jujudellago
PRO
said over 3 years ago
on
Cross-Origin Resource Sharing (CORS)
:
As I was struggling to secure my rails app, I thought this tutorial come right on time, unfortunately I'm still having a crucial problem.
While I could follow the steps, and configure rack-cors to allow requests from specific domains, what I really need to do now is make sure only my app can call the pages such as that /users.json. With rack-cors I can avoid other websites calling my site, but how can I avoid people calling the pages via curl for example ?
I wrote ruby wrappers to call other apis so that I would not expose my credentials in the javascript calls, so now my credentials are hidden, but I build access points who are totally opened to the world, even easier to use than the original API's as they don't require authentication....
I thought adding "protect_from_forgery" in the controller should take care of this but it has no effect.
is there a way to secure get requests as such ? or do I need to rewrite my app to use posts instead ? I'm a bit lost because I learned this process following this other tutorial
https://www.driftingruby.com/episodes/deeper-dive-into-stimulusjs
While I could follow the steps, and configure rack-cors to allow requests from specific domains, what I really need to do now is make sure only my app can call the pages such as that /users.json. With rack-cors I can avoid other websites calling my site, but how can I avoid people calling the pages via curl for example ?
I wrote ruby wrappers to call other apis so that I would not expose my credentials in the javascript calls, so now my credentials are hidden, but I build access points who are totally opened to the world, even easier to use than the original API's as they don't require authentication....
I thought adding "protect_from_forgery" in the controller should take care of this but it has no effect.
is there a way to secure get requests as such ? or do I need to rewrite my app to use posts instead ? I'm a bit lost because I learned this process following this other tutorial
https://www.driftingruby.com/episodes/deeper-dive-into-stimulusjs