galasa-dev / projectmanagement

Project Management repo for Issues and ZenHub

Use a configurable value to set the Access-Control-Allow-Origin header in API server responses #1895

Closed eamansour closed 2 weeks ago

eamansour commented 3 weeks ago

Story

As a Galasa Ecosystem administrator, I want to be able to configure the domains that are allowed to receive responses from my ecosystem's API server, so that I can avoid CORS vulnerabilities.

Background

Currently, API server responses all contain an Access-Control-Allow-Origin: * header, which is too permissive as noted by a recent vulnerability scan.

Adding a value in the Helm chart that is passed into the API server would allow users to limit the domains that can receive responses from their ecosystem's API server. This value will contain a list of allowed origins that can be checked against whenever a request is made to the API server. If the request's Origin header contains a value that matches an allowed origin, then we'll set the Access-Control-Allow-Origin header in the response to the matched value.

Tasks
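The origin check described in the issue body, written out as an added example. This is not Galasa's own code and is not tied to its API server; it is a stand-alone Python sketch that assumes the configured value is a comma-separated list of origins and that request headers are available as a dict (both are assumptions made for illustration). It goes a little beyond the issue text in the ways a reviewer would want to see: origins are compared as a normalised scheme://host[:port] tuple rather than by raw string or suffix match, unparsable values (including the literal "null" origin) never match, and an allowed response also carries Vary: Origin so a shared cache cannot serve one origin's response to another.

```python
"""
Origin allow-list check for Access-Control-Allow-Origin (added example).

Assumptions (not from the issue): the configured value is a comma-separated
list such as "https://galasa.example.com, https://dash.example.com:8443",
and request headers are passed as a plain dict.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return an origin as canonical scheme://host[:port], or None if it is not a valid origin."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # covers "null", empty strings and non-URL junk
    # An Origin has no userinfo, path, query or fragment; tolerate only a bare trailing slash.
    if parts.username or parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def parse_allowed_origins(config_value):
    """Parse the configured list into a set of canonical origins; unparsable entries are dropped."""
    allowed = set()
    for raw in config_value.split(","):
        canon = normalize_origin(raw) if raw.strip() else None
        if canon is not None:
            allowed.add(canon)
    return allowed


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_headers(request_headers, allowed_origins):
    """
    Compute the CORS response headers for one request.

    Returns {} when there is no Origin header (same-origin or non-browser
    request) or when the Origin is not on the allow-list; the browser then
    refuses to expose the response cross-origin. When the origin is allowed,
    the request's own Origin value is echoed back (never "*"), because the
    browser compares the header against its serialised origin byte for byte.
    """
    origin = _header(request_headers, "Origin")
    if origin is None:
        return {}
    canon = normalize_origin(origin)
    if canon is None or canon not in allowed_origins:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


# Constructed sample configuration and requests for demonstration.
SAMPLE_CONFIG = "https://galasa.example.com, https://Dashboard.example.com:8443, not-a-url"
SAMPLE_ALLOWED = parse_allowed_origins(SAMPLE_CONFIG)

if __name__ == "__main__":
    for req in (
        {"Origin": "https://galasa.example.com"},               # allowed
        {"origin": "https://dashboard.example.com:8443"},       # allowed, lower-case header name
        {"Origin": "https://galasa.example.com.attacker.test"}, # suffix lookalike, blocked
        {"Origin": "http://galasa.example.com"},                # wrong scheme, blocked
        {"Origin": "null"},                                     # opaque origin, blocked
        {},                                                     # no Origin, no CORS headers
    ):
        print(req.get("Origin", req.get("origin")), "->", cors_headers(req, SAMPLE_ALLOWED))
```

The design choice worth noting is that the allow-list is consulted per request and the matched origin is echoed, rather than the header being set once to a fixed value: with several permitted origins only a per-request check can produce a valid single-origin header, and Vary: Origin is what keeps that per-origin answer from being cached and replayed to a different origin.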