Steps-For-fixing-CORS-Vulnerability

From Notes_Wiki

Steps for fixing the CORS misconfiguration on serverbazar.in

Step 1: Create the CORS configuration file

Create a file named force-restrict-cors.conf at the following path (on RHEL-family systems the default httpd.conf picks up every *.conf file in /etc/httpd/conf.d/ automatically via IncludeOptional, so nothing else needs to be edited):

nano /etc/httpd/conf.d/force-restrict-cors.conf

---

Step 2: Add CORS restriction configuration

Paste the following configuration into the file. It strips any Access-Control-* headers the application emits and then allows cross-origin requests **only** from https://serverbazar.in and https://www.serverbazar.in; every other Origin gets no Access-Control-Allow-Origin header at all instead of having its value reflected back.

<IfModule mod_headers.c>

 #################################################################
 # REMOVE ANY EXISTING CORS HEADERS (so PHP / WordPress cannot
 # reflect arbitrary Origin values).
 # Both the "onsuccess" (default) and "always" forms are needed:
 # headers emitted by the application end up in the onsuccess
 # table under mod_php but in the always table under CGI/FastCGI
 # (php-fpm), and "always" is not a superset of the default table.
 #################################################################

 Header unset Access-Control-Allow-Origin
 Header unset Access-Control-Allow-Methods
 Header unset Access-Control-Allow-Headers
 Header unset Access-Control-Allow-Credentials
 Header unset Access-Control-Expose-Headers

 Header always unset Access-Control-Allow-Origin
 Header always unset Access-Control-Allow-Methods
 Header always unset Access-Control-Allow-Headers
 Header always unset Access-Control-Allow-Credentials
 Header always unset Access-Control-Expose-Headers

 #################################################################
 # ALLOW ONLY https://serverbazar.in and https://www.serverbazar.in
 # Optional port allowed (e.g. :443).
 # The matched Origin value is captured into IS_ALLOWED_ORIGIN so
 # the header value does not depend on the CGI variable HTTP_ORIGIN,
 # which is only exported for CGI/PHP requests, not for static files.
 #################################################################

 SetEnvIfNoCase Origin "^(https://(www\.)?serverbazar\.in(:[0-9]+)?)$" IS_ALLOWED_ORIGIN=$1

 Header always set Access-Control-Allow-Origin "%{IS_ALLOWED_ORIGIN}e" env=IS_ALLOWED_ORIGIN
 Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS" env=IS_ALLOWED_ORIGIN
 Header always set Access-Control-Allow-Headers "Authorization, X-WP-Nonce, Content-Type, Content-Disposition, Content-MD5" env=IS_ALLOWED_ORIGIN

 # The response now depends on the Origin header; tell caches so a
 # response stored for one origin is not served to another.
 Header always merge Vary Origin

 # Enable ONLY if cross-site cookies / auth is required
 # Header always set Access-Control-Allow-Credentials "true" env=IS_ALLOWED_ORIGIN

</IfModule>

---

Step 3: Verify Apache configuration

Check the Apache configuration for any syntax errors:

httpd -t

---

Step 4: Reload Apache

Reload Apache to apply the changes:

sudo systemctl reload httpd

---

Step 5: Testing

Test with a non-allowed origin. The response must contain no Access-Control-Allow-Origin header; if the foreign origin is still echoed back, the header is still being reflected.

curl -I -H "Origin: https://notallowed.com" https://serverbazar.in/wp-json/

Test with an allowed origin. The response must contain Access-Control-Allow-Origin: https://serverbazar.in (exactly the Origin that was sent).

curl -I -H "Origin: https://serverbazar.in" https://serverbazar.in/wp-json/
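The two curl commands above only cover one allowed and one foreign origin. The script below is an added example, not part of the Notes_Wiki page: it runs offline, evaluates the same allow-list regex the SetEnvIfNoCase line uses against look-alike origins (wrong scheme, suffix and prefix domains, a null origin), and checks header dumps in the shape curl -I prints for the behaviour the config intends. The three response samples are constructed, not captured from serverbazar.in.

```shell
#!/bin/sh
# Added example (not from the Notes_Wiki page): offline checks for the
# CORS allow-list in force-restrict-cors.conf. The regex is the one used
# in the SetEnvIfNoCase line; the header dumps are constructed samples.

ALLOWED_ORIGIN_RE='^https://(www\.)?serverbazar\.in(:[0-9]+)?$'

# origin_allowed ORIGIN: succeed iff ORIGIN matches the allow-list.
# -i mirrors SetEnvIfNoCase (case-insensitive); -E is the same ERE syntax.
origin_allowed() {
    printf '%s\n' "$1" | grep -Eiq "$ALLOWED_ORIGIN_RE"
}

# acao_header: read response headers on stdin and print the value of
# Access-Control-Allow-Origin (prints nothing if the header is absent).
acao_header() {
    tr -d '\r' | awk '
        tolower($0) ~ /^access-control-allow-origin:/ {
            sub(/^[^:]*:[ \t]*/, ""); print
        }'
}

# check_response ORIGIN: headers on stdin; succeed iff the server behaved
# as the config intends for ORIGIN: an allowed origin is echoed verbatim,
# every other origin gets no Access-Control-Allow-Origin header at all.
check_response() {
    acao=$(acao_header)
    if origin_allowed "$1"; then
        [ "$acao" = "$1" ]
    else
        [ -z "$acao" ]
    fi
}

# Constructed sample responses (not captured from the live site).
RESP_ALLOWED='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://serverbazar.in
Vary: Origin
Content-Type: application/json'

RESP_DENIED='HTTP/1.1 200 OK
Content-Type: application/json'

# What a still-vulnerable server returns: the foreign Origin reflected back.
RESP_REFLECTED='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://notallowed.com
Content-Type: application/json'

# Stand-alone run: exercise the regex against look-alike origins, then the
# response checks. Prints one line per case.
for o in https://serverbazar.in https://www.serverbazar.in:443 \
         http://serverbazar.in https://serverbazar.in.example.com \
         https://evilserverbazar.in null; do
    if origin_allowed "$o"; then echo "allow  $o"; else echo "deny   $o"; fi
done

printf '%s\n' "$RESP_ALLOWED"   | check_response https://serverbazar.in && echo "ok: allowed origin echoed"
printf '%s\n' "$RESP_DENIED"    | check_response https://notallowed.com && echo "ok: foreign origin gets no ACAO"
printf '%s\n' "$RESP_REFLECTED" | check_response https://notallowed.com || echo "FAIL: foreign origin reflected"
```

To run the same check against the live server, pipe the page's curl command into check_response, e.g. curl -sI -H "Origin: https://notallowed.com" https://serverbazar.in/wp-json/ | check_response https://notallowed.com, and treat a non-zero exit as a failed test. If a foreign origin is still reflected after the reload, check which header table the application writes to: Header always unset only touches Apache's "always" table (where CGI/FastCGI responses land), while headers set under mod_php sit in the default "onsuccess" table and need a plain Header unset as well.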