What is CORS? How does it help with API Security?
If I tell you that CORS stands for Cross-Origin Resource Sharing, it might sound too technical.
So let me break it down with a simple example.
Imagine you are at a restaurant and want to order something. You place your order with a waiter, who takes care of it and gets it done for you. Right? You don’t walk into the kitchen and read your order to the chef!
But imagine if people went straight to the kitchen and read their orders to the chef. Two things may happen:
1. The chef may be overwhelmed by the flood of orders and collapse without cooking anything.
2. The chef may receive unwanted orders, which he may prepare and serve by mistake.
In both cases, the kitchen is left open for anything unwanted or unexpected to happen.
So what is the solution here? The waiter.
Without you even noticing, the waiter is keeping you from walking into the kitchen and ordering from the chef directly, and is also making sure that your order is valid (generally by means of a token or a receipt).
In system design, where you have a front-end, a back-end, middlewares, data stores, queues etc., each working in its own network, it is absolutely necessary to restrict unwanted access. One way to do it is to allow requests only from those origins (sources) which are well known to the back-end.
A front-end runs in its own domain (say www.mycook.com), and it calls an API to place orders (www.api.mycook.com).
The back-end is wired such that no request coming from anywhere other than www.mycook.com is allowed to access it, and any such attempt is forbidden.
This access across different domains (www.mycook.com ➡️ www.api.mycook.com) is called Cross-Origin Resource Sharing, or CORS.
If a request fails because access is not allowed, it throws a Preflight Request Failed error and the request is not allowed to move forward.
What is a Preflight request?
In API interactions, a cross-origin client browser will first make a call to the API resource it wants to hit. This call is automatic and uses the OPTIONS verb.
We call it a preflight request.
The API then returns all the calls allowed for that client and also tells it whether the request it is about to make is going to be accepted or not.
If the request is not going to work, this OPTIONS request fails with a “preflight request failure” exception.
How does CORS help?
1. CORS helps us block unwanted access to network resources (servers, queues, storage etc.)
2. CORS helps us allow fine-grained access to resources (by domain, method, headers etc.)
3. Every framework has its own implementation of CORS; you just need to use the respective library
For example, ASP.NET Core has a CORS middleware that you need to configure before an API resource can be accessed.
Similarly, ExpressJS has a cors() middleware that needs to be added before the endpoints are defined.
Remember this: if CORS is not configured, then the API will reject cross-origin requests by default.
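As an added example (not code from the original post or from the cors() library itself), here is the preflight check such a middleware performs, written out in plain Node.js against an origin allowlist; the www.mycook.com origin is the post's, the other origin, method and header names are assumed for the demo.

```javascript
// Added example, not code from the original post: a minimal CORS/preflight
// check written in plain Node.js (no dependencies), mirroring what the
// ExpressJS cors() middleware does when given an origin allowlist.
// The origins, methods and headers below are assumed values for this demo.
const ALLOWED_ORIGINS = new Set(["https://www.mycook.com"]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"]; // compared lowercase

// req = { method, headers } with lowercase header names, as Node's http
// module delivers them. Returns { allowed, status, headers }:
//   status 204 -> answer the preflight here, do not run the API handler
//   status 403 -> preflight rejected (the browser reports "preflight failed")
//   status null -> continue to the API handler with `headers` attached
function corsResponse(req) {
  const origin = req.headers["origin"];
  const headers = { Vary: "Origin" }; // caches must not share answers across origins
  // No Origin header: same-origin page or non-browser client; CORS does not apply.
  if (!origin) return { allowed: true, status: null, headers };
  const preflight = req.method === "OPTIONS" && !!req.headers["access-control-request-method"];
  // Unknown origin: send no Access-Control-Allow-* headers at all. The browser
  // then refuses to hand the response to the page. Note the actual (non-preflight)
  // request still reaches the handler, so the API needs its own authentication.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, status: preflight ? 403 : null, headers };
  }
  // Echo the exact allowed origin rather than "*": "*" is refused by browsers
  // for credentialed requests and would let any site read the response.
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  if (!preflight) return { allowed: true, status: null, headers };
  // Preflight: check the method and headers the page intends to use.
  const wantMethod = req.headers["access-control-request-method"].toUpperCase();
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { allowed: false, status: 403, headers };
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // browser may cache this answer for 10 minutes
  return { allowed: true, status: 204, headers };
}

// Demo: the preflight the www.mycook.com page sends before a POST, then the
// same preflight from an origin the API has never heard of.
console.log(corsResponse({ method: "OPTIONS", headers: {
  origin: "https://www.mycook.com", "access-control-request-method": "POST",
  "access-control-request-headers": "Content-Type, Authorization" } }));
console.log(corsResponse({ method: "OPTIONS", headers: {
  origin: "https://other.example", "access-control-request-method": "POST" } }));
```

Only browsers honour these headers; a script or curl call ignores them entirely, which is why the allowlist complements, and does not replace, authentication on each endpoint.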
That’s all about CORS. Hope this gives you a better understanding of this concept. Please share it with your friends.
What other concepts do you want me to cover? Please comment below.
#api #development #cors #security #design #share #data