AWS Cognito and CORS Security Concern


Question

I have a web client making requests to AWS Lambda via the AWS API Gateway. I'm using AWS Cognito, alongside Auth0, to authenticate users.

My question is related to the CORS response headers from the AWS API Gateway endpoint, specifically the Access-Control-Allow-Origin response header that is set to any ('*'). This article indicates the risks of using the any ('*') parameter, namely that a 'hacker can co-opt our site to request any method' on our back-end: (CORS Security link).

While Cognito's authentication may prove that the end user making the request is who he says he is, Cognito's authentication does not necessarily prove that the website that is making the request on behalf of the user is mywebsite.com rather than attacker.com.

Does Cognito guarantee that the request originated from mywebsite.com?

Is there a secure way to implement the any ('*') Access-Control-Allow-Origin response header?

Answer

Does Cognito guarantee that the request originated from mywebsite.com?

No. Cognito is agnostic of your domain. All it cares about is user authentication/management.

Is there a secure way to implement the any ('*') Access-Control-Allow-Origin response header?

Well, yes and no. As you said in your post, Cognito will authenticate the user. So that means with Access-Control-Allow-Origin '*' set, any domain is allowed to make a cross-origin request, but if they can't provide a valid authentication token, then they get a 401 error back.

If you want to limit which domains have access, then you can't use '*'. '*' is a wildcard and hence allows any value. So if you'd instead like to only have mywebsite.com be able to make a CORS request, then replace the '*' with 'mywebsite.com'. This makes it so only requests from that domain are allowed. Requests from attacker.com will now fail because they won't have the proper headers.
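The two points in the answer combined in one Lambda proxy handler, as an added example that is not code from the question, the answer or AWS: the Access-Control-Allow-Origin header is computed from an allowlist (echoing the matching origin, never '*'), while a separate token check returns 401 when no valid bearer token is presented. The allowlist, the `is_valid_token` stand-in (a real handler would verify the Cognito JWT) and the token value are constructed for the example; note that the origin check only controls what a browser is allowed to read, it is the token check that decides whether the request is served at all.

```python
import json

# Constructed allowlist for the example: only the site from the question may make CORS requests.
ALLOWED_ORIGINS = {"https://mywebsite.com"}


def cors_headers(origin):
    """Return CORS headers for an allowlisted origin, or an empty dict otherwise (no '*' fallback)."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Headers": "Authorization,Content-Type",
        "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
        # The header value depends on the request's Origin, so shared caches must key on it.
        "Vary": "Origin",
    }


def is_valid_token(token):
    """Stand-in for verifying the Cognito JWT (signature, issuer, audience, expiry); constructed."""
    return token == "valid-token-constructed"


def lambda_handler(event, context=None):
    """API Gateway Lambda proxy handler: allowlisted CORS plus a 401 for missing/invalid tokens."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    cors = cors_headers(headers.get("origin", ""))
    if event.get("httpMethod", "GET") == "OPTIONS":
        # Preflight carries no token; answer only with the allowlist decision.
        return {"statusCode": 204 if cors else 403, "headers": cors, "body": ""}
    auth = headers.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if not is_valid_token(token):
        # Any origin, allowlisted or not, gets 401 without a valid token.
        return {"statusCode": 401, "headers": cors, "body": json.dumps({"message": "Unauthorized"})}
    return {"statusCode": 200, "headers": cors, "body": json.dumps({"message": "ok"})}
```

A valid token from a non-allowlisted origin is still processed by the function (the browser just cannot read the response), which is why the allowlist is not a substitute for authentication.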
