OPTIONS headers disabled on web server (.NET Web API and Angular)
Our company maintains PCI compliance (along with a few others). As part of our most recent security audit it was determined by our infrastructure team and auditors that OPTIONS headers should be completely disabled as it posed a security threat.
We use .NET web APIs (on multiple subdomains) with Angular 6/7 websites. With the OPTIONS headers now disabled, the preflight calls from Angular are rejected and our apps fail at the first API call to another subdomain (e.g., Authentication, which is one of our first functions and lives on auth.mycompany.com with our app on app.mycompany.com).
I've done quite a bit of reading (and would be THRILLED to have someone mark this as a duplicate if it leads to a solution :)) however, I have not been able to find any solutions that would work. Most articles call for white listing valid OPTIONS calls (Why is HTTP Options request insecure and https://security.stackexchange.com/questions/138567/why-should-the-options-method-not-be-allowed-on-an-http-server are two examples) or setting up a proxy on the same subdomain (Preflight CORS requests with Basic Authentication in Angular 2).
My question is, is there a way to configure the OPTIONS header that will allow us to pass our security scans and still allow our CORS calls from Angular?
Thanks in advance for your help!
.net
angular api cors options asked Nov 13 '18 at 16:11
ryanlifferthryanlifferth
65116
add a comment |
Our company maintains PCI compliance (along with a few others). As part of our most recent security audit it was determined by our infrastructure team and auditors that OPTIONS headers should be completely disabled as it posed a security threat.
We use .NET web APIs (on multiple subdomains) with Angular 6/7 websites. With the OPTIONS headers now disabled, the preflight calls from Angular are rejected and our apps fail at the first API call to another subdomain (e.g., Authentication, which is one of our first functions and lives on auth.mycompany.com with our app on app.mycompany.com).
I've done quite a bit of reading (and would be THRILLED to have someone mark this as a duplicate if it leads to a solution :)) however, I have not been able to find any solutions that would work. Most articles call for white listing valid OPTIONS calls (Why is HTTP Options request insecure and https://security.stackexchange.com/questions/138567/why-should-the-options-method-not-be-allowed-on-an-http-server are two examples) or setting up a proxy on the same subdomain (Preflight CORS requests with Basic Authentication in Angular 2).
My question is, is there a way to configure the OPTIONS header that will allow us to pass our security scans and still allow our CORS calls from Angular?
Thanks in advance for your help!
.net
angular api cors options asked Nov 13 '18 at 16:11
ryanlifferthryanlifferth
65116
add a comment |
Our company maintains PCI compliance (along with a few others). As part of our most recent security audit it was determined by our infrastructure team and auditors that OPTIONS headers should be completely disabled as it posed a security threat.
We use .NET web APIs (on multiple subdomains) with Angular 6/7 websites. With the OPTIONS headers now disabled, the preflight calls from Angular are rejected and our apps fail at the first API call to another subdomain (e.g., Authentication, which is one of our first functions and lives on auth.mycompany.com with our app on app.mycompany.com).
I've done quite a bit of reading (and would be THRILLED to have someone mark this as a duplicate if it leads to a solution :)) however, I have not been able to find any solutions that would work. Most articles call for white listing valid OPTIONS calls (Why is HTTP Options request insecure and https://security.stackexchange.com/questions/138567/why-should-the-options-method-not-be-allowed-on-an-http-server are two examples) or setting up a proxy on the same subdomain (Preflight CORS requests with Basic Authentication in Angular 2).
My question is, is there a way to configure the OPTIONS header that will allow us to pass our security scans and still allow our CORS calls from Angular?
Thanks in advance for your help!
.net
angular api cors options asked Nov 13 '18 at 16:11
ryanlifferthryanlifferth
65116
Our company maintains PCI compliance (along with a few others). As part of our most recent security audit it was determined by our infrastructure team and auditors that OPTIONS headers should be completely disabled as it posed a security threat.
We use .NET web APIs (on multiple subdomains) with Angular 6/7 websites. With the OPTIONS headers now disabled, the preflight calls from Angular are rejected and our apps fail at the first API call to another subdomain (e.g., Authentication, which is one of our first functions and lives on auth.mycompany.com with our app on app.mycompany.com).
I've done quite a bit of reading (and would be THRILLED to have someone mark this as a duplicate if it leads to a solution :)) however, I have not been able to find any solutions that would work. Most articles call for white listing valid OPTIONS calls (Why is HTTP Options request insecure and https://security.stackexchange.com/questions/138567/why-should-the-options-method-not-be-allowed-on-an-http-server are two examples) or setting up a proxy on the same subdomain (Preflight CORS requests with Basic Authentication in Angular 2).
My question is, is there a way to configure the OPTIONS header that will allow us to pass our security scans and still allow our CORS calls from Angular?
Thanks in advance for your help!
.net
angular api cors options .net
angular api cors options asked Nov 13 '18 at 16:11
ryanlifferthryanlifferth
65116
asked Nov 13 '18 at 16:11
ryanlifferthryanlifferth
65116
edited Nov 13 '18 at 16:50
ryanlifferth
asked Nov 13 '18 at 16:11
ryanlifferthryanlifferth
65116
asked Nov 13 '18 at 16:11
ryanlifferthryanlifferth
65116
asked Nov 13 '18 at 16:11
ryanlifferthryanlifferth
65116
65116
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Our company maintains PCI compliance (along with a few others). As part of our most recent security audit it was determined by our infrastructure team and auditors that OPTIONS headers should be completely disabled as it posed a security threat.
I agree that a broad block of all OPTIONS across all domains is a valid security default, but they should allow some OPTIONS requests through to the correct servers as it is part of the HTTP specification.
Some security teams block all POST requests as standard practice, and you have to request which POST requests are allowed into the network.
We can't tell you if this is a good policy or not.
My question is, is there a way to configure the OPTIONS header that will allow us to pass our security scans and still allow our CORS calls from Angular?
This is a standard security check done by web browsers when a request is made to another domain. That's something you can't change.
Here is a list of your options at this point
- request that the OPTIONS be allowed for web servers in question. Tell the security team that the servers will be modified to yield OPTIONS responses that are strict in nature and ensure security.
- host the Angular web application on the same domain so that an OPTIONS request is not made by the browser.
- change all the API calls so that only GET requests without a body are made to the APIs (empty GET requests are exempt from OPTIONS pre-flight requests).
- create an API proxy on the same domain as the Angular application, and have the proxy make all the API calls to the other domain (back-end servers don't make OPTIONS requests).
Check with your security team first before implementing any of the above.
answered Nov 13 '18 at 21:01
cgTagcgTag
24.4k864114
Thanks @cgTag, those were many of the same options that we had come up with. I agree with you that our security team should allow some OPTIONS requests to go through. That is why I am curious to know how others in the industry are approaching this issue, if at all. If we allow any OPTIONS requests to go through, our scan would still fail and we would fail our security audit.
– ryanlifferth
Nov 15 '18 at 0:41
1
@ryanlifferth the security team has made some architectural design decisions about software development for you. They've imposed restrictions on what new modern technologies you are allowed to use. OPTIONS is part of the HTML5 new standard for CORS and RESTful APIs. If the corporate policy and culture is to do what the security team says you are allowed to do, then this tells you what kind of technology you are allowed to use. The culture of your company might not be ready for modern Angular and RESTful development. I have seem many corporate businesses that are 10 years behind the times.
– cgTag
Nov 15 '18 at 0:59
1
@chTag - you are exactly right with your comment about the design decisions. Thank you so much for your responses, they confirmed a lot of information I had been gathering and ultimately helped me get to a successful resolution. I am writing up a description of this in case others devs come across similar circumstances. I would bet that this solution is ultimately solved by the browser providers, but for now your answer helped us move forward.
– ryanlifferth
Jan 3 at 20:52
add a comment |
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53285090%2foptions-headers-disabled-on-web-server-net-web-api-and-angular%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Our company maintains PCI compliance (along with a few others). As part of our most recent security audit it was determined by our infrastructure team and auditors that OPTIONS headers should be completely disabled as it posed a security threat.
I agree that a broad block of all OPTIONS across all domains is a valid security default, but they should allow some OPTIONS requests through to the correct servers as it is part of the HTTP specification.
Some security teams block all POST requests as standard practice, and you have to request which POST requests are allowed into the network.
We can't tell you if this is a good policy or not.
My question is, is there a way to configure the OPTIONS header that will allow us to pass our security scans and still allow our CORS calls from Angular?
This is a standard security check done by web browsers when a request is made to another domain. That's something you can't change.
Here is a list of your options at this point
- request that the OPTIONS be allowed for web servers in question. Tell the security team that the servers will be modified to yield OPTIONS responses that are strict in nature and ensure security.
- host the Angular web application on the same domain so that an OPTIONS request is not made by the browser.
- change all the API calls so that only GET requests without a body are made to the APIs (empty GET requests are exempt from OPTIONS pre-flight requests).
- create an API proxy on the same domain as the Angular application, and have the proxy make all the API calls to the other domain (back-end servers don't make OPTIONS requests).
Check with your security team first before implementing any of the above.
answered Nov 13 '18 at 21:01
cgTagcgTag
24.4k864114
Thanks @cgTag, those were many of the same options that we had come up with. I agree with you that our security team should allow some OPTIONS requests to go through. That is why I am curious to know how others in the industry are approaching this issue, if at all. If we allow any OPTIONS requests to go through, our scan would still fail and we would fail our security audit.
– ryanlifferth
Nov 15 '18 at 0:41
1
@ryanlifferth the security team has made some architectural design decisions about software development for you. They've imposed restrictions on what new modern technologies you are allowed to use. OPTIONS is part of the HTML5 new standard for CORS and RESTful APIs. If the corporate policy and culture is to do what the security team says you are allowed to do, then this tells you what kind of technology you are allowed to use. The culture of your company might not be ready for modern Angular and RESTful development. I have seem many corporate businesses that are 10 years behind the times.
– cgTag
Nov 15 '18 at 0:59
1
@chTag - you are exactly right with your comment about the design decisions. Thank you so much for your responses, they confirmed a lot of information I had been gathering and ultimately helped me get to a successful resolution. I am writing up a description of this in case others devs come across similar circumstances. I would bet that this solution is ultimately solved by the browser providers, but for now your answer helped us move forward.
– ryanlifferth
Jan 3 at 20:52
add a comment |
Our company maintains PCI compliance (along with a few others). As part of our most recent security audit it was determined by our infrastructure team and auditors that OPTIONS headers should be completely disabled as it posed a security threat.
I agree that a broad block of all OPTIONS across all domains is a valid security default, but they should allow some OPTIONS requests through to the correct servers as it is part of the HTTP specification.
Some security teams block all POST requests as standard practice, and you have to request which POST requests are allowed into the network.
We can't tell you if this is a good policy or not.
My question is, is there a way to configure the OPTIONS header that will allow us to pass our security scans and still allow our CORS calls from Angular?
This is a standard security check done by web browsers when a request is made to another domain. That's something you can't change.
Here is a list of your options at this point
- request that the OPTIONS be allowed for web servers in question. Tell the security team that the servers will be modified to yield OPTIONS responses that are strict in nature and ensure security.
- host the Angular web application on the same domain so that an OPTIONS request is not made by the browser.
- change all the API calls so that only GET requests without a body are made to the APIs (empty GET requests are exempt from OPTIONS pre-flight requests).
- create an API proxy on the same domain as the Angular application, and have the proxy make all the API calls to the other domain (back-end servers don't make OPTIONS requests).
Check with your security team first before implementing any of the above.
answered Nov 13 '18 at 21:01
cgTagcgTag
24.4k864114
Thanks @cgTag, those were many of the same options that we had come up with. I agree with you that our security team should allow some OPTIONS requests to go through. That is why I am curious to know how others in the industry are approaching this issue, if at all. If we allow any OPTIONS requests to go through, our scan would still fail and we would fail our security audit.
– ryanlifferth
Nov 15 '18 at 0:41
1
@ryanlifferth the security team has made some architectural design decisions about software development for you. They've imposed restrictions on what new modern technologies you are allowed to use. OPTIONS is part of the HTML5 new standard for CORS and RESTful APIs. If the corporate policy and culture is to do what the security team says you are allowed to do, then this tells you what kind of technology you are allowed to use. The culture of your company might not be ready for modern Angular and RESTful development. I have seem many corporate businesses that are 10 years behind the times.
– cgTag
Nov 15 '18 at 0:59
1
@chTag - you are exactly right with your comment about the design decisions. Thank you so much for your responses, they confirmed a lot of information I had been gathering and ultimately helped me get to a successful resolution. I am writing up a description of this in case others devs come across similar circumstances. I would bet that this solution is ultimately solved by the browser providers, but for now your answer helped us move forward.
– ryanlifferth
Jan 3 at 20:52
add a comment |
Our company maintains PCI compliance (along with a few others). As part of our most recent security audit it was determined by our infrastructure team and auditors that OPTIONS headers should be completely disabled as it posed a security threat.
I agree that a broad block of all OPTIONS across all domains is a valid security default, but they should allow some OPTIONS requests through to the correct servers as it is part of the HTTP specification.
Some security teams block all POST requests as standard practice, and you have to request which POST requests are allowed into the network.
We can't tell you if this is a good policy or not.
My question is, is there a way to configure the OPTIONS header that will allow us to pass our security scans and still allow our CORS calls from Angular?
This is a standard security check done by web browsers when a request is made to another domain. That's something you can't change.
Here is a list of your options at this point
- request that the OPTIONS be allowed for web servers in question. Tell the security team that the servers will be modified to yield OPTIONS responses that are strict in nature and ensure security.
- host the Angular web application on the same domain so that an OPTIONS request is not made by the browser.
- change all the API calls so that only GET requests without a body are made to the APIs (empty GET requests are exempt from OPTIONS pre-flight requests).
- create an API proxy on the same domain as the Angular application, and have the proxy make all the API calls to the other domain (back-end servers don't make OPTIONS requests).
Check with your security team first before implementing any of the above.
answered Nov 13 '18 at 21:01
cgTagcgTag
24.4k864114
Our company maintains PCI compliance (along with a few others). As part of our most recent security audit it was determined by our infrastructure team and auditors that OPTIONS headers should be completely disabled as it posed a security threat.
I agree that a broad block of all OPTIONS across all domains is a valid security default, but they should allow some OPTIONS requests through to the correct servers as it is part of the HTTP specification.
Some security teams block all POST requests as standard practice, and you have to request which POST requests are allowed into the network.
We can't tell you if this is a good policy or not.
My question is, is there a way to configure the OPTIONS header that will allow us to pass our security scans and still allow our CORS calls from Angular?
This is a standard security check done by web browsers when a request is made to another domain. That's something you can't change.
Here is a list of your options at this point
- request that the OPTIONS be allowed for web servers in question. Tell the security team that the servers will be modified to yield OPTIONS responses that are strict in nature and ensure security.
- host the Angular web application on the same domain so that an OPTIONS request is not made by the browser.
- change all the API calls so that only GET requests without a body are made to the APIs (empty GET requests are exempt from OPTIONS pre-flight requests).
- create an API proxy on the same domain as the Angular application, and have the proxy make all the API calls to the other domain (back-end servers don't make OPTIONS requests).
Check with your security team first before implementing any of the above.
answered Nov 13 '18 at 21:01
cgTagcgTag
24.4k864114
answered Nov 13 '18 at 21:01
cgTagcgTag
24.4k864114
answered Nov 13 '18 at 21:01
cgTagcgTag
24.4k864114
answered Nov 13 '18 at 21:01
cgTagcgTag
24.4k864114
24.4k864114
Thanks @cgTag, those were many of the same options that we had come up with. I agree with you that our security team should allow some OPTIONS requests to go through. That is why I am curious to know how others in the industry are approaching this issue, if at all. If we allow any OPTIONS requests to go through, our scan would still fail and we would fail our security audit.
– ryanlifferth
Nov 15 '18 at 0:41
1
@ryanlifferth the security team has made some architectural design decisions about software development for you. They've imposed restrictions on what new modern technologies you are allowed to use. OPTIONS is part of the HTML5 new standard for CORS and RESTful APIs. If the corporate policy and culture is to do what the security team says you are allowed to do, then this tells you what kind of technology you are allowed to use. The culture of your company might not be ready for modern Angular and RESTful development. I have seem many corporate businesses that are 10 years behind the times.
– cgTag
Nov 15 '18 at 0:59
1
@chTag - you are exactly right with your comment about the design decisions. Thank you so much for your responses, they confirmed a lot of information I had been gathering and ultimately helped me get to a successful resolution. I am writing up a description of this in case others devs come across similar circumstances. I would bet that this solution is ultimately solved by the browser providers, but for now your answer helped us move forward.
– ryanlifferth
Jan 3 at 20:52
add a comment |
Thanks @cgTag, those were many of the same options that we had come up with. I agree with you that our security team should allow some OPTIONS requests to go through. That is why I am curious to know how others in the industry are approaching this issue, if at all. If we allow any OPTIONS requests to go through, our scan would still fail and we would fail our security audit.
– ryanlifferth
Nov 15 '18 at 0:41
1
@ryanlifferth the security team has made some architectural design decisions about software development for you. They've imposed restrictions on what new modern technologies you are allowed to use. OPTIONS is part of the HTML5 new standard for CORS and RESTful APIs. If the corporate policy and culture is to do what the security team says you are allowed to do, then this tells you what kind of technology you are allowed to use. The culture of your company might not be ready for modern Angular and RESTful development. I have seem many corporate businesses that are 10 years behind the times.
– cgTag
Nov 15 '18 at 0:59
1
@chTag - you are exactly right with your comment about the design decisions. Thank you so much for your responses, they confirmed a lot of information I had been gathering and ultimately helped me get to a successful resolution. I am writing up a description of this in case others devs come across similar circumstances. I would bet that this solution is ultimately solved by the browser providers, but for now your answer helped us move forward.
– ryanlifferth
Jan 3 at 20:52
Thanks @cgTag, those were many of the same options that we had come up with. I agree with you that our security team should allow some OPTIONS requests to go through. That is why I am curious to know how others in the industry are approaching this issue, if at all. If we allow any OPTIONS requests to go through, our scan would still fail and we would fail our security audit.
– ryanlifferth
Nov 15 '18 at 0:41
Thanks @cgTag, those were many of the same options that we had come up with. I agree with you that our security team should allow some OPTIONS requests to go through. That is why I am curious to know how others in the industry are approaching this issue, if at all. If we allow any OPTIONS requests to go through, our scan would still fail and we would fail our security audit.
– ryanlifferth
Nov 15 '18 at 0:41
1
1
@ryanlifferth the security team has made some architectural design decisions about software development for you. They've imposed restrictions on what new modern technologies you are allowed to use. OPTIONS is part of the HTML5 new standard for CORS and RESTful APIs. If the corporate policy and culture is to do what the security team says you are allowed to do, then this tells you what kind of technology you are allowed to use. The culture of your company might not be ready for modern Angular and RESTful development. I have seem many corporate businesses that are 10 years behind the times.
– cgTag
Nov 15 '18 at 0:59
@ryanlifferth the security team has made some architectural design decisions about software development for you. They've imposed restrictions on what new modern technologies you are allowed to use. OPTIONS is part of the HTML5 new standard for CORS and RESTful APIs. If the corporate policy and culture is to do what the security team says you are allowed to do, then this tells you what kind of technology you are allowed to use. The culture of your company might not be ready for modern Angular and RESTful development. I have seem many corporate businesses that are 10 years behind the times.
– cgTag
Nov 15 '18 at 0:59
1
1
@chTag - you are exactly right with your comment about the design decisions. Thank you so much for your responses, they confirmed a lot of information I had been gathering and ultimately helped me get to a successful resolution. I am writing up a description of this in case others devs come across similar circumstances. I would bet that this solution is ultimately solved by the browser providers, but for now your answer helped us move forward.
– ryanlifferth
Jan 3 at 20:52
@chTag - you are exactly right with your comment about the design decisions. Thank you so much for your responses, they confirmed a lot of information I had been gathering and ultimately helped me get to a successful resolution. I am writing up a description of this in case others devs come across similar circumstances. I would bet that this solution is ultimately solved by the browser providers, but for now your answer helped us move forward.
– ryanlifferth
Jan 3 at 20:52
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53285090%2foptions-headers-disabled-on-web-server-net-web-api-and-angular%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
