is "access-control-allow-origin" a secure way to restrict communication between two servers?

Soroush Bgm

6/12/23, 11:28 AM

I have two servers, A and B. I want server B to only accept HTTP requests from server A. is "access-control-allow-origin" a secure way to implement that?

215

0 + 0

security

http

http-headers

Score:6

Server

vidarlo

6/12/23, 11:36 AM

No.

HTTP headers is sent from server to client, or client to server. It's fine for protecting a cooperating client against attacks on the client, but it's not fine for protecting the server against anything. Any client is free to ignore it if it so desires; there's nothing the server can do to enforce it.

Implement real authentication, such as TLS client certificates, bearer tokens or a similar scheme.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: is "access-control-allow-origin" a secure way to restrict communication between two servers?

TH: "การควบคุมการเข้าถึงอนุญาตต้นทาง" เป็นวิธีที่ปลอดภัยในการจำกัดการสื่อสารระหว่างสองเซิร์ฟเวอร์หรือไม่

RO: este „acces-control-allow-origin” o modalitate sigură de a restricționa comunicarea între două servere?

RU: Является ли «access-control-allow-origin» безопасным способом ограничения связи между двумя серверами?

VI: "kiểm soát truy cập-cho phép-xuất xứ" có phải là cách an toàn để hạn chế giao tiếp giữa hai máy chủ không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.