CORS from tools like postman since it is browser based protection only so I wanted to say to add authentication since cors will be bypassed from other means of making calls. Maybe my framing of sentence made you think I was saying cors canโt be bypassed
Yes, it made me thought that you believed that CORS was enough to protect the API.