View source for Steps-For-fixing-CORS-Vulnerability

= Steps for CORS Fixing in Serverbazar.in =

== Step 1: Create the CORS configuration file ==
Create a file named '''force-restrict-cors.conf''' at the following path:

<syntaxhighlight lang="bash">
nano /etc/httpd/conf.d/force-restrict-cors.conf
</syntaxhighlight>

---

== Step 2: Add CORS restriction configuration ==
Paste the following configuration into the file.  
This configuration allows requests **only** from the domain '''serverbazar.in'''.

<syntaxhighlight lang="apache">
<IfModule mod_headers.c>

 #################################################################
 # REMOVE ANY EXISTING CORS HEADERS (so PHP / WordPress cannot
 # reflect arbitrary Origin values)
 #################################################################

 Header always unset Access-Control-Allow-Origin
 Header always unset Access-Control-Allow-Methods
 Header always unset Access-Control-Allow-Headers
 Header always unset Access-Control-Allow-Credentials
 Header always unset Access-Control-Expose-Headers

 #################################################################
 # ALLOW ONLY https://serverbazar.in and https://www.serverbazar.in
 # Optional port allowed (e.g. :443)
 #################################################################

 SetEnvIfNoCase Origin "^https://(www\.)?serverbazar\.in(:[0-9]+)?$" IS_ALLOWED_ORIGIN

 Header always set Access-Control-Allow-Origin "%{HTTP_ORIGIN}e" env=IS_ALLOWED_ORIGIN
 Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS" env=IS_ALLOWED_ORIGIN
 Header always set Access-Control-Allow-Headers "Authorization, X-WP-Nonce, Content-Type, Content-Disposition, Content-MD5" env=IS_ALLOWED_ORIGIN

 # Enable ONLY if cross-site cookies / auth is required
 # Header always set Access-Control-Allow-Credentials "true" env=IS_ALLOWED_ORIGIN

</IfModule>
</syntaxhighlight>

---

== Step 3: Verify Apache configuration ==
Check the Apache configuration for any syntax errors:

<syntaxhighlight lang="bash">
httpd -t
</syntaxhighlight>

---

== Step 4: Reload Apache ==
Reload Apache to apply the changes:

<syntaxhighlight lang="bash">
sudo systemctl reload httpd
</syntaxhighlight>

---

== Step 5: Testing ==

=== Test with a non-allowed origin ===
<syntaxhighlight lang="bash">
curl -I -H "Origin: https://notallowed.com" https://serverbazar.in/wp-json/
</syntaxhighlight>

=== Test with an allowed origin ===
<syntaxhighlight lang="bash">
curl -I -H "Origin: https://serverbazar.in" https://serverbazar.in/wp-json/
</syntaxhighlight>