Ruby on Rails configure CORS setting with rack cors gem

Hi, This is Shubham Mishra from India, this is the part of Ruby on Rails exploration journey. In this post we will discuss about the CORS concepts and I am sure you will get excited to make your hands dirty with those code, so why to wait let's get started...

What is CORS?

Cross-Origin Resource Sharing, sometimes known as CORS, is a security feature built into web browsers that enables web servers to manage which domains can access their resources. It is used to stop rogue websites or programmes from gaining unauthorised access to a web server's resources.

In plainer terms, a web browser will submit a CORS request to the server whenever a web application makes a request to a domain other than the one it is currently executing on in order to determine whether it is authorised to access the resources of that domain. The browser can retrieve the resources and show them to the user if the server agrees to the request.

Why CORS is important?

If CORS is not used, malicious websites or scripts may be able to access server resources that they are not authorised to access. Data theft, unauthorised changes, and other security problems could result from this.

The Access-Control-Allow-Origin header, which identifies which domains are permitted access to the server's resources, is one of the specific response headers that web servers must provide in their HTTP responses in order to enable CORS. For further control over which domains can access their resources, web developers can implement CORS policies on their online applications.

Real world cyber attack because of lack of CORS configuration on server

There have been several real-world examples of security breaches that occurred due to the lack of proper CORS configuration. The 2018 Ticketmaster data breach, in which thieves were able to take the private and financial data of as many as 40,000 consumers, is one such instance. The payment page on the Ticketmaster website contained a vulnerability that the hackers were able to take advantage of to run malicious JavaScript code and collect user information. The website's improper CORS configuration was to blame for this vulnerability.

Another instance is the 2017 Uber data breach, in which thieves had access to the personal data of 57 million users and the licence details of 600,000 drivers. Due to a flaw in Uber's code, hackers were able to access a backend server hosting sensitive user data and get beyond CORS limitations, resulting in the breach.

How to configure CORS in Ruby on Rails application?

Configuring CORS in a Rails application is straightforward and can be done using the rack-cors gem. Here are the steps to configure CORS in a Rails application:

1. Add the rack-cors gem to your Gemfile and run bundle install.

gem 'rack-cors', require: 'rack/cors'

2. Create a config/initializers/cors.rb file with the following code:

This configuration allows any domain to access your application's resources using any HTTP method. You can adjust the origins and methods values to restrict access to specific domains and HTTP methods. For example, to allow access from a specific domain, you can replace origins '*' with origins 'http://example.com'.

3. Restart your Rails application.

DONE 😄

You can configure CORS in your Rails application by following these steps. Keep in mind that proper CORS configuration is essential to preventing security flaws. Make sure to properly test your application to make sure the CORS configuration is operating as intended.

Here's an example cors.rb configuration file using the multiple domains that we want to whitelist,

This configuration allows requests from the example.com domain using HTTPS protocol, a local development server running on localhost at port 3000, the www subdomain of example.com using HTTPS protocol, any subdomain of example.com using HTTPS protocol, and the null origin for local requests.

In summary, CORS is important because it is a crucial security mechanism that helps prevent unauthorized access to web servers and the sensitive data they contain. Without proper CORS configuration, attackers could potentially access a server's resources from domains they are not authorized to access, which could lead to data theft, unauthorized modifications, and other security risks. By configuring CORS correctly, web developers can specify which domains are allowed to access their resources and prevent unauthorized access from malicious websites or scripts.

You can explore my previous blog: Ruby on Rails best Optimisation practices

Or you can explore my other blogs too here,

Get to know answers for common search on Google : A blog for posts which can help you for daily life problems, such as where to get free images, Topic suggestion for the blog.

Computer Science algorithms and other knowledge share : A blog for posts such as best search algorithm, Top interview questions for diffrent technologies, knowledge share for some frameworks or programming languages for the interview or in general terms.

My ideas to solve real world problems : A blog where me shared and presented my ideas to solve a real world problems, this will be interesting for me.

Ruby on Rails Web development Blog : As the name suggest, it is the blog for sharing few knowledge about RoR web development framework.

Liked my blogs, wanna to connect:

Thanks for reading this post, Have a good day :)

Search This Blog

Ruby on Rails: Lets explore the Ruby and Rails