CORS跨域资源共享安全配置指南<\/h1>

1. CORS基础概念<\/h2>

1.1 CORS定义<\/h3>
CORS全称"跨域资源共享"(Cross-origin resource sharing)，是一种用于绕过SOP(同源策略)来实现跨域资源访问的技术。<\/p>

1.2 CORS与SOP的关系<\/h3>

SOP(同源策略)限制了网页的业务需求，不能使不同域的网页互相访问<\/li>

CORS的出现是为了弥补SOP的不足<\/li> <\/ul>

1.3 CORS漏洞<\/h3>
攻击者利用CORS技术获取用户敏感数据，导致信息泄露的安全问题。<\/p>

2. CORS漏洞验证方法<\/h2>

使用curl命令验证CORS配置：<\/p>

curl -vv -H "Origin: http:\/\/hack<\/span>${<\/span>你的域名}<\/span>"<\/span> http:\/\/${<\/span>你的域名}<\/span>
<\/span><\/span><\/code><\/pre>示例：<\/p>
curl -vv -H "Origin: http:\/\/hackbaidu.com"<\/span> http:\/\/xxxx.baidu.com
<\/span><\/span><\/code><\/pre>判断标准<\/strong>：<\/p>

如果Access-Control-Allow-Origin<\/code>返回*<\/code>或http:\/\/hackbaidu.com<\/code>，则存在漏洞<\/li>
如果未返回Access-Control-Allow-Origin<\/code>头，则不存在漏洞<\/li>
<\/ul>
3. CORS安全配置方案<\/h2>
3.1 代码层面配置<\/h3>
3.1.1 单个Controller配置（Spring框架）<\/h4>
@CrossOrigin<\/span>(<\/span>origins =<\/span> {<\/span>"http:\/\/localhost:9000"<\/span>,<\/span> "http:\/\/www.baidu.com"<\/span>})<\/span>
<\/span><\/span>@RequestMapping<\/span>(<\/span>"\/testCors.do"<\/span>)<\/span>
<\/span><\/span>public<\/span> @ResponseBody<\/span> String CORSTest<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> {<\/span>
<\/span><\/span>    String map =<\/span> "no_pass"<\/span>;<\/span>
<\/span><\/span>    String origin =<\/span> request.<\/span>getHeader<\/span>(<\/span>"Origin"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span>(<\/span>origin !=<\/span> null<\/span>){<\/span>
<\/span><\/span>        String safeOrigin =<\/span> SecurityUtil.<\/span>getSafeUrl<\/span>(<\/span>origin);<\/span>
<\/span><\/span>        if<\/span>(<\/span>safeOrigin !=<\/span> null<\/span>){<\/span>
<\/span><\/span>            map =<\/span> "pass"<\/span>;<\/span>
<\/span><\/span>            response.<\/span>setHeader<\/span>(<\/span>"Access-Control-Allow-Origin"<\/span>,<\/span> safeOrigin);<\/span>
<\/span><\/span>            response.<\/span>setContentType<\/span>(<\/span>"application\/json;charset=UTF-8"<\/span>);<\/span>
<\/span><\/span>            response.<\/span>setHeader<\/span>(<\/span>"Access-Control-Allow-Methods"<\/span>,<\/span> "POST, GET, OPTIONS, DELETE"<\/span>);<\/span>
<\/span><\/span>            response.<\/span>setHeader<\/span>(<\/span>"Access-Control-Max-Age"<\/span>,<\/span> "3600"<\/span>);<\/span>
<\/span><\/span>            response.<\/span>setHeader<\/span>(<\/span>"Access-Control-Allow-Headers"<\/span>,<\/span> "Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With,userId,token"<\/span>);<\/span>
<\/span><\/span>            response.<\/span>setHeader<\/span>(<\/span>"Access-Control-Allow-Credentials"<\/span>,<\/span> "true"<\/span>);<\/span>
<\/span><\/span>            response.<\/span>setHeader<\/span>(<\/span>"XDomainRequestAllowed"<\/span>,<\/span>"1"<\/span>);<\/span>
<\/span><\/span>        }<\/span> else<\/span>{<\/span>
<\/span><\/span>            map =<\/span> "checked_no_pass"<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span> else<\/span>{<\/span>
<\/span><\/span>        map =<\/span> "pass"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> map;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p>

不允许使用通配符*<\/code>配置<\/li>
只设置需要跨域的接口<\/li>
对origin来源进行严格验证<\/li>
<\/ul>
3.1.2 全局Controller配置<\/h4>
方式一：Java Bean注解配置<\/strong><\/p>
@Configuration<\/span>
<\/span><\/span>public<\/span> class<\/span> MyConfiguration<\/span> {<\/span>
<\/span><\/span>    @Bean<\/span>
<\/span><\/span>    public<\/span> FilterRegistrationBean corsFilter<\/span>()<\/span> {<\/span>
<\/span><\/span>        UrlBasedCorsConfigurationSource source =<\/span> new<\/span> UrlBasedCorsConfigurationSource();<\/span>
<\/span><\/span>        CorsConfiguration config =<\/span> new<\/span> CorsConfiguration();<\/span>
<\/span><\/span>        config.<\/span>setAllowCredentials<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        config.<\/span>addAllowedOrigin<\/span>(<\/span>"http:\/\/domain1.com"<\/span>);<\/span>
<\/span><\/span>        config.<\/span>addAllowedHeader<\/span>(<\/span>"*"<\/span>);<\/span>
<\/span><\/span>        config.<\/span>addAllowedMethod<\/span>(<\/span>"*"<\/span>);<\/span>
<\/span><\/span>        source.<\/span>registerCorsConfiguration<\/span>(<\/span>"\/**"<\/span>,<\/span> config);<\/span>
<\/span><\/span>        FilterRegistrationBean bean =<\/span> new<\/span> FilterRegistrationBean(<\/span>new<\/span> CorsFilter(<\/span>source));<\/span>
<\/span><\/span>        bean.<\/span>setOrder<\/span>(<\/span>0<\/span>);<\/span>
<\/span><\/span>        return<\/span> bean;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>方式二：XML配置<\/strong><\/p>
<!-- support cors--><\/span>
<\/span><\/span><filter><\/span>
<\/span><\/span>    <filter-name><\/span>CorsFilter<\/filter-name><\/span>
<\/span><\/span>    <filter-class><\/span>org.apache.catalina.filters.CorsFilter<\/filter-class><\/span>
<\/span><\/span>    <init-param><\/span>
<\/span><\/span>        <param-name><\/span>cors.allowed.headers<\/param-name><\/span>
<\/span><\/span>        <param-value><\/span>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,xsrf-token<\/param-value><\/span>
<\/span><\/span>    <\/init-param><\/span>
<\/span><\/span><\/filter><\/span>
<\/span><\/span><filter-mapping><\/span>
<\/span><\/span>    <filter-name><\/span>CorsFilter<\/filter-name><\/span>
<\/span><\/span>    <url-pattern><\/span>www.test.com<\/url-pattern><\/span>
<\/span><\/span><\/filter-mapping><\/span>
<\/span><\/span><\/code><\/pre>3.2 Nginx配置方案<\/h3>
set<\/span> $cors_origin ""<\/span>;
<\/span><\/span>if<\/span> (<\/span>$http_origin ~*<\/span> "^http:\/\/127.0.0.1<\/span>$")<\/span> {
<\/span><\/span>    set<\/span> $cors_origin $http_origin;
<\/span><\/span>}
<\/span><\/span>if<\/span> (<\/span>$http_origin ~*<\/span> "^http:\/\/localhost<\/span>$")<\/span> {
<\/span><\/span>    set<\/span> $cors_origin $http_origin;
<\/span><\/span>}
<\/span><\/span>add_header<\/span> Access-Control-Allow-Origin<\/span> $cors_origin;
<\/span><\/span>
<\/span><\/span>location<\/span> \/<\/span> {
<\/span><\/span>    if<\/span> (<\/span>$request_method = 'OPTIONS')<\/span> {
<\/span><\/span>        add_header<\/span> Access-Control-Allow-Origin<\/span> $cors_origin;
<\/span><\/span>        add_header<\/span> Access-Control-Allow-Methods<\/span> GET,POST,PUT,DELETE,OPTIONS<\/span>;
<\/span><\/span>        return<\/span> 204<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>注意事项<\/strong>：<\/p>

不要同时在Nginx和后端代码中配置CORS，会导致跨域配置失败<\/li>
浏览器会收到两个Access-Control-Allow-Origin<\/code>头，导致错误<\/li>
<\/ul>
3.3 Kubernetes Ingress配置（YAML方案）<\/h3>
apiVersion<\/span>: networking.k8s.io\/v1<\/span>
<\/span><\/span>kind<\/span>: Ingress<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: example-ingress<\/span>
<\/span><\/span>  annotations<\/span>:
<\/span><\/span>    nginx.ingress.kubernetes.io\/rewrite-target<\/span>: \/<\/span>
<\/span><\/span>    nginx.ingress.kubernetes.io\/configuration-snippet<\/span>: |
<\/span><\/span><\/span>      set $allow_cors "";
<\/span><\/span><\/span>      if ($http_origin ~ "^https?:\/\/([a-zA-Z0-9.-]+\.)?test\.com(:\d+)?$") {
<\/span><\/span><\/span>        set $allow_cors "true";
<\/span><\/span><\/span>      }
<\/span><\/span><\/span>      more_set_headers 'Access-Control-Allow-Origin: $allow_cors';<\/span>      
<\/span><\/span>spec<\/span>:
<\/span><\/span>  rules<\/span>:
<\/span><\/span>    - host<\/span>: your.host.example.com<\/span>
<\/span><\/span>      http<\/span>:
<\/span><\/span>        paths<\/span>:
<\/span><\/span>          - path<\/span>: \/<\/span>
<\/span><\/span>            pathType<\/span>: Prefix<\/span>
<\/span><\/span>            backend<\/span>:
<\/span><\/span>              service<\/span>:
<\/span><\/span>                name<\/span>: your-service-name<\/span>
<\/span><\/span>                port<\/span>:
<\/span><\/span>                  name<\/span>: http<\/span>
<\/span><\/span><\/code><\/pre>4. 跨域测试方案<\/h2>
在浏览器开发者控制台执行以下JavaScript代码测试：<\/p>
var<\/span> xhr<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>xhr<\/span>.open<\/span>('GET'<\/span>, 'https:\/\/www.xxx.com\/api\/action'<\/span>);
<\/span><\/span>xhr<\/span>.send<\/span>(null<\/span>);
<\/span><\/span>xhr<\/span>.onload<\/span> =<\/span> function<\/span>(e<\/span>) {
<\/span><\/span>    var<\/span> xhr<\/span> =<\/span> e<\/span>.target<\/span>;
<\/span><\/span>    console<\/span>.log<\/span>(xhr<\/span>.responseText<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>结果分析<\/strong>：<\/p>

请求超时：网络不通或地址无效<\/li>
正常返回：支持跨域<\/li>
返回错误：不支持跨域<\/li>
<\/ol>
5. 安全配置最佳实践<\/h2>


白名单原则<\/strong>：<\/p>

只设置企业内部需要的域名<\/li>
不允许使用通配符*<\/code>配置<\/li>
具体域名不使用任何通配符（如*.test.com<\/code>一级域名不能被统配）<\/li>
<\/ul>
<\/li>

配置层级选择<\/strong>：<\/p>

只在一个地方配置CORS（Nginx或后端代码）<\/li>
避免多层配置导致冲突<\/li>
<\/ul>
<\/li>

敏感接口保护<\/strong>：<\/p>

CORS和JSONP接口不开放给外部调用<\/li>
白名单内只设置企业内部域名<\/li>
<\/ul>
<\/li>

黑白盒结合测试<\/strong>：<\/p>

代码扫描可能无法发现Nginx层的配置问题<\/li>
必须进行黑盒测试验证实际效果<\/li>
<\/ul>
<\/li>
<\/ol>

CORS跨域资源共享安全配置指南<\/h1>

1. CORS基础概念<\/h2>

1.1 CORS定义<\/h3> CORS全称"跨域资源共享"(Cross-origin resource sharing)，是一种用于绕过SOP(同源策略)来实现跨域资源访问的技术。<\/p>

1.3 CORS漏洞<\/h3> 攻击者利用CORS技术获取用户敏感数据，导致信息泄露的安全问题。<\/p>

3. CORS安全配置方案<\/h2>

3.1 代码层面配置<\/h3>

1.1 CORS定义<\/h3>
CORS全称"跨域资源共享"(Cross-origin resource sharing)，是一种用于绕过SOP(同源策略)来实现跨域资源访问的技术。<\/p>

1.3 CORS漏洞<\/h3>
攻击者利用CORS技术获取用户敏感数据，导致信息泄露的安全问题。<\/p>