AWS Cognito 和 CORS 安全问题 [英] AWS Cognito and CORS Security Concern
问题描述
我有一个 Web 客户端通过 AWS API Gateway 向 AWS Lambda 发出请求.我正在使用 AWS Cognito 和 Auth0 对用户进行身份验证.
I have a web client making requests to AWS Lambda via the AWS API Gateway. I'm using AWS Cognito, alongside Auth0, to authenticate users.
我的问题与来自 AWS API 网关端点的 CORS 响应标头有关,特别是设置为任何' * '"的 Access-Control-Allow-Origin 响应标头.本文指出了使用任何'*'"参数的风险,即黑客可以利用我们的站点来请求我们后端的任何方法":(CORS 安全链接).
My question is related to the CORS response headers from the AWS API Gateway endpoint, specifically the Access-Control-Allow-Origin response header that is set to any "' * '". This article indicates the risks of using the any "' * '" parameter, namely that a 'hacker can coopt our site to request any method' on our back-end: (CORS Security link).
虽然 Cognito 的身份验证可以证明提出请求的最终用户就是他所说的那个人,但 Cognito 的身份验证并不一定证明代表用户提出请求的网站是 mywebsite.comstrong> 而不是 attacker.com.
While Cognito's authentication may prove that the end user making the request is who he says he is, Cognito's authentication does not necessarily prove that the website that is making the request on behalf of the user is mywebsite.com rather than attacker.com.
Cognito 是否保证请求来自 mywebsite.com?
是否有一种安全的方法来实现任何' * '"Access-Control-Allow-Origin 响应标头?
推荐答案
Cognito 是否保证请求来自 mywebsite.com?
没有.Cognito 与您的域无关.它只关心用户身份验证/管理.
No. Cognito is agnostic of your domain. All it cares about is user authentication/management.
是否有一种安全的方法来实现任何' * '"Access-Control-Allow-Origin 响应标头?
好吧,是和不是.正如您在帖子中所说,Cognito 将对用户进行身份验证 因此,如果设置了 Access-Control-Allow-Origin '*',则允许任何域发出跨域请求,但如果它们无法提供有效的身份验证令牌,然后他们会收到 401 错误.
Well yes and no. As you said in your post, Cognito will authenticate the user So that means with Access-Control-Allow-Origin '*' set, any domain is allowed to make a Cross Origin request, but if they can't provide a valid authentication token, then they get get a 401 error back.
如果您想限制哪些域可以访问,则不能使用".'' 是一个通配符,因此允许任何值.因此,如果您只想让 mywebsite.com 能够发出 CORS 请求,则将*"替换为mywebsite.com".这使得只允许来自该域的请求.来自attacker.com 的请求现在将失败,因为它们没有正确的标头.
If you want to limit what domain can has access, then you can't use ''. '' is a wildcard and hence allows any value. So if you'd instead like to only have mywebsite.com be able to make a CORS request, then replace the '*' with 'mywebsite.com'. This makes it so only requests from that domain are allowed. Requests from attacker.com will now fail because they won't have the proper headers.
这篇关于AWS Cognito 和 CORS 安全问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
