HAProxy CORS setup

Hi all,

I’m trying to follow security guidelines and secure a backend application with proper HAProxy headers to allow for a safe CORS mechanism. I’m facing a few issues here:

  1. the backend application works on GET requests only; does CORS even work in such a scenario? Because I cannot obtain an Origin header with requests in the first place
  2. because of the above, the lua plugin for HAProxy 1.8+ is not working; am I missing something, or is this indeed true in such a scenario? Specifically, it is not providing any of the response headers that I set up myself
  3. if I craft an artificial request with an Origin header that contains a fake protocol://domain:port, I’m getting a CORS response from HAProxy; however, it defaults to some value that I did not provide in my configuration. It’s always the following settings that seem to be predefined:
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Origin
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Date

Please let me know if there’s anything specific I should look at. I spent a good amount of time on this topic already and I feel like my options are exhausted at this point.

Best Regards
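For reference, here is an added example (not part of the original post and not the lua plugin’s configuration) of doing the same thing with plain `http-request`/`http-response` rules: the Origin header is checked against an explicit allowlist and echoed back only when it matches, so a crafted or unknown Origin gets no `Access-Control-Allow-Origin: *` at all. Browsers do send `Origin` on cross-origin GET requests (no preflight is needed for them), so a GET-only backend is covered; the hostnames and backend address are constructed placeholders.

```haproxy
frontend fe_web
    bind *:80
    # Accept only origins on the allowlist (constructed example hostnames).
    acl cors_origin_ok req.hdr(Origin) -m str -i https://app.example.com https://admin.example.com
    # Remember the validated Origin in a transaction variable, because req.hdr()
    # is no longer available when http-response rules run.
    http-request set-var(txn.cors_origin) req.hdr(Origin) if cors_origin_ok
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
    # Echo the validated origin back instead of "*", and tell caches the answer varies by Origin.
    http-response set-header Access-Control-Allow-Origin %[var(txn.cors_origin)] if { var(txn.cors_origin) -m found }
    http-response set-header Vary Origin if { var(txn.cors_origin) -m found }
    # Advertise only what the backend really serves: GET plus preflight, a minimal header set.
    http-response set-header Access-Control-Allow-Methods "GET, OPTIONS" if { var(txn.cors_origin) -m found }
    http-response set-header Access-Control-Allow-Headers "Accept, Content-Type" if { var(txn.cors_origin) -m found }
    # Requests from any other origin get no CORS headers, so the browser refuses the cross-origin read.
```

Test it with two requests, one carrying an allowlisted `Origin` and one carrying an arbitrary value: only the first should come back with `Access-Control-Allow-Origin` set, and it should equal the origin you sent rather than `*`.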