The latest articles on DEV Community by Miguel (@miguelmota). https://dev.to/miguelmota https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F73783%2Fccadb98b-f9bc-4696-b981-5269f48aa9c9.jpg https://dev.to/miguelmota en Miguel Sun, 05 Apr 2020 20:07:41 +0000 https://dev.to/miguelmota/getting-started-with-wireguard-n9e https://dev.to/miguelmota/getting-started-with-wireguard-n9e <p><a href="https://www.wireguard.com/" rel="noopener noreferrer">WireGuard</a> is a relatively new VPN tunnel protocol that aims to be very fast and easy to setup. It follows the <a href="https://homepage.cs.uri.edu/~thenry/resources/unix_art/ch01s06.html" rel="noopener noreferrer">Unix Philosophy</a> closely in that it only <em>does one thing</em> (creating secured VPN tunnels) and <em>does it well</em>.</p> <p>If you've ever set up an VPN service such as <a href="https://github.com/OpenVPN/openvpn" rel="noopener noreferrer">OpenVPN</a> before then you know that it can get complicated because of all the steps you have to go through such as generating certificate authorities, issuing server and client keys and certificates, setting up multiple configuration files, configuring firewall rules, setting up route traffic forwarding, etc. which can either be dreadful or daunting. WireGuard is changing all that by simplifying the process of getting up and running in no time and allowing for easy configuration to connect multiple clients (peers).</p> <h3> Why use WireGuard? </h3> <ul> <li>A VPN helps protect you from man in the middle attacks.</li> <li>Protect your privacy against ISPs that snoop into your traffic.</li> <li>Get around internet censorship in countries.</li> </ul> <p><strong>Advantages of WireGuard over other VPNs:</strong></p> <ul> <li>It's kernel-based; improved performance.</li> <li>Establishes connections in less than 100ms.</li> <li>Small footprint; can be ran in virtually any device, ie. embedded devices.</li> <li>Easy to configure and deploy as SSH; reduces attack surface since there's less complexity.</li> <li>Uses modern and improved <a href="https://en.wikipedia.org/wiki/WireGuard#Protocol" rel="noopener noreferrer">cryptographic standards</a>.</li> <li>Simple handshake occurring every few minutes to ensure connection secrecy.</li> <li>IP roaming support meaning you can change wifi networks or disconnect from wifi or celluar and the VPN tunnel connection won't be lost. <em>It just works!</em> </li> </ul> <h3> What we'll be going over </h3> <p>This post assumes that you've never installed a VPN service before and we'll be using an Ubuntu machine since it's the most popular distro.</p> <p>This post is pretty verbose! but you can skip to the TLDR; to see the final scripts and configuration files used if you're familiar with the concepts already.</p> <p>The steps outlined in this post are:</p> <ol> <li>Setting up a server</li> <li>Installing WireGuard on server</li> <li>Generating server keys</li> <li>Creating server configuration file</li> <li>Enabling IP forwarding on server</li> <li>Installing WireGuard on client</li> <li>Generating client keys</li> <li>Creating client configuration file</li> <li>Setting client info on server config</li> <li>Starting WireGuard service on server</li> <li>Starting WireGuard service on client</li> <li>Connecting a mobile client to server</li> </ol> <p>Please note that in WireGuard land there is no "server" and "client" in the traditional sense. Rather, computers and devices connected to each other are known as "peers". For simplicity sake, we'll be using "server" to mean the hosted server that will be forwarding all our traffic to, and we'll be using "client" to refer to the home computer that forwards all it's traffic to the server.</p> <h2> Setting up a server </h2> <p>I'll be using a free tier EC2 micro instance from AWS for the example (and tearing down it afterwards). If you have an AWS account you can launch a new instance by going to:</p> <p>EC2 → Launch Instance → t2.micro with Ubuntu → Review and Launch → Launch</p> <p>In this example I'm running Ubuntu 18.04 (Bionic Beaver).</p> <h2> Installing WireGuard on server </h2> <p>To install wireguard on Ubuntu &lt;19.04 run the following comands:</p> <ol> <li><code>sudo add-apt-repository ppa:wireguard/wireguard</code></li> <li><code>sudo apt-get update</code></li> <li><code>sudo apt-get install wireguard</code></li> </ol> <p>If your server is using a different distro then look at the WireGuard <a href="https://www.wireguard.com/install/" rel="noopener noreferrer">installation instructions</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ubuntu@ip-172-30-0-233:~<span class="nv">$ </span><span class="nb">sudo </span>add-apt-repository ppa:wireguard/wireguard WireGuard is a novel VPN that runs inside the Linux Kernel. This is the Ubuntu packaging <span class="k">for </span>WireGuard. More info may be found at its website, listed below. More info: https://www.wireguard.com/ Packages: wireguard wireguard-tools wireguard-dkms Install with: <span class="nv">$ </span>apt <span class="nb">install </span>wireguard More info: https://launchpad.net/~wireguard/+archive/ubuntu/wireguard Press <span class="o">[</span>ENTER] to <span class="k">continue </span>or Ctrl-c to cancel adding it. &lt;truncated&gt; Fetched 18.5 MB <span class="k">in </span>4s <span class="o">(</span>4840 kB/s<span class="o">)</span> ubuntu@ip-172-30-0-233:~<span class="nv">$ </span><span class="nb">sudo </span>apt-get update Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease Hit:4 http://security.ubuntu.com/ubuntu bionic-security InRelease Hit:5 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic InRelease Reading package lists... Done ubuntu@ip-172-30-0-233:~<span class="nv">$ </span><span class="nb">sudo </span>apt-get <span class="nb">install </span>wireguard Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: &lt;truncated&gt; update-alternatives: using /usr/bin/g++ to provide /usr/bin/c++ <span class="o">(</span>c++<span class="o">)</span> <span class="k">in </span>auto mode Setting up build-essential <span class="o">(</span>12.4ubuntu1<span class="o">)</span> ... Setting up wireguard-dkms <span class="o">(</span>1.0.20200401-1ubuntu1~18.04<span class="o">)</span> ... Loading new wireguard-1.0.20200401 DKMS files... Building <span class="k">for </span>4.15.0-1057-aws Building initial module <span class="k">for </span>4.15.0-1057-aws Done. wireguard: Running module version sanity check. - Original module - No original module exists within this kernel - Installation - Installing to /lib/modules/4.15.0-1057-aws/updates/dkms/ depmod... DKMS: <span class="nb">install </span>completed. Setting up wireguard <span class="o">(</span>1.0.20200319-0ppa1~18.04<span class="o">)</span> ... Processing triggers <span class="k">for </span>libc-bin <span class="o">(</span>2.27-3ubuntu1<span class="o">)</span> ... Processing triggers <span class="k">for </span>man-db <span class="o">(</span>2.8.3-2ubuntu0.1<span class="o">)</span> ... </code></pre> </div> <p>Let's launch a shell as <code>root</code> with <code>sudo -s</code> to avoid having to type sudo every time from now on:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ubuntu@ip-172-30-0-233:~<span class="nv">$ </span><span class="nb">sudo</span> <span class="nt">-s</span> root@ip-172-30-0-233:~# </code></pre> </div> <p>Run <code>wg</code> to check if installation was successful which should <em>not</em> output anything if everything is OK:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# wg root@ip-172-30-0-233:/etc/wireguard/keys# </code></pre> </div> <p>The two WireGuard commands we'll be using are:</p> <ul> <li> <code>wg</code> for configuring WireGuard interfaces.</li> <li> <code>wg-quick</code> for starting and stopping WireGuard VPN tunnels.</li> </ul> <h2> Generating server keys </h2> <p>WireGuard configuration files will live under <code>/etc/wireguard/</code> so let's create a directory named <code>keys</code> there to store the keys we'll generate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:~# <span class="nb">mkdir</span> /etc/wireguard/keys </code></pre> </div> <p>Go into the <code>/etc/wireguard/keys/</code> directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:~# <span class="nb">cd</span> /etc/wireguard/keys </code></pre> </div> <p>Set the directory user mask to <code>077</code> by running <code>umask 077</code>. A umask of 077 allows read, write, and execute permissions for the file's owner (root in this case), but prohibits read, write, and execute permissions for everyone else and makes sure credentials don't leak in a race condition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# <span class="nb">umask </span>077 </code></pre> </div> <p>WireGuard uses asymmetric public/private Curve25519 key pairs for authentication between client and server.</p> <p>Use the <code>wg genkey</code> command to generate a private key. We can generate both the private and public key at once by piping the private key output to <code>tee</code> to save it to file but also to forward the private key to <code>wg publickey</code> which derived the public key from a private key and the save it to a file.</p> <p>So the command to run is <code>wg genkey | tee privatekey | wg pubkey &gt; publickey</code> to generate the key pair at once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# wg genkey | <span class="nb">tee </span>privatekey | wg pubkey <span class="o">&gt;</span> publickey </code></pre> </div> <p>If we do an <code>ls</code> we see there's a <code>privatekey</code> and <code>publickey</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# <span class="nb">ls </span>privatekey publickey </code></pre> </div> <p>Outputting the contents of the private key file shows us the random key it generated in base64 format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# <span class="nb">cat </span>privatekey wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M<span class="o">=</span> </code></pre> </div> <p>Likewise the public key it derived from the private key is in base64 format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root@ip-172-30-0-233:/etc/wireguard/keys# cat publickey H6StMJOYIjfqhDvG9v46DSX9UlQl52hOoUm7F3COxC4= </code></pre> </div> <p>We'll be needing the private key for the WireGuard server configuration, and the public key for the client configuration.</p> <h3> Creating server configuration file </h3> <p>Go into the <code>/etc/wireguard/</code> directory and create a new file <code>wg0.conf</code>. WireGuard will create a new network interface named the same as the filename so it's common convention to denote the first WireGuard network interface as <code>wg0</code> for context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard# <span class="nb">touch</span> /etc/wireguard/wg0.conf </code></pre> </div> <p>Open up the server configuration file <code>/etc/wireguard/wg0.conf</code> in your favorite editor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard# vim /etc/wireguard/wg0.conf </code></pre> </div> <p>Paste the following configuration into the new config file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">&lt;server private key&gt;</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.1/24</span> <span class="py">ListenPort</span> <span class="p">=</span> <span class="s">51820</span> </code></pre> </div> <p>The config files are in standard <a href="https://en.wikipedia.org/wiki/INI_file" rel="noopener noreferrer">INI</a> format.</p> <p>Replace the <code>PrivateKey</code> value with the private key content you generated earlier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.1/24</span> <span class="py">ListenPort</span> <span class="p">=</span> <span class="s">51820</span> </code></pre> </div> <p>The address <code>10.0.0.1</code> was chosen because it's an available private subnet on the server. If your server is using that IP range already, then pick a different address like <code>192.168.2.1</code> to avoid conflicts.</p> <p>To summarize, the server <code>[Interface]</code> section is for configuration the new WireGuard interface we are creating.</p> <ul> <li> <code>PrivateKey</code> is your server's private key.</li> <li> <code>Address</code> is the private network IP address range that we're assigning to for this network interface.</li> <li> <code>ListenPort</code> is the host port to run the service on. This port will need to be publicly accessible. The port <code>51820</code> is the default port.</li> </ul> <p>Make sure to enable the port <code>51820</code> for <code>UDP</code> traffic. If using EC2 then you should allow it under the Security Group for the EC2 instance.</p> <p>EC2 instance → Security groups → Click on security group → Edit inbound rules → Add rules → Custom UDP → Port range: 51820 → Source: Anywhere → Save rules</p> <p>The rules immediately take effect.</p> <p>If your server is behind a NAT then all traffic needs to be forwarded from the default interface to the WireGuard interface.</p> <p>To find out the name of the default interface run <code>ip route</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# ip route | <span class="nb">grep </span>default | <span class="nb">awk</span> <span class="s1">'{print $5}'</span> eth0 </code></pre> </div> <p>Now add forwarding rules for forwarding in the server configuration file using the <code>PostUp</code> and <code>PostDown</code> config settings where <code>PostUp</code> value command is ran when the WireGuard service starts and <code>PostDown</code> value command runs when the service is shutting down.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.1/24</span> <span class="py">ListenPort</span> <span class="p">=</span> <span class="s">51820</span> <span class="py">PostUp</span> <span class="p">=</span> <span class="s">iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</span> <span class="py">PostDown</span> <span class="p">=</span> <span class="s">iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE</span> </code></pre> </div> <p>The three iptable rules are:</p> <ul> <li> <code>iptables -A FORWARD -i %i -j ACCEPT</code> for allowing inbound traffic received by the interface.</li> <li> <code>iptables -A FORWARD -o %i -j ACCEPT</code> for allowing outbound traffic from the interface.</li> <li> <code>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</code> for masking the private IP address of the interface with the external IP address of the default interface.</li> </ul> <h2> Enabling IP forwarding on server </h2> <p>By default IP forwarding is disabled meaning that if the interface receives a packet that wasn't intended for it then it'll reject it. Since we need to pass on packets from one interface to another then we need to allow IP forwarding.</p> <p>Open up the file <code>/etc/sysctl.conf</code> for editing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard# vim /etc/sysctl.conf </code></pre> </div> <p>Allow forwarding of IP packets by uncommenting out the line <code>net.ipv4.ip_forward=1</code> near line 28:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># Uncomment the next line to enable packet forwarding for IPv4 </span><span class="py">net.ipv4.ip_forward</span><span class="p">=</span><span class="s">1</span> </code></pre> </div> <p>Run <code>sysctl -p</code> for the changes to take effect without requiring a reboot:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard# sysctl <span class="nt">-p</span> net.ipv4.ip_forward <span class="o">=</span> 1 </code></pre> </div> <p>Confirm that IP forwarding is enabled by outputting the contents of <code>/proc/sys/net/ipv4/ip_forward</code> which should return <code>1</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard# <span class="nb">cat</span> /proc/sys/net/ipv4/ip_forward 1 </code></pre> </div> <p>The server is almost fully configured. It's only now missing information about the client so let's set up the client next.</p> <h2> Installing WireGuard on client </h2> <p>Jump back to your client machine and install WireGuard. My client machine is running Arch linux but the process will be the same for most linux distros. If you're running Ubuntu on the client then do the same install steps you did on the server above or look at the official WireGuard <a href="https://www.wireguard.com/install/" rel="noopener noreferrer">installation instructions</a>.</p> <p>Ubuntu WireGuard install instructions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>add-apt-repository ppa:wireguard/wireguard <span class="nv">$ </span><span class="nb">sudo </span>apt-get update <span class="nv">$ </span><span class="nb">sudo </span>apt-get <span class="nb">install </span>wireguard </code></pre> </div> <p>If running Arch like I am, then these are the WireGuard install instructions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ sudo pacman -S wireguard-tools wireguard-dkms </code></pre> </div> <p>Let's launch a shell as <code>root</code> with <code>sudo -s</code> to avoid having to type sudo every time from now on:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo</span> <span class="nt">-s</span> <span class="o">[</span>root@archlinux ~]# </code></pre> </div> <h2> Generating client keys </h2> <p>The process of generating WireGuard keys on the client is the same as how it's done on the server. Create the directory <code>/etc/wireguard/keys</code> and set the user mask to <code>077</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@archlinux ~]# <span class="nb">mkdir</span> /etc/wireguard/keys <span class="o">[</span>root@archlinux ~]# <span class="nb">cd</span> /etc/wireguard/keys <span class="o">[</span>root@archlinux keys]# <span class="nb">umask </span>077 </code></pre> </div> <p>Generate a private and public key pair for the client using the same command as we did on the server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@archlinux keys]# wg genkey | <span class="nb">tee </span>privatekey | wg pubkey <span class="o">&gt;</span> publickey </code></pre> </div> <p>Output the key contents which we'll be needing soon in our configuration files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@archlinux keys]# <span class="nb">cat </span>privatekey <span class="nv">cAqmevIKScn5l4Jg1F69KEIty6gVb8wGNqNlApvzc0c</span><span class="o">=</span> <span class="o">[</span>root@archlinux keys]# <span class="nb">cat </span>publickey <span class="nv">vi4TCAo8TNRkpf4ZpiMsp3YHaOLrcouSDkrm4wJxezw</span><span class="o">=</span> </code></pre> </div> <h2> Creating client configuration file </h2> <p>On the client create the configuration <code>/etc/wireguard/wg0.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@archlinux keys]# vim /etc/wireguard/wg0.conf </code></pre> </div> <p>Paste the configuration into your client configuration file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.2/32</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">&lt;client private key&gt;</span> </code></pre> </div> <p>Replace the <code>PrivateKey</code> value with your client's private key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.2/32</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">cAqmevIKScn5l4Jg1F69KEIty6gVb8wGNqNlApvzc0c=</span> </code></pre> </div> <p>Optionally, you can set the DNS resolver to use. We'll set the DNS resolver IP to Cloudflare's public DNS resolver <a href="https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/" rel="noopener noreferrer"><code>1.1.1.1</code></a> which is fast and secure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.2/32</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">cAqmevIKScn5l4Jg1F69KEIty6gVb8wGNqNlApvzc0c=</span> <span class="py">DNS</span> <span class="p">=</span> <span class="s">1.1.1.1</span> </code></pre> </div> <p>To summarize, the client <code>[Interface]</code> section is for configuration the new WireGuard interface we are creating.</p> <ul> <li> <code>Address</code> is the private network IP address range that we're assigning to for this network interface.</li> <li> <code>PrivateKey</code> is your client's private key.</li> <li> <code>DNS</code> is the DNS resolve to use.</li> </ul> <h2> Setting server peer on client config </h2> <p>The next step is to set information about the server in the client configuration file under the <code>[Peer]</code> section:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.2/32</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">cAqmevIKScn5l4Jg1F69KEIty6gVb8wGNqNlApvzc0c=</span> <span class="py">DNS</span> <span class="p">=</span> <span class="s">1.1.1.1</span> <span class="nn">[Peer]</span> <span class="py">PublicKey</span> <span class="p">=</span> <span class="s">&lt;server public key&gt;</span> <span class="py">Endpoint</span> <span class="p">=</span> <span class="s">&lt;server public ip&gt;:51820</span> <span class="py">AllowedIPs</span> <span class="p">=</span> <span class="s">0.0.0.0/0</span> </code></pre> </div> <p>Replace the <code>PublicKey</code> value to your server's public key and set the <code>Endpoint</code> to be your server's public IP address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.2/32</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">cAqmevIKScn5l4Jg1F69KEIty6gVb8wGNqNlApvzc0c=</span> <span class="py">DNS</span> <span class="p">=</span> <span class="s">1.1.1.1</span> <span class="nn">[Peer]</span> <span class="py">PublicKey</span> <span class="p">=</span> <span class="s">H6StMJOYIjfqhDvG9v46DSX9UlQl52hOoUm7F3COxC4=</span> <span class="py">Endpoint</span> <span class="p">=</span> <span class="s">54.225.123.18:51820</span> <span class="py">AllowedIPs</span> <span class="p">=</span> <span class="s">0.0.0.0/0</span> </code></pre> </div> <p>If your server is behind a NAT and <em>not</em> accessible via a public IP, then under the peer section you'll need to set <code>PersistentKeepalive</code> to keep the connection alive. It's important that you <strong>only set <code>PersistentKeepalive</code> if your server in an internal server</strong>, otherwise you'd be wasting bandwidth and battery life for no good reason.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="py">PersistentKeepalive</span> <span class="p">=</span> <span class="s">25</span> </code></pre> </div> <p>To summarize, the client <code>[Peer]</code> section is for configuration information about the peer it's connecting to, which in this case it's the client connection to the server.</p> <ul> <li> <code>PublicKey</code> is the public key of the server.</li> <li> <code>Endpoint</code> is your server's public IP and port the server's interface is listening, configured with <code>ListenPort</code> in the server's config.</li> <li> <code>AllowedIPs</code> is the IP range to allow forwarding from. Setting it to <code>0.0.0.0/0</code> will forward all traffic over the tunnel.</li> <li> <code>PersistentKeepalive</code> is the interval to periodically send keepalive packets to the server.</li> </ul> <p>If you're not sure what your server's public address is, you can do an IP lookup by doing a DNS query request to <code>myip.opendns.com</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard# dig +short myip.opendns.com @resolver1.opendns.com 54.225.123.18 </code></pre> </div> <p>If your server is an EC2 instance, you get query the metadata endpoint to get the public IP address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard# curl http://169.254.169.254/latest/meta-data/public-ipv4 54.225.123.18 </code></pre> </div> <h2> Setting client peer on server config </h2> <p>Go back into the server and edit the config. We're going to add information about the client so that the server and client can authenticate with each other.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# vim /etc/wireguard/wg0.conf </code></pre> </div> <p>Add the <code>[Peer]</code> section to the server config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.1/24</span> <span class="py">ListenPort</span> <span class="p">=</span> <span class="s">51820</span> <span class="py">PostUp</span> <span class="p">=</span> <span class="s">iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</span> <span class="py">PostDown</span> <span class="p">=</span> <span class="s">iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE</span> <span class="nn">[Peer]</span> <span class="py">PublicKey</span> <span class="p">=</span> <span class="s">&lt;client public key&gt;</span> <span class="py">AllowedIPs</span> <span class="p">=</span> <span class="s">10.0.0.2/32</span> </code></pre> </div> <p>Replace the <code>PublicKey</code> value with your client's public key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.1/24</span> <span class="py">ListenPort</span> <span class="p">=</span> <span class="s">51820</span> <span class="py">PostUp</span> <span class="p">=</span> <span class="s">iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</span> <span class="py">PostDown</span> <span class="p">=</span> <span class="s">iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE</span> <span class="nn">[Peer]</span> <span class="py">PublicKey</span> <span class="p">=</span> <span class="s">vi4TCAo8TNRkpf4ZpiMsp3YHaOLrcouSDkrm4wJxezw=</span> <span class="py">AllowedIPs</span> <span class="p">=</span> <span class="s">10.0.0.2/32</span> </code></pre> </div> <p>To summarize, the server <code>[Peer]</code> section is for configuration information about the peer it's connecting to, which in this case it's the servers connection to the client.</p> <ul> <li> <code>PublicKey</code> is the client's public key.</li> <li> <code>AllowedIPs</code> are allowed client IP addresses.</li> </ul> <h2> Starting WireGuard service on server </h2> <p>Now that the server has the client peer information we can start the WireGuard service with <code>wg-quick up wg0</code> on the server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# wg-quick up wg0 <span class="o">[</span><span class="c">#] ip link add wg0 type wireguard</span> <span class="o">[</span><span class="c">#] wg setconf wg0 /dev/fd/63</span> <span class="o">[</span><span class="c">#] ip -4 address add 10.0.0.1/24 dev wg0</span> <span class="o">[</span><span class="c">#] ip link set mtu 8921 up dev wg0</span> <span class="o">[</span><span class="c">#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</span> </code></pre> </div> <p>To start WireGuard across reboots you'll need to <em>enable</em> the service to add it to the systemd init system by running <code>systemctl enable wg-quick@wg0.service</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# systemctl <span class="nb">enable </span>wg-quick@wg0.service Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service. </code></pre> </div> <p>Check the status by running <code>systemctl status wg-quick@wg0.service</code> and if you see <em>Active: active (exited)</em> then if everything is good so far:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# systemctl status wg-quick@wg0.service ● wg-quick@wg0.service - WireGuard via wg-quick<span class="o">(</span>8<span class="o">)</span> <span class="k">for </span>wg0 Loaded: loaded <span class="o">(</span>/lib/systemd/system/wg-quick@.service<span class="p">;</span> indirect<span class="p">;</span> vendor preset: enabled<span class="o">)</span> Active: active <span class="o">(</span>exited<span class="o">)</span> since Thu 2020-04-02 06:35:22 UTC<span class="p">;</span> 1s ago Docs: man:wg-quick<span class="o">(</span>8<span class="o">)</span> man:wg<span class="o">(</span>8<span class="o">)</span> https://www.wireguard.com/ https://www.wireguard.com/quickstart/ https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8 https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8 Process: 10730 <span class="nv">ExecStart</span><span class="o">=</span>/usr/bin/wg-quick up wg0 <span class="o">(</span><span class="nv">code</span><span class="o">=</span>exited, <span class="nv">status</span><span class="o">=</span>0/SUCCESS<span class="o">)</span> Main PID: 10730 <span class="o">(</span><span class="nv">code</span><span class="o">=</span>exited, <span class="nv">status</span><span class="o">=</span>0/SUCCESS<span class="o">)</span> Apr 02 06:35:21 ip-172-30-0-233 systemd[1]: Starting WireGuard via wg-quick<span class="o">(</span>8<span class="o">)</span> <span class="k">for </span>wg0... Apr 02 06:35:22 ip-172-30-0-233 wg-quick[10730]: <span class="o">[</span><span class="c">#] ip link add wg0 type wireguard</span> Apr 02 06:35:22 ip-172-30-0-233 wg-quick[10730]: <span class="o">[</span><span class="c">#] wg setconf wg0 /dev/fd/63</span> Apr 02 06:35:22 ip-172-30-0-233 wg-quick[10730]: <span class="o">[</span><span class="c">#] ip -4 address add 10.0.0.1/24 dev wg0</span> Apr 02 06:35:22 ip-172-30-0-233 wg-quick[10730]: <span class="o">[</span><span class="c">#] ip link set mtu 8921 up dev wg0</span> Apr 02 06:35:22 ip-172-30-0-233 wg-quick[10730]: <span class="o">[</span><span class="c">#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; ipt</span> Apr 02 06:35:22 ip-172-30-0-233 systemd[1]: Started WireGuard via wg-quick<span class="o">(</span>8<span class="o">)</span> <span class="k">for </span>wg0. </code></pre> </div> <p>Verify that new iproute rules have been applied with <code>iptables -L -n</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard# iptables <span class="nt">-L</span> <span class="nt">-n</span> Chain INPUT <span class="o">(</span>policy ACCEPT<span class="o">)</span> target prot opt <span class="nb">source </span>destination Chain FORWARD <span class="o">(</span>policy ACCEPT<span class="o">)</span> target prot opt <span class="nb">source </span>destination ACCEPT all <span class="nt">--</span> 0.0.0.0/0 0.0.0.0/0 ACCEPT all <span class="nt">--</span> 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT <span class="o">(</span>policy ACCEPT<span class="o">)</span> target prot opt <span class="nb">source </span>destination </code></pre> </div> <p>Running the command <code>ifconfig</code> shows the new network interface <code>wg0</code> with the internal IP address we specified <code>10.0.0.1</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard# ifconfig eth0: <span class="nv">flags</span><span class="o">=</span>4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt; mtu 9001 inet 172.30.0.233 netmask 255.255.255.0 broadcast 172.30.0.255 inet6 fe80::1097:5bff:fe30:d57 prefixlen 64 scopeid 0x20&lt;<span class="nb">link</span><span class="o">&gt;</span> ether 12:97:5b:30:0d:57 txqueuelen 1000 <span class="o">(</span>Ethernet<span class="o">)</span> RX packets 1151269 bytes 524679242 <span class="o">(</span>524.6 MB<span class="o">)</span> RX errors 0 dropped 0 overruns 0 frame 0 TX packets 1022229 bytes 345390292 <span class="o">(</span>345.3 MB<span class="o">)</span> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: <span class="nv">flags</span><span class="o">=</span>73&lt;UP,LOOPBACK,RUNNING&gt; mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10&lt;host&gt; loop txqueuelen 1000 <span class="o">(</span>Local Loopback<span class="o">)</span> RX packets 526 bytes 48787 <span class="o">(</span>48.7 KB<span class="o">)</span> RX errors 0 dropped 0 overruns 0 frame 0 TX packets 526 bytes 48787 <span class="o">(</span>48.7 KB<span class="o">)</span> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 wg0: <span class="nv">flags</span><span class="o">=</span>209&lt;UP,POINTOPOINT,RUNNING,NOARP&gt; mtu 8921 inet 10.0.0.1 netmask 255.255.255.0 destination 10.0.0.1 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 <span class="o">(</span>UNSPEC<span class="o">)</span> RX packets 0 bytes 0 <span class="o">(</span>0.0 B<span class="o">)</span> RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 <span class="o">(</span>0.0 B<span class="o">)</span> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 </code></pre> </div> <h2> Starting WireGuard service on client </h2> <p>First take note of your current public IP address on the client machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@archlinux wireguard]# dig +short myip.opendns.com @resolver1.opendns.com 65.88.88.4 </code></pre> </div> <p>After we start the WireGuard service on the client then the public IP address will be resolved to the server's public IP address.</p> <p>Start the WireGuard service using <code>wg-quick</code> just like we did previously on the server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@archlinux wireguard]# wg-quick up wg0 </code></pre> </div> <p>Now that WireGuard is running, check the public IP address again of the client and it should now be the public IP address of the server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@archlinux wireguard]# dig +short myip.opendns.com @resolver1.opendns.com 54.225.123.18 </code></pre> </div> <p><strong>Success!</strong> WireGuard is correctly configured and the peers are connected.</p> <h2> Connecting a mobile client to server </h2> <p>Download the WireGuard app for <a href="https://apps.apple.com/us/app/wireguard/id1441195209" rel="noopener noreferrer">iOS</a> or <a href="https://play.google.com/store/apps/details?id=com.wireguard.android&amp;hl=en_US" rel="noopener noreferrer">Android</a> on your device.</p> <p>For this example we'll create a second client (an iPhone) to connect to the WireGuard server. The same steps will need to be followed from when we setup the first client.</p> <p>We can generate keys directly on the device and set up the configuration manually but that's not quick and ideal. Instead we can generate the keys and configuration on the server and then securely transfer the information into the WireGuard app.</p> <p>Run <code>wg genkey</code> but specify different filenames this time to distinguish them from the server keys:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard# <span class="nb">cd</span> /etc/wireguard/keys root@ip-172-30-0-233:/etc/wireguard/keys# wg genkey | <span class="nb">tee </span>iphone_privatekey | wg pubkey <span class="o">&gt;</span> iphone_publickey root@ip-172-30-0-233:/etc/wireguard/keys# <span class="nb">cat </span>iphone_privatekey kFnMqMSiAluwb/xWgemXhjLh/II/sb92OoYCbh7yaWw<span class="o">=</span> root@ip-172-30-0-233:/etc/wireguard/keys# <span class="nb">cat </span>iphone_publickey cKIxzfp5ESpdM34vT2Qk/S7yvprOff6Le4YnyOTI4B8<span class="o">=</span> </code></pre> </div> <p>Open up the server config <code>/etc/wireguard/wg0.conf</code> in your favorite editor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# vim /etc/wireguard/wg0.conf </code></pre> </div> <p>Add the second peer section and include the client's public key and IP address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.1/24</span> <span class="py">ListenPort</span> <span class="p">=</span> <span class="s">51820</span> <span class="py">PostUp</span> <span class="p">=</span> <span class="s">iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</span> <span class="py">PostDown</span> <span class="p">=</span> <span class="s">iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE</span> <span class="nn">[Peer]</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">wIObajifv6U2emcZsAGNZbbWzkyrs84EEyr+bgmlB3M=</span> <span class="py">AllowedIPs</span> <span class="p">=</span> <span class="s">10.0.0.2/32</span> <span class="nn">[Peer]</span> <span class="py">PublicKey</span> <span class="p">=</span> <span class="s">cKIxzfp5ESpdM34vT2Qk/S7yvprOff6Le4YnyOTI4B8=</span> <span class="py">AllowedIPs</span> <span class="p">=</span> <span class="s">10.0.0.3/32</span> </code></pre> </div> <p>Create a new configuration file for the iPhone client on the server. We'll name it <code>wgo-iphone.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard/keys# vim /etc/wireguard/wg0-iphone.conf </code></pre> </div> <p>Paste client configuration but remember to use a different private IP that differs from the first client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">kFnMqMSiAluwb/xWgemXhjLh/II/sb92OoYCbh7yaWw=</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.3/32</span> <span class="py">DNS</span> <span class="p">=</span> <span class="s">1.1.1.1</span> <span class="nn">[Peer]</span> <span class="py">PublicKey</span> <span class="p">=</span> <span class="s">H6StMJOYIjfqhDvG9v46DSX9UlQl52hOoUm7F3COxC4=</span> <span class="py">Endpoint</span> <span class="p">=</span> <span class="s">54.225.123.18:51820</span> <span class="py">AllowedIPs</span> <span class="p">=</span> <span class="s">0.0.0.0/0</span> </code></pre> </div> <p>Install <a href="https://github.com/fukuchi/libqrencode" rel="noopener noreferrer">qrencode</a> on the server to generate a QRCode from the configuration file.</p> <p>You'll be scanning this qrcode in the WireGuard app to download the configuration. This is a safer way to transport credentials since the keys and configuration files don't need to be zipped and moved.</p> <p>Generate the text based qrcode image in your terminal with <code>qrencode -t ansiutf8 &lt; wg0-iphone.conf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ip-172-30-0-233:/etc/wireguard# qrencode <span class="nt">-t</span> ansiutf8 &lt; wg0-iphone.conf &lt;qrcode image&gt; </code></pre> </div> <p>In the WireGuard app go to: Add a tunnel → Create from QRCode</p> <p>Scan the qrcode code generated in the terminal and make sure to <em>Allow</em> the VPN configuration in the settings popup.</p> <p>Enable the VPN by toggling on the switch.</p> <p>Visit <a href="https://ipchicken.com/" rel="noopener noreferrer">ipchicken.com</a> in the browser to verify the public iP address has changed.</p> <h2> Generating vanity addresses </h2> <p>It's easy to lose track of which keys belong to which devices since they all look like random strings. To make it easier to associate keys to devices you can use this <a href="https://github.com/warner/wireguard-vanity-address" rel="noopener noreferrer">vanity address generator</a> to generate public keys that contain a custom array of characters.</p> <p>For example, we'll generate a key pair where the public key starts with "iPho" to denote that it's a key pair to be used on the iPhone client.</p> <p>First install the vanity address generator with <a href="https://crates.io/" rel="noopener noreferrer">cargo</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>cargo <span class="nb">install </span>wireguard-vanity-address </code></pre> </div> <p>Now just specify the list of characters that you want in the public key base64 output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>wireguard-vanity-address ipho searching <span class="k">for</span> <span class="s1">'ipho'</span> <span class="k">in </span>pubkey[0..10], one of every 149796 keys should match one trial takes 83.6 us, CPU cores available: 8 est yield: 1.6 seconds per key, 638.83e-3 keys/s hit Ctrl-C to stop private YPpudjAoVCnaPUJdcEVhj5Ttedq7WP1ozL+ZdtuTC1g<span class="o">=</span> public <span class="nv">cHklbipHoMS9CA8XlRdKMBOOIfQC28Ut8SVyYsqmox0</span><span class="o">=</span> private <span class="nv">kD6FSIZehv1DKJ28MKJQcmSDdd69U3s4s11ymtP1Ekc</span><span class="o">=</span> public iPHoaaQye7+OJNq/TfOvXjMr99pq9ADDDlGynRQ6KQ8<span class="o">=</span> private <span class="nv">aEJ33LXCeipouhiAoQjfMjtwrHPfZDvKLguE8XlawnY</span><span class="o">=</span> public iPHoEoUy4WgkUXr4e47IkA06IZqVI/AqHNS2RZlGhHM<span class="o">=</span> ^C </code></pre> </div> <p>It'll keep generating until you manually stop it when you see a key pair that you like.</p> <h2> Automation </h2> <p>A nice tool to automate the process of setting up a WireGuard VPN is <a href="https://github.com/trailofbits/algo" rel="noopener noreferrer">Algo</a>.</p> <p>Algo is a set of <a href="https://github.com/ansible/ansible" rel="noopener noreferrer">Ansible</a> scripts to help you set up and configure WireGuard on the remote server from your local machine.</p> <p>To get started, clone the algo repository and install the python dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>~<span class="nv">$ </span>git clone https://github.com/trailofbits/algo.git ~<span class="nv">$ </span><span class="nb">cd </span>algo/ ~/algo<span class="nv">$ </span>pip <span class="nb">install </span>virtualenv ~/algo<span class="nv">$ </span>python3 <span class="nt">-m</span> virtualenv <span class="nt">--python</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">command</span> <span class="nt">-v</span> python3<span class="si">)</span><span class="s2">"</span> .env <span class="o">&amp;&amp;</span> <span class="nb">source</span> .env/bin/activate <span class="o">&amp;&amp;</span> python3 <span class="nt">-m</span> pip <span class="nb">install</span> <span class="nt">-U</span> pip virtualenv <span class="o">&amp;&amp;</span> python3 <span class="nt">-m</span> pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt </code></pre> </div> <p>Now run the algo executable file to start the walkthough of deploying an Algo server to the cloud:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">(</span>.env<span class="o">)</span> ~/algo<span class="nv">$ </span>./algo <span class="o">[</span>Cloud prompt] What provider would you like to use? 1. DigitalOcean 2. Amazon Lightsail 3. Amazon EC2 4. Microsoft Azure 5. Google Compute Engine 6. Hetzner Cloud 7. Vultr 8. Scaleway 9. OpenStack <span class="o">(</span>DreamCompute optimised<span class="o">)</span> 10. CloudStack <span class="o">(</span>Exoscale optimised<span class="o">)</span> 11. Install to existing Ubuntu 18.04 or 19.10 server <span class="o">(</span><span class="k">for </span>more advanced <span class="nb">users</span><span class="o">)</span> Enter the number of your desired provider : &lt;truncated&gt; </code></pre> </div> <h2> Troubleshooting </h2> <p><em>The following are additional steps users reported they needed to take after getting the following errors.</em></p> <p>If you tried <code>wg-quick up wg0</code> and received the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ubuntu:/etc/wireguard# wg-quick up wg0 <span class="o">[</span><span class="c">#] ip link add wg0 type wireguard</span> RTNETLINK answers: Operation not supported Unable to access interface: Protocol not supported <span class="o">[</span><span class="c">#] ip link delete dev wg0</span> Cannot find device <span class="s2">"wg0"</span> </code></pre> </div> <p>The error <em>"RNETLINK answers: Operation not supported"</em> when trying to start the wg0 interface could mean that you need install you install additional kernel modules that are required.</p> <p>To install the required wireguard kernel modules on Ubuntu, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ubuntu:/etc/wireguard# apt-get <span class="nb">install </span>wireguard-dkms wireguard-tools linux-headers-<span class="si">$(</span><span class="nb">uname</span> <span class="nt">-r</span><span class="si">)</span> </code></pre> </div> <p>Running <code>modprobe wireguard</code> should <em>not</em> output anything if the kernel modules were installed successful:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ubuntu:/etc/wireguard# modprobe wireguard </code></pre> </div> <p>If you're seeing errors then there's a chance that the <a href="https://wiki.ubuntu.com/UEFI/SecureBoot" rel="noopener noreferrer">Secure Boot</a> feature is blocking the unsigned WireGuard kernel module. To fix this you'll need to disable Secure Boot or sign the WireGuard module for the kernel to trust it. See this <a href="https://askubuntu.com/questions/891248/ubuntu-16-04-how-can-i-disable-secure-boot" rel="noopener noreferrer">answer</a> for instructions.</p> <p>After rebooting try loading the interface with the <code>ip link</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ubuntu:/etc/wireguard# ip <span class="nb">link </span>add dev wg0 <span class="nb">type </span>wireguard </code></pre> </div> <p>There should be no output if successful.</p> <p>If you tried <code>wg-quick up wg0</code> and received the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ubuntu:/etc/wireguard# wg-quick up wg0 <span class="o">[</span><span class="c">#] ip link add configfile type wireguard</span> <span class="o">[</span><span class="c">#] wg setconf configfile /dev/fd/63</span> <span class="o">[</span><span class="c">#] ip address add 10.0.0.1/24 dev configfile</span> <span class="o">[</span><span class="c">#] ip link set mtu 1420 dev configfile</span> <span class="o">[</span><span class="c">#] ip link set configfile up</span> <span class="o">[</span><span class="c">#] resolvconf -a configfile -m 0 -x</span> /usr/bin/wg-quick: line 31: resolvconf: <span class="nb">command </span>not found <span class="o">[</span><span class="c">#] ip link delete dev configfile</span> </code></pre> </div> <p>it could mean that <code>resolveconf</code> is not installed on your machine, so you'll need to install the <code>openresolv</code> package:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@ubuntu:/etc/wireguard# apt-get <span class="nb">install </span>openresolv </code></pre> </div> <p>See this <a href="https://github.com/StreisandEffect/streisand/issues/1434" rel="noopener noreferrer">Github issue</a> thread for more context.</p> <h2> TLDR; </h2> <p>Here's a summary of the server and client configuration and commands used in this post:</p> <h3> Server </h3> <p>Server commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-s</span> apt-get <span class="nb">install </span>wireguard <span class="nb">mkdir</span> <span class="nt">-p</span> /etc/wireguard/keys <span class="nb">cd</span> /etc/wireguard/keys <span class="nb">umask </span>077 wg genkey | <span class="nb">tee </span>privatekey | wg pubkey <span class="o">&gt;</span> publickey vim /etc/wireguard/wg0.conf <span class="c"># see server config below</span> vim /etc/sysctl.conf <span class="c"># uncomment line "net.ipv4.ip_forward=1"</span> sysctl <span class="nt">-p</span> wg-quick up wg0 systemctl <span class="nb">enable </span>wg-quick@wg0.service </code></pre> </div> <p>Server config <code>/etc/wireguard/wg0.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">&lt;server private key&gt;</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.1/24</span> <span class="py">ListenPort</span> <span class="p">=</span> <span class="s">51820</span> <span class="py">PostUp</span> <span class="p">=</span> <span class="s">iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</span> <span class="py">PostDown</span> <span class="p">=</span> <span class="s">iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE</span> <span class="nn">[Peer]</span> <span class="py">PublicKey</span> <span class="p">=</span> <span class="s">&lt;client public key&gt;</span> <span class="py">AllowedIPs</span> <span class="p">=</span> <span class="s">10.0.0.2/32</span> </code></pre> </div> <h3> Client </h3> <p>Client commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-s</span> apt-get <span class="nb">install </span>wireguard <span class="nb">mkdir</span> <span class="nt">-p</span> /etc/wireguard/keys <span class="nb">cd</span> /etc/wireguard/keys <span class="nb">umask </span>077 wg genkey | <span class="nb">tee </span>privatekey | wg pubkey <span class="o">&gt;</span> publickey vim /etc/wireguard/wg0.conf <span class="c"># see client config below</span> wg-quick up wg0 </code></pre> </div> <p>Client config <code>/etc/wireguard/wg0.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Interface]</span> <span class="py">PrivateKey</span> <span class="p">=</span> <span class="s">&lt;client private key&gt;</span> <span class="py">Address</span> <span class="p">=</span> <span class="s">10.0.0.2/32</span> <span class="py">DNS</span> <span class="p">=</span> <span class="s">1.1.1.1</span> <span class="nn">[Peer]</span> <span class="py">PublicKey</span> <span class="p">=</span> <span class="s">&lt;server public key&gt;</span> <span class="py">Endpoint</span> <span class="p">=</span> <span class="s">&lt;server public ip&gt;:51820</span> <span class="py">AllowedIPs</span> <span class="p">=</span> <span class="s">0.0.0.0/0</span> </code></pre> </div> <h2> Resources </h2> <ul> <li><a href="https://www.wireguard.com/" rel="noopener noreferrer">WireGuard site</a></li> <li><a href="https://github.com/warner/wireguard-vanity-address" rel="noopener noreferrer">WireGuard vanity address generator</a></li> <li><a href="https://apps.apple.com/us/app/wireguard/id1441195209" rel="noopener noreferrer">WireGuard for iOS</a></li> <li><a href="https://play.google.com/store/apps/details?id=com.wireguard.android&amp;hl=en_US" rel="noopener noreferrer">WireGuard for Android</a></li> <li><a href="https://apps.apple.com/us/app/wireguard/id1451685025?mt=12" rel="noopener noreferrer">WireGuard for macOS</a></li> <li><a href="https://download.wireguard.com/windows-client/" rel="noopener noreferrer">WireGuard for Windows</a></li> <li><a href="https://github.com/fukuchi/libqrencode" rel="noopener noreferrer">libqrencode</a></li> <li><a href="https://github.com/trailofbits/algo" rel="noopener noreferrer">Algo</a></li> </ul> wireguard vpn linux tutorial Miguel Fri, 20 Sep 2019 07:42:24 +0000 https://dev.to/miguelmota/understanding-cross-origin-resource-sharing-cors-2i3e https://dev.to/miguelmota/understanding-cross-origin-resource-sharing-cors-2i3e <p><em>Cross-Origin Resource Sharing</em> (<a href="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" rel="noopener noreferrer">CORS</a>) is a way of making HTTP requests from one place to another. Historically browsers have only allowed requests in JavaScript to be made from the same domain enforced by the same-origin policy which prevents cross-origin type of requests.</p> <p>CORS gives the server authority of who can make requests and what type of requests are allowed. Browsers are the clients that enforce CORS policies. </p> <p>The server can configure:</p> <ul> <li>Which domains are allowed to make the HTTP request</li> <li>Which HTTP methods are allowed (GET, POST, PUT, DELETE, etc).</li> <li>Which headers are allowed on the request.</li> <li>Whether or not requests may include cookie information.</li> <li>Which response headers the client can read.</li> </ul> <p>Intro TLDR;</p> <blockquote> <p><strong>CORS allows for restricted resources on a server to be accessed by a client on a different host.</strong></p> </blockquote> <h4> We'll be covering all that things that you need to know about CORS beyond <code>Access-Control-Allow-Origin: *</code> in this tutorial. Yes there's a lot to learn! </h4> <h2> Same-Origin vs Cross-Origin </h2> <p>For simplification purposes, a <em>same-origin</em> request is like 2 people in a house communicating. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fauagpeeq2v4ow4r5irxa.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fauagpeeq2v4ow4r5irxa.png" alt="Same-origin communication example"></a></p> <p>There's no communication barrier between the Alice and Bob since they are in the same house (the same origin).</p> <p><strong>VS</strong></p> <p>A <em>cross-origin</em> request is like having 2 different houses and a person from one house communicating from a person on the other house.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtuicde86yiddurbb20o.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtuicde86yiddurbb20o.png" alt="Cross-origin communication example"></a></p> <p>Since Bob wants to communicate with Charlie who lives in a different house then it's considered cross-origin communication because the homes live in different origins. And since Bob is initiating the call then the house Charlie is in needs to approve Bobs call.</p> <p>TLDR;</p> <blockquote> <p><strong>A same-origin request is when the request is made from a host to the same host while a cross-origin request is when the request is made from a host to a different host.</strong></p> </blockquote> <h3> Same-origin request </h3> <p>As an example, let's first make a same-origin request. We'll create a simple server offering an endpoint for the client and serving an HTML page. <em>Throughout this this tutorial we'll be using Node.js and the <a href="https://expressjs.com/" rel="noopener noreferrer">express</a> server for simplicity sake.</em></p> <p>File <code>server.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">8000</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">))</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">([</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">foo</span><span class="dl">'</span><span class="p">},</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bar</span><span class="dl">'</span><span class="p">},</span> <span class="p">])</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`listening on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>File <code>index.html</code></p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en-US"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:8000/api/posts</span><span class="dl">'</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">})()</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server.js listening on port 8000 </code></pre> </div> <p>If you visit <a href="http://localhost:8000/" rel="noopener noreferrer">http://localhost:8000/</a> you can see the request was successful. Nothing crazy and expected because it's from the same origin.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiw1dpjte9ffowub65yaj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiw1dpjte9ffowub65yaj.png" alt="No CORS Error"></a></p> <h3> Cross-origin request </h3> <p>Now to show a cross-origin request let's spin up a new server to server the HTML file listening on a different port.</p> <p>File <code>server2.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">9000</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">))</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`listening on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server.js listening on port 8000 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server2.js listening on port 9000 </code></pre> </div> <p>Let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtigi5zs2t21dbkujw7z.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtigi5zs2t21dbkujw7z.png" alt="CORS Error"></a></p> <p>The browser threw the error: </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Access to fetch at 'http://localhost:8000/api/posts' from origin 'http://localhost:9000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. </code></pre> </div> <p>To demonstrate why this happened, let's see how the browser and server communicate with a simple chat example.</p> <p><strong>Browser:</strong> "hello server <strong><a href="http://127.0.0.1:8000" rel="noopener noreferrer">http://127.0.0.1:8000</a></strong> please give me the data at /api/posts and let me know if the client at <strong><a href="http://localhost:9000" rel="noopener noreferrer">http://localhost:9000</a></strong> can access it. Here's the HTTP message:"</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Get /api/posts HTTTP1.1 User-Agent: Chrome Host: 127.0.0.1:8000 Accept: */* Origin: http://localhost:9000 </code></pre> </div> <p><strong>Server:</strong> "here is the data, and the client cannot have access because I don't have the origin <strong><a href="http://localhost:9000" rel="noopener noreferrer">http://localhost:9000</a></strong> as an allowed origin to access the data."</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> HTTP/1.1 200 OK </code></pre> </div> <p>The server responds with the data but the browser will not give it to the JavaScript client unless the server says that the client is allowed based on their origin.</p> <p>What server has to do to allow cross-origin requests is set the <code>Access-Control-Allow-Origin</code> response header. </p> <p>So let's try again by setting up CORS on the server now by adding a new header to every request. We'll be adding the <code>Access-Control-Allow-Origin</code> with a wildcard <code>*</code> value which tells the browser that any origin can access the resource.</p> <p>File <code>server.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">8000</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">))</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="nf">next</span><span class="p">()</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">([</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">foo</span><span class="dl">'</span><span class="p">},</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bar</span><span class="dl">'</span><span class="p">},</span> <span class="p">])</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`listening on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>Restart the server:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server.js listening on port 8000 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server2.js listening on port 9000 </code></pre> </div> <p>Side note: <code>server2.js</code> will not be changing throughout this tutorial so you can leave it running. We'll only be changing <code>server.js</code> from now on.</p> <p>Ok, now let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3zwbpe30jj9g17xaw16.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3zwbpe30jj9g17xaw16.png" alt="No CORS Error using allow origin header"></a></p> <p>To demonstrate why it works now, let's see how the browser and server communicate with a simple chat example again.</p> <p><strong>Browser:</strong> "hello server <strong><a href="http://127.0.0.1:8000" rel="noopener noreferrer">http://127.0.0.1:8000</a></strong> please give me the data at /api/posts and let me know if the client at <strong><a href="http://localhost:9000" rel="noopener noreferrer">http://localhost:9000</a></strong> can access it. Here's the HTTP message:"</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Get /api/posts HTTTP1.1 User-Agent: Chrome Host: 127.0.0.1:8000 Accept: */* Origin: http://localhost:9000 </code></pre> </div> <p><strong>Server:</strong> "here is the data, and yes any client can have access:"</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> HTTP/1.1 200 OK Access-Control-Allow-Origin: * </code></pre> </div> <h2> Access-Control-Allow-Origin </h2> <p>The most important CORS headers are:</p> <ul> <li>The <code>Origin</code> request header</li> <li>The<code>Access-Control-Allow-Origin</code> response header</li> </ul> <p>The origin is the host which is composed of the protocol, hostname, and port:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Origin = protocol + hostname + port </code></pre> </div> <p>Example protocols:</p> <ul> <li>http</li> <li>https</li> </ul> <p>Example hostnames:</p> <ul> <li>localhost</li> <li>example.com</li> <li>foo.example.com</li> </ul> <p>Example ports:</p> <ul> <li>80</li> <li>443</li> <li>8000</li> </ul> <p>Example origins:</p> <ul> <li><a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a></li> <li><a href="https://example.com" rel="noopener noreferrer">https://example.com</a></li> <li><a href="https://example.com:8000" rel="noopener noreferrer">https://example.com:8000</a></li> <li><a href="https://foo.example.com:8000" rel="noopener noreferrer">https://foo.example.com:8000</a></li> </ul> <p>The value <code>null</code> can be used a valid value for <code>Origin</code> when the browser origin can't be determined such as when using an absolute file path like <code>file:///Users/alice/wwww/index.html</code></p> <p>Browsers don't allow changing the origin header otherwise the client can pretend to be someone else.</p> <p>The value of the <code>Access-Control-Allow-Origin</code> header can either be a wildcard or an origin value.</p> <p>Example of valid headers:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Access-Control-Allow-Origin: * Access-Control-Allow-Origin: http://localhost:8000 Access-Control-Allow-Origin: http://example.com Access-Control-Allow-Origin: null </code></pre> </div> <p>You can only have one value so having multiple values like this is not valid:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> # Not valid values, can't have multiple! Access-Control-Allow-Origin: http://localhost:8000, http://example.com </code></pre> </div> <p>To support multiple origins, you'll have to replace the header value dynamically with the current origin who's making the request.</p> <p>For example, you would first check if the origin is whitelisted and then set the header:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">if </span><span class="p">(</span><span class="nx">whitelist</span><span class="p">.</span><span class="nf">contains</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>For localhost entries you can use a regular expression to match all port numbers, for example</p> <p>The regex <code>/^http://\/\/localhost(:\d+)?$/i</code> matches</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> http://localhost http://localhost:1 http://localhost:10 http://localhost:100 http://localhost:1000 http://localhost:2000 etc </code></pre> </div> <p>You can use a hardcoded whitelist, regular expressions, or database query. A blacklist is better than nothing but not recommended.</p> <p>Steps for origin validation:</p> <ul> <li>Read value from <code>Origin</code> header</li> <li>Validate origin using whitelist</li> <li>Set origin to value of <code>Access-Control-Allow-Origin</code> </li> </ul> <p>You can add <code>null</code> to your whitelist if you don't care that the origin is not set.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Access-Control-Allow-Origin: null </code></pre> </div> <p>TLDR;</p> <blockquote> <p><strong>Use the <code>Access-Control-Allow-Origin</code> header to tell the browser which origins are allowed to access the data.</strong></p> </blockquote> <h2> Preflight requests </h2> <p>For certain HTTP methods, the browser asks for permissions by doing what is known as a <em><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests" rel="noopener noreferrer">preflight request</a></em>. If the browser approves the response from the preflight request then the actual request is made. If the browser doesn't approve the response from the preflight request then the actual request is never made.</p> <p>HTTP methods that trigger a preflight request are:</p> <ul> <li><code>PUT</code></li> <li><code>PATCH</code></li> <li><code>DELETE</code></li> <li><code>TRACE</code></li> </ul> <p>HTTP methods that don't trigger a preflight request are known as <em><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simple_requests" rel="noopener noreferrer">simple requests</a></em> which are:</p> <ul> <li><code>HEAD</code></li> <li><code>GET</code></li> <li><code>POST</code></li> </ul> <p>A preflight request is a small request to the server from the browser before the main request and contains information such as which HTTP method is used and if any http headers are present. The server determines if the browser should send the actual request by returning a 2xx HTTP status code or return an error indicating that the client should not send the actual request.</p> <p><strong>The preflight request protects servers from receiving cross-origin requests they may not want.</strong> If a server is CORS-enabled it will know how to handle a preflight request and can respond accordingly. If the server doesn't understand or care about CORS then the server won't send the correct preflight response.</p> <p>The preflight request uses the <code>OPTIONS</code> HTTP method.</p> <p><strong>A preflight is triggered when:</strong></p> <ul> <li><p>The client request is using a method other than <code>GET</code>, <code>POST</code> or <code>HEAD</code> (which are known as <em>simple methods</em>)</p></li> <li> <p>Client sets the <code>Content-Type</code> request header with values other than:</p> <ul> <li><code>application/x-www-form-urencoded</code></li> <li><code>multipart/form-data</code></li> <li><code>text/plain</code></li> </ul> </li> <li> <p>Client sets additional request headers that are not:</p> <ul> <li><code>Accept</code></li> <li><code>Accept-Language</code></li> <li><code>Content-Language</code></li> </ul> </li> </ul> <p>Preflight responses should be in the <code>200</code> range (HTTP code 204 is standard) and contain no body. Containing a body can also confuse developers.</p> <p>Let make a <code>DELETE</code> request to demonstrate a preflight request. First we'll check if the request is a preflight request. And if it is then return the HTTP <code>204 No Content</code> status code.</p> <p>File <code>server.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">8000</span> <span class="kd">const</span> <span class="nx">isPreflight</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">OPTIONS</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">access-control-request-method</span><span class="dl">'</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">))</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPreflight</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">204</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="nf">next</span><span class="p">()</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">([</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">foo</span><span class="dl">'</span><span class="p">},</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bar</span><span class="dl">'</span><span class="p">},</span> <span class="p">])</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span><span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">})</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`listening on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>File <code>index.html</code></p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en-US"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:8000/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span> <span class="p">})</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">})()</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>Restart the server:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server.js listening on port 8000 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server2.js listening on port 9000 </code></pre> </div> <p>Now let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F47557vriunrfyuamr0a4.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F47557vriunrfyuamr0a4.png" alt="CORS Error when missing headers"></a></p> <p>We can see the error saying that the method <code>DELETE</code> is not allowed by CORS:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Access to fetch at 'http://localhost:8000/api/posts' from origin 'http://localhost:9000' has been blocked by CORS policy: Method DELETE is not allowed by Access-Control-Allow-Methods in preflight response. </code></pre> </div> <p>Remember, that simple requests such as <code>GET</code>, <code>POST</code>, or <code>HEAD</code> don't initiate a preflight request and they are automatically allowed methods by CORS but methods such as <code>DELETE</code> or <code>PUT</code> need to be explicit allowed by the server. </p> <p>To allow the <code>DELETE</code> method to be performed by the client we'll need to add the response header <code>Access-Control-Allow-Methods</code> in the preflight request.</p> <p>File <code>server.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPreflight</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Methods</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Add this!</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">204</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="nf">next</span><span class="p">()</span> <span class="p">})</span> </code></pre> </div> <p>And now the the <code>DELETE</code> request works as expected:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7jif4lp94q122rr62cnb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7jif4lp94q122rr62cnb.png" alt="No CORS Error with allow method header"></a></p> <p>Notice the different number of requests made in the two screenshots.</p> <ul> <li>In the first screenshot, the preflight request failed so the actual <code>DELETE</code> request was never made, creating only 1 request.</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqokv1w39njdm8haw4std.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqokv1w39njdm8haw4std.png" alt="Preflight fail"></a></p> <ul> <li>In the second screenshot, the preflight request succeeded so the actual <code>DELETE</code> request was made, creating 2 requests.</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fig5lsjpgaxk3oyxse993.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fig5lsjpgaxk3oyxse993.png" alt="Preflight success"></a></p> <p><strong>To reject a preflight request:</strong></p> <ul> <li>Leave out the <code>Access-Control-Allow-Origin</code> header.</li> <li>Return a value in <code>Access-Control-Allow-Methods</code> that doesn't match <code>Access-Control-Request-Method</code> header.</li> <li>If preflight request has an <code>Access-Control-Request-Header</code> <ul> <li>Leave out the <code>Access-Control-Allow-Headers</code> header.</li> <li>Return a value in the <code>Access-Control-Allow-Headers</code> header that doesn't match the <code>Access-Control-Request-Headers</code> header.</li> </ul> </li> </ul> <p>Both preflight response and actual response need the <code>Access-Control-Allow-Origin</code> header.</p> <p>The browser may cache the preflight response from the first request to a resource from that origin to avoid sending additional queries all the time.</p> <p>Preflights are stateless, meaning that the actual request doesn't contain any information connecting it to the preflight request.</p> <p>Preflight requests will never follow redirects. If trying to make a preflight request but server tries to redirect then the preflight request will fail. You can manually inspect the <code>Location</code> header to see where the server is trying to redirect you to. Only simple CORS requests (GET, POST, HEAD) will follow redirects.</p> <p>If redirect is the same server, then the <code>Origin</code> header will stay the same, otherwise it will be set to <code>null</code>.</p> <p>TLDR;</p> <blockquote> <p><strong>A preflight request determines if the client is allowed to make the actual request based on what the server allows. The request must be an <code>OPTIONS</code> method, have the <code>Access-Control-Request-Method</code> header (such as <code>DELETE</code> or <code>PUT</code>), and contain the <code>Origin</code> header to be considered a preflight request.</strong></p> </blockquote> <h2> Access-Control-Request-Method </h2> <p>The <code>Access-Control-Request-Method</code> is a single request header value that asks permission to use a specific HTTP method. This header is set by the browser when the client sends a non-simple method request. </p> <p>The <code>Access-Control-Request-Method</code> is only sent in the preflight request.</p> <p>The screenshot below shows the <code>Access-Control-Request-Method</code> request header in the preflight request and shows the response header <code>Access-Control-Allow-Methods</code> in the preflight response from when we did the <code>DELETE</code> request earlier.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpmgwcoi7jcbrmysgn98t.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpmgwcoi7jcbrmysgn98t.png" alt="CORS preflight Access-Control-Request-Method"></a></p> <p>Use accurate preflight headers to protect your server from unexpected requests. If your server only allows <code>GET</code> requests then don't put other headers in the <code>Access-Control-Allow-Methods</code> header.</p> <p>TLDR;</p> <blockquote> <p><strong>The browser will send the <code>Access-Control-Request-Method</code> request header in the preflight request to let the server know it's intending to use the requested method in the actual request. If the server allows that method, then the browser will make the actual request.</strong></p> </blockquote> <h2> Access-Control-Allow-Methods </h2> <p>The <code>Access-Control-Allow-Methods</code> is used in preflight requests to tell the client which methods are allowed with CORS. </p> <p>For example, having the <code>Access-Control-Allow-Methods: DELETE</code> header indicates the server allows the client to make <code>DELETE</code> requests to the URL.</p> <p>The <code>Access-Control-Allow-Methods</code> request header can have multiple values, for example:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE </code></pre> </div> <p>Remember that <code>GET</code>, <code>POST</code>, and <code>HEAD</code> are simple methods and always allowed so having them in the header is redundant and unnecessary, but some people like having them in the header because it's more to clear to them and avoids confusion.</p> <p>Example showing PUT and DELETE (in addition to simple methods) as allowed:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fseb5ytnuzvm30sw3p9kn.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fseb5ytnuzvm30sw3p9kn.png" alt="Allowed methods"></a></p> <p>TLDR;</p> <blockquote> <p><strong>The server should respond with the <code>Access-Control-Allow-Methods</code> response header to let the browser know which HTTP methods the client is allowed to make.</strong></p> </blockquote> <h2> Access-Control-Request-Headers </h2> <p>The <code>Access-Control-Request-Headers</code> request header is sent in the preflight request to let the server know which headers the client will be sending in the actual response. </p> <p>Let's try to send a custom header to the server.</p> <p>File <code>index.html</code></p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en-US"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:8000/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Headers</span><span class="p">({</span> <span class="dl">'</span><span class="s1">My-Custom-Header</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hello world</span><span class="dl">'</span> <span class="p">})</span> <span class="p">})</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">})()</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>Now let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dvvbwne5kmg5qsai4zy.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dvvbwne5kmg5qsai4zy.png" alt="CORS Error when using custom header"></a></p> <p>The browser responds with the error:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Access to fetch at 'http://localhost:8000/api/posts' from origin 'http://localhost:9000' has been blocked by CORS policy: Request header field my-custom-header is not allowed by Access-Control-Allow-Headers in preflight response. </code></pre> </div> <p>Since browsers enforce CORS policies, the headers that cannot be set by JavaScript are:</p> <ul> <li><code>Accept-Charset</code></li> <li><code>Accept-Encoding</code></li> <li><code>Access-Control-Request-Headers</code></li> <li><code>Access-Control-Request-Method</code></li> <li><code>Connection</code></li> <li><code>Content-Length</code></li> <li><code>Cookie</code></li> <li><code>Cookie2</code></li> <li><code>Date</code></li> <li><code>DNT</code></li> <li><code>Expect</code></li> <li><code>Host</code></li> <li><code>Keep-Alive</code></li> <li><code>Origin</code></li> <li><code>Referer</code></li> <li><code>TE</code></li> <li><code>Trailer</code></li> <li><code>Transfer-Encoding</code></li> <li><code>Upgrade</code></li> <li><code>User-Agent</code></li> <li><code>Via</code></li> <li>headers starting with <code>Proxy-</code> or <code>Sec-</code> </li> </ul> <p>These headers can only be set by the browser because they have special meaning. The browser will simply ignore the value that you set for those headers.</p> <p>For other headers, the server will have to give permission to the client to include custom request headers on the cross-origin request.</p> <p>We can see that the browser asked permission to access the custom header in the preflight request with the header <code>Access-Control-Request-Headers</code>:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu2uqb8afyk9cq9hg91aq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu2uqb8afyk9cq9hg91aq.png" alt="Preflight request header"></a></p> <p>The server needs to whitelist approved custom request headers and if doesn't whitelist the request headers then the request will fail.</p> <p>If doing a same-origin request, then the request can include any custom request header since the origin is trusted.</p> <p>By default CORS only allows the client to read these response headers:</p> <ul> <li><code>Cache-Control</code></li> <li><code>Content-Language</code></li> <li><code>Content-Type</code></li> <li><code>Expires</code></li> <li><code>Last-Modified</code></li> <li><code>Pragma</code></li> </ul> <p>If the server sets additional response headers then the client won't be able to see them. In order for the client to see additional response headers then the server to expose those headers which we'll go over in a bit.</p> <p>So to have the server be able to accept the client's custom header, it needs to explicitly allow that header by setting the response header <code>Access-Control-Allow-Headers</code> in the preflight response.</p> <p>File <code>server.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">8000</span> <span class="kd">const</span> <span class="nx">isPreflight</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">OPTIONS</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">access-control-request-method</span><span class="dl">'</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">))</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPreflight</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Methods</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">My-Custom-Header</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Add this!</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">204</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="nf">next</span><span class="p">()</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">([</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">foo</span><span class="dl">'</span><span class="p">},</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bar</span><span class="dl">'</span><span class="p">},</span> <span class="p">])</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span><span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">})</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`listening on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>Restart the server:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server.js listening on port 8000 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server2.js listening on port 9000 </code></pre> </div> <p>Now let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmm400f666mhwc644etk3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmm400f666mhwc644etk3.png" alt="No CORS error with allowed headers"></a></p> <p>The preflight responds with the allowed headers so the browser proceeds to make the actual request sending the custom request header.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw9k57y0aeacp473s1a7b.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw9k57y0aeacp473s1a7b.png" alt="Allow headers"></a></p> <p>Remember that headers starting with <code>Access-Control-Request-</code> are request headers by the browser asking for permission by the server and headers starting with <code>Access-Control-Allow-</code> are response headers sent by the server granting permissions to the browser.</p> <p><code>Access-Control-Allow-Headers</code> only needs to be present on preflight responses.</p> <p>TLDR;</p> <blockquote> <p><strong>The browser sends a <code>Access-Control-Request-Headers</code> request header in the preflight request to let the server know that the actual request will request the specified headers. If the server denies those headers to be requested, then the actual request will not be sent.</strong></p> </blockquote> <h2> Access-Control-Expose-Headers </h2> <p>The <code>Access-Control-Allow-Headers</code> header is used by the preflight to indicate which headers are allowed on the request while the <code>Access-Control-Expose-Headers</code> header is used by the actual response to indicate which response headers are visible to the client. </p> <p>The client won't be able to read a a response header if the server doesn't set in the expose header.</p> <p>Headers that are always exposed to the client are <em>simple headers</em> which are:</p> <ul> <li><code>Cache-Control</code></li> <li><code>Content-Language</code></li> <li><code>Content-Type</code></li> <li><code>Expires</code></li> <li><code>Last-Modified</code></li> <li><code>Pragma</code></li> </ul> <p>As an example let's try to read all the response headers on the client:</p> <p>File <code>index.html</code></p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en-US"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:8000/api/posts</span><span class="dl">'</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">entries</span><span class="p">()))</span> <span class="p">})()</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>Now let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6s47xudgke8175ok9ep2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6s47xudgke8175ok9ep2.png" alt="Client headers"></a></p> <p>Nothing surprising yet, we get back standard headers.</p> <p>Let's set a custom response header on the server side.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">8000</span> <span class="kd">const</span> <span class="nx">isPreflight</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">OPTIONS</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">access-control-request-method</span><span class="dl">'</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">))</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPreflight</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Methods</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">My-Custom-Header</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">204</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Timezone-Offset</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">240</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Add this!</span> <span class="p">}</span> <span class="nf">next</span><span class="p">()</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">([</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">foo</span><span class="dl">'</span><span class="p">},</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bar</span><span class="dl">'</span><span class="p">},</span> <span class="p">])</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span><span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">})</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`listening on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>Now let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6s47xudgke8175ok9ep2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6s47xudgke8175ok9ep2.png" alt="Client headers"></a></p> <p>Wait, we just see the same headers. The new header wasn't provided. Well this is because the server needs to set which headers are allowed to be read by the client with the <code>Access-Control-Expose-Headers</code> response header.</p> <p>Let's add <code>Access-Control-Expose-Headers</code> as a regular response header to tell the browser that the client is allowed to read the custom header:</p> <p>File <code>server.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">8000</span> <span class="kd">const</span> <span class="nx">isPreflight</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">OPTIONS</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">access-control-request-method</span><span class="dl">'</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">))</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPreflight</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Methods</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">My-Custom-Header</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">204</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Expose-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Timezone-Offset</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Add this!</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Timezone-Offset</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">240</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="nf">next</span><span class="p">()</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">([</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">foo</span><span class="dl">'</span><span class="p">},</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bar</span><span class="dl">'</span><span class="p">},</span> <span class="p">])</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span><span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">})</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`listening on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>Restart the server:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server.js listening on port 8000 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server2.js listening on port 9000 </code></pre> </div> <p>Now let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxstjuhxk8bk1a7j4glwm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxstjuhxk8bk1a7j4glwm.png" alt="No CORS error reading custom headers"></a></p> <p>We can now read the custom header the server sent to the browser in the client.</p> <p>TLDR;</p> <blockquote> <p><strong>Use <code>Access-Control-Expose-Headers</code> to allow the client to read additional non-simple headers.</strong></p> </blockquote> <h2> Access-Control-Max-Age </h2> <p>The <code>Access-Control-Max-Age</code> header indicates how long in seconds a preflight response should stay cached. Let's tell the browser to cache preflight response for 2 minutes (120 seconds) by setting the header <code>Access-Control-Max-Age</code> in the preflight response.</p> <p>File <code>server.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPreflight</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Methods</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">My-Custom-Header</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Max-Age</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">120</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Add this!</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">204</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Expose-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Timezone-Offset</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Timezone-Offset</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">240</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="nf">next</span><span class="p">()</span> <span class="p">})</span> </code></pre> </div> <p>Restart the server:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server.js listening on port 8000 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server2.js listening on port 9000 </code></pre> </div> <p>We can see the <code>Access-Control-Max-Age</code> header in the preflight response header:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb4mpxba165zorclnkux1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb4mpxba165zorclnkux1.png" alt="CORS Max Age"></a></p> <p>Firefox doesn't allow items to be cached longer than 24 hours while Chrome, Opera, and Safari cache items for a maximum of 5 minutes. If the <code>Access-Control-Max-Age</code> isn't specified then Firefox doesn't cache the preflight while Chrome, Opera, and Safari cache the preflight for 5 seconds.</p> <p>Maximize the <code>Access-Control-Max-Age</code> header for a better mobile experience by reducing number of network requests. </p> <p>To prevent proxy servers from caching responses from one client and sending them to a different client, use the <code>Vary: Origin</code> response header to indicate that the <code>Access-Control-Allow-Origin</code> will differ and should not be cached</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Vary: Origin </code></pre> </div> <p>For example:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">if </span><span class="p">(</span><span class="nf">isPreflight</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">whitelist</span><span class="p">.</span><span class="nf">contains</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">)))</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">))</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Vary</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Origin</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>TDLR;</p> <blockquote> <p><strong>The <code>Access-Control-Max-Age</code> tells the browser how long in seconds to cache preflight responses for.</strong></p> </blockquote> <h2> Access-Control-Allow-Credentials </h2> <p>The <code>Access-Control-Allow-Credentials</code> header is used to allow the client to send sensitive information like cookies in cross-origin requests.</p> <p>Cookies require additional configuration for security and safety reason because they contain sensitive information. It would be dangerous to accidentally send personal information to a website on a different origin if opt-in was enabled all the time.</p> <p>The JavaScript <code>document.cookie</code> API cannot read or write the value from another origin. Calling <code>document.cookie</code> only returns the clients own cookies and not the cross-origin cookies. Cookies themselves use the same-origin policy and each cookie has a path and a domain and only pages that match the path and domain can read the cookie.</p> <p>Cookies work best in situations where:</p> <ul> <li>You want to authorize users within your own ecosystem of clients and servers.</li> <li>You know exactly which clients will be accessing your server.</li> </ul> <p>Websites identify users through user credentials, with the most popular form being the cookie. Servers use cookies to store a unique identifier that identifies the use such as a session ID tied to a user ID.</p> <p>The same-origin HTTP request will always contain the cookie but cross-origin doesn't contain cookie by default.</p> <p>Enable the credentials option in the client side to send:</p> <ul> <li>Cookies</li> <li>Basic authentication</li> <li>Client-side SSL certs</li> </ul> <p>Let's set a cookie on the server and read the cookie on the client. For this example let's do it on the GET request for the posts. The response header for the cookie will be a simple key/value that can be read from any path.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Set-Cookie: username=alice; Path=/ </code></pre> </div> <p>File <code>server.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">8000</span> <span class="kd">const</span> <span class="nx">isPreflight</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">OPTIONS</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">access-control-request-method</span><span class="dl">'</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">static</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">))</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPreflight</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Methods</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">My-Custom-Header</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Max-Age</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">120</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">204</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Expose-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Timezone-Offset</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Timezone-Offset</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">240</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="nf">next</span><span class="p">()</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Set-Cookie</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">username=alice; Path=/</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Add this!</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">([</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">foo</span><span class="dl">'</span><span class="p">},</span> <span class="p">{</span><span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bar</span><span class="dl">'</span><span class="p">},</span> <span class="p">])</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span><span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">})</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`listening on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>File <code>index.html</code></p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en-US"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:8000/api/posts</span><span class="dl">'</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span> <span class="p">})()</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>Restart the server:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server.js listening on port 8000 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server2.js listening on port 9000 </code></pre> </div> <p>Now let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1rwm18jsm3kowhihwwiu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1rwm18jsm3kowhihwwiu.png" alt="No cookies read"></a></p> <p>Nothing was logged! That's because cookies are allowed to be read by default on cross-origin requests. We can tell the server that we wish to read the cookies by setting <code>credentials: 'include'</code> on the fetch request options.</p> <p>In the JavaScript fetch call you'll need to set <code>credentials: 'include'</code> to send cookies on cross-origin requests. If using <code>XMLHttpRequest</code> then you need to set <code>withCredentials: true</code>.</p> <p>File <code>index.html</code></p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en-US"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://localhost:8000/api/posts</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">'</span><span class="s1">include</span><span class="dl">'</span> <span class="p">})</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span> <span class="p">})()</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>Now let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk10pises36leopjfzquc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk10pises36leopjfzquc.png" alt="Cookies read wildcard error"></a></p> <p>We get the error:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Access to fetch at 'http://localhost:8000/api/posts' from origin 'http://localhost:9000' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. </code></pre> </div> <p>Which means that in order for the client to read cookies, the <code>Access-Control-Allow-Origin</code> cannot be a wildcard <code>*</code> and it has to be explicitly set to the origin that's allowed to read the cookies.</p> <p>Easy enough we can dynamically set the allowed origin to be the origin in the request header. In real world application you would be more secure and set to a whitelist of origins allowed to read cookies.</p> <p>File <code>server.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// res.set('Access-Control-Allow-Origin', '*') // remove this!</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">))</span> <span class="c1">// Add this!</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPreflight</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Methods</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">My-Custom-Header</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Max-Age</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">120</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">204</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Expose-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Timezone-Offset</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Timezone-Offset</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">240</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="nf">next</span><span class="p">()</span> <span class="p">})</span> </code></pre> </div> <p>Restart the server:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server.js listening on port 8000 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server2.js listening on port 9000 </code></pre> </div> <p>Now let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frv5bt3ljddabny3te8z1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frv5bt3ljddabny3te8z1.png" alt="Cookies credentials header error"></a></p> <p>We get the following error:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Access to fetch at 'http://localhost:8000/api/posts' from origin 'http://localhost:9000' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. </code></pre> </div> <p>This is because the browser needs to know that the server allows cookies to be read from cross-origin requests.</p> <p>To enable cookie support the server must have the <code>Access-Control-Allow-Credentials</code> header set to <code>true</code> in order to indicate that the client is allowed to read cookies as well as that the server allows to receive cookies.</p> <p>The only only value that the header <code>Access-Control-Allow-Credentials</code> can have is <code>true</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Access-Control-Allow-Credentials: true </code></pre> </div> <p>File <code>server.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Origin</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">))</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPreflight</span><span class="p">(</span><span class="nx">req</span><span class="p">))</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Methods</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">My-Custom-Header</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Max-Age</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">120</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">204</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Expose-Headers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Timezone-Offset</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Access-Control-Allow-Credentials</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Add this!</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Timezone-Offset</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">240</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="nf">next</span><span class="p">()</span> <span class="p">})</span> </code></pre> </div> <p>Restart the server:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server.js listening on port 8000 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>node server2.js listening on port 9000 </code></pre> </div> <p>Now let's see what happens when we visit the second server's webpage at <a href="http://localhost:9000/" rel="noopener noreferrer">http://localhost:9000/</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8t613sb6ijhkd99kbrl9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8t613sb6ijhkd99kbrl9.png" alt="Cookies read by client"></a></p> <p>The client can now read the cookies!</p> <p>We can see <code>Access-Control-Allow-Credentials</code> set to <code>true</code> and <code>Access-Control-Allow-Origin</code> set to the actual origin instead of the wildcard which both headers are required for cookies to be allowed on the client. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F75bi3abi162qtyjxrk1h.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F75bi3abi162qtyjxrk1h.png" alt="Credentials include header"></a></p> <p>The <code>Access-Control-Allow-Credentials</code> header can be present on both the preflight and actual request but the cookie will only be sent on the actual request. The header is only needed on the non-preflight response.</p> <p>TLDR;</p> <blockquote> <p><strong>Set the response header <code>Access-Control-Allow-Credentials: true</code> to allow the client to read sensitive information like cookies. Use <code>credentials: 'include' if using the fetch API or use</code>withCredentials: true<code>if using the XMLHttpRequest API.</code>Access-Control-Allow-Origin` can't be a wildcard when requesting credentials.</strong></p> </blockquote> <h2> CSRF </h2> <p>CSRF tokens are an unguessable token shared between the client and the server to protect against <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery" rel="noopener noreferrer">cross-site request forgery</a> (CSRF) attacks. The server serves the page to the client with the token as a header and the client sends the CSRF token on each request. If the server can't validate the token then the request is invalidated an rejected CSRf protection is needed when the client is requesting protected data using a cookie.</p> <p>Spoofing <code>Origin</code> with cURL is possible and easy but spoofing with a cookie is harder because cURL doesn't have access to the browser cookie directly or remotely.</p> <p>Where possible, consider same-origin requests instead of using CSRF since it's safer.</p> <p>Use something other than a cookie to validate user if building a public API, such as using Oauth2 instead.</p> <h2> Browser support </h2> <p>CORS is fully supported on:</p> <ul> <li>Chrome 3+</li> <li>Firefox 3.5+</li> <li>Safari 4+</li> <li>IE 10+</li> <li>Opera 12+</li> <li>iOS 3.2+</li> <li>Android 2.1+</li> </ul> <h2> Conclusion </h2> <p>We covered a variety of headers around CORS, including:</p> <ul> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin" rel="noopener noreferrer"><code>Access-Control-Allow-Origin</code></a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method" rel="noopener noreferrer"><code>Access-Control-Request-Method</code></a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers" rel="noopener noreferrer"><code>Access-Control-Request-Headers</code></a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers" rel="noopener noreferrer"><code>Access-Control-Allow-Headers</code></a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods" rel="noopener noreferrer"><code>Access-Control-Allow-Methods</code></a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers" rel="noopener noreferrer"><code>Access-Control-Expose-Headers</code></a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials" rel="noopener noreferrer"><code>Access-Control-Allow-Credentials</code></a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age" rel="noopener noreferrer"><code>Access-Control-Max-Age</code></a></li> </ul> <p>Questions to ask when adding CORS support:</p> <ul> <li>Why does the server need to support cross-origin requests?</li> <li>Is CORS being added to new service or existing?</li> <li>Which client should have access to the site?</li> <li>What browsers and devices will users be accessing the site from?</li> <li>Which HTTP methods and headers is the server supporting?</li> <li>Should the API support user-specific data? </li> <li>Will cookies be used to authenticate the user?</li> </ul> <p>TLDR;</p> <blockquote> <p><strong>Only allow cross-origin requests if you must absolutely have to and be very explicit about which origins, methods, headers, and credentials are allowed.</strong></p> </blockquote> <p>Resources:</p> <ul> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS" rel="noopener noreferrer">MDN - Cross-Origin Resource Sharing (CORS)</a></li> <li><a href="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" rel="noopener noreferrer">Wikipedia - Cross-origin resource sharing</a></li> <li><a href="https://www.test-cors.org/" rel="noopener noreferrer">Webpage to test CORS requests</a></li> <li><a href="https://github.com/expressjs/cors" rel="noopener noreferrer">Node.js CORS middleware</a></li> <li><a href="https://livebook.manning.com/book/cors-in-action/about-this-book/" rel="noopener noreferrer">CORS in Action</a></li> </ul> http cors webdev tutorial Miguel Thu, 13 Dec 2018 10:41:49 +0000 https://dev.to/miguelmota/how-unix-programmers-at-restaurants-search-menus--46ad https://dev.to/miguelmota/how-unix-programmers-at-restaurants-search-menus--46ad <p>A Unix programmer heads over to the local diner to get something to eat for lunch. He, or Bob as he prefers, knows better than to manually scan the entire menu with his eyeballs because it's inefficient. Bob knows that there's a better way to automate the process in searching for what he wants to eat.</p> <p>Last time he was here he had a pretty good pasta-and-shrimp plate for under 10 bucks. </p> <p>Bob wonder's if this same dish is still available. He pops open his laptop running Linux and scrapes the restaurant website menu table into a plain text file. </p> <p><code>menu.txt</code></p> <div class="highlight"><pre class="highlight plaintext"><code>the menu steak burrito $11.95 pasta and shrimp $9.75 caesar salad $6.50 </code></pre></div> <p>Now that Bob has the menu, he does a <code>grep</code> search for the pasta-and-shrimp plate:</p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat </span>menu.txt | <span class="nb">grep </span>shrimp pasta and shrimp <span class="nv">$9</span>.75 </code></pre></div> <p>So far so good. He filters for the price column by using <code>awk</code> and the <code>NF</code> variable (which is the number of columns fields available) in order to get the last column containing the prices:</p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat </span>menu.txt | <span class="nb">grep </span>shrimp | <span class="nb">awk</span> <span class="s1">'{print $NF}'</span> <span class="nv">$9</span>.75 </code></pre></div> <p>The starvation is kicking in and he's typing furiously by now. Bob proceeds with <code>sed</code> to turn the dollar amount into an integer by replacing everything except for what's inbetween the dollar symbol and decimal period. He'll use a capturing group and replace the contents with the first capture group <code>\1</code>:</p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat </span>menu.txt | <span class="nb">grep </span>shrimp | <span class="nb">awk</span> <span class="s1">'{print $NF}'</span> | <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/\$([0-9]+)\..*/\1/g'</span> 9 </code></pre></div> <p>Finally, using the handy <code>test</code> command and the less-than flag <code>-lt</code>, Bob can check whether the price is less than <code>10</code> with the help of <code>xargs</code> to pipe the value as the first argument to <code>test</code>: </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat </span>menu.txt | <span class="nb">grep </span>shrimp | <span class="nb">awk</span> <span class="s1">'{print $NF}'</span> | <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/\$([0-9]+)\..*/\1/g'</span> | xargs <span class="nt">-I</span> <span class="o">{}</span> <span class="nb">test</span> <span class="o">{}</span> <span class="nt">-lt</span> 10 </code></pre></div> <p>But wait there's no output! Actually, <code>test</code> returns an exit status code of <code>0</code> if the condition passes or <code>1</code> if no match.</p> <p>Bob simply echo's <em>Available</em> if the previous command was successful by using <code>&amp;&amp;</code>, otherwise he'll echo <em>:(</em> by using the double pipe <code>||</code> if it was not successful:</p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat </span>menu.txt | <span class="nb">grep </span>shrimp | <span class="nb">awk</span> <span class="s1">'{print $NF}'</span> | <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/\$([0-9]+)\..*/\1/g'</span> | xargs <span class="nt">-I</span> <span class="o">{}</span> <span class="nb">test</span> <span class="o">{}</span> <span class="nt">-lt</span> 10 <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s1">'Available!'</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s1">':('</span> Available! </code></pre></div> <p>Voila! there it is, the desired pasta-and-shrimp plate is still the under ten bucks. Bob is happy and proceeds to order his favorite dish.</p> <p>(hope you liked this intro post to unix pipes and bash commands!)</p> unix linux commandline comedy