Monday, July 30, 2018

security - Returning "200 OK" in Apache on HTTP OPTIONS requests




I'm attempting to implement cross-domain HTTP access control without touching any code.



I've got my Apache(2) server returning the correct Access Control headers with this block:



Header set Access-Control-Allow-Origin "*"                   
Header set Access-Control-Allow-Methods "POST, GET, OPTIONS"


I now need to prevent Apache from executing my code when the browser sends an HTTP OPTIONS request (it's stored in the REQUEST_METHOD environment variable), returning 200 OK.




How can I configure Apache to respond "200 OK" when the request method is OPTIONS?



I've tried this mod_rewrite block, but the Access Control headers are lost.



RewriteEngine On                  
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

Answer




You're adding a header to a non-success (non-2xx) response, such as a redirect, in which case only the table corresponding to always is used in the ultimate response.



Correct "Header set":



Header always set Access-Control-Allow-Origin "*"                   
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
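
The question's rewrite rule and the answer's headers combined into one block, as an added example that is not part of the original question or answer. It assumes mod_headers and mod_rewrite are enabled; the commented variant at the end goes beyond the page, and its origin host names are constructed placeholders.

```apache
# Added example (constructed), not from the original post.
# Assumes mod_headers and mod_rewrite are loaded.

# Before (from the question): the default condition is "onsuccess".
# Per the answer, headers in that table are lost on the response
# that the rewrite rule below generates.
# Header set Access-Control-Allow-Origin "*"
# Header set Access-Control-Allow-Methods "POST, GET, OPTIONS"

# After (from the answer): "always" puts the headers in the table
# that is used for every response, including locally generated ones.
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"

# Answer OPTIONS in the server so the application code is not executed
# (rule taken unchanged from the question).
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

# Variant (assumption, not on the page): replace the "*" line above with
# an allow-list that echoes the Origin only when it matches.
# app.example.com and admin.example.com are placeholder origins.
# SetEnvIf Origin "^https://(app|admin)\.example\.com$" CORS_ORIGIN=$0
# Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
# Header always merge Vary "Origin"
```

To check the result, send an OPTIONS request to the site (for example with `curl -i -X OPTIONS`) and confirm that the status line is 200 and both Access-Control headers are present.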
