Hi all,
I’m trying to follow security guidelines and secure a backend application with proper HAProxy headers to allow for a safe CORS mechanism. I’m facing a few issues here:
- the backend application works on GET requests only; does CORS even work in such a scenario? Because I cannot obtain an Origin header with requests in the first place
- because of the above, the Lua plugin for HAProxy 1.8+ is not working; am I missing something, or is this indeed true in such a scenario? Specifically, it is not providing any of the response headers that I set up myself
- if I craft an artificial request with an Origin header that contains a fake protocol://domain:port, I’m getting a CORS response from HAProxy; however, it defaults to some values that I did not provide in my configuration. It’s always the following settings, which seem to be predefined:
Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Origin
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Date
Please let me know if there’s anything specific I should look at. I spent a good amount of time on this topic already and I feel like my options are exhausted at this point.
Best Regards
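Browsers do send an Origin header on cross-origin GET requests too, so the proxy's response to a plain GET carrying Origin has to be checked as well as the preflight. Below is an added example, not part of the post or of the HAProxy Lua plugin, that audits one CORS response (the predefined headers quoted above are constructed into a dict) against an origin allowlist; the origin and allowlist values are assumptions.

```python
# Added example (not from the original post): audit the CORS headers a proxy
# returns for a cross-origin request against an origin allowlist.
from typing import Dict, List

# The response headers quoted in the post, constructed into a dict for the check
OBSERVED_DEFAULTS = {
    "Access-Control-Allow-Headers": "Accept, Authorization, Content-Type, Origin",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Expose-Headers": "Date",
}


def _csv(value: str) -> List[str]:
    """Split a comma-separated header value into lower-cased tokens."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def audit_cors(headers: Dict[str, str], request_origin: str, allowlist: List[str]) -> List[str]:
    """Return findings for one CORS response; an empty list means it looks sound."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return ["no Access-Control-Allow-Origin: the browser will block the response"]
    if acao == "*":
        findings.append("wildcard origin: any site can read the response")
        if "authorization" in _csv(h.get("access-control-allow-headers", "")):
            findings.append("wildcard origin while Authorization is an allowed header: "
                            "an API that expects credentials is exposed to every origin")
    else:
        if acao != request_origin:
            findings.append(f"Allow-Origin {acao!r} does not match request origin {request_origin!r}")
        if acao not in allowlist:
            findings.append(f"Allow-Origin {acao!r} is not in the allowlist (origin reflection?)")
        if "origin" not in _csv(h.get("vary", "")):
            findings.append("per-origin response without Vary: Origin (shared caches may serve it to other origins)")
    if h.get("access-control-allow-credentials", "").lower() == "true" and acao == "*":
        findings.append("credentials allowed with wildcard origin: browsers reject this combination")
    return findings


if __name__ == "__main__":
    # Assumed values: the origin of the calling web app and the allowlist it should match.
    for finding in audit_cors(OBSERVED_DEFAULTS, "https://app.example", ["https://app.example"]):
        print("FINDING:", finding)
```

Run it against the headers captured from `curl -i -H 'Origin: https://app.example' ...` to confirm the Lua plugin's configured allowlist is what actually reaches the client.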