
Question by Magnus, Aug 27, 2018 9:19 AM

REST endpoint sets CORS headers

Is there a way to turn off the generation of these headers?

Edited by Maxime: Thank you for your report, I sent you an email about this.

2 Replies

Answer by olamothe, Nov 17, 2017 3:14 PM

Assuming you are using the on premise version of the Search API, it is possible to configure the Search API regarding CORS options.


Comment by Magnus, Nov 17, 2017 4:29 PM

Thank you for the answer, olamothe.

I should have specified, I'm using Coveo for Sitecore with the Cloud solution, not on-premise.


Answer by Martin Laporte, Nov 20, 2017 8:56 AM

Hey thanks for the report!

I work more on the platform side so I'm not a Coveo for Sitecore expert (those are all asleep at the moment), but I assume this means that requests to `/rest/search` are reverse-proxied through the Sitecore site over to the Coveo Cloud platform. In this case, if your site uses cookies for authentication (hardly an uncommon practice!) you are right that this indeed opens up a potential security issue.

When using the platform directly, cookies aren't used for authentication - the access or search token must be passed manually through the `Authorization` HTTP header, so a foreign site can't magically gain access to the service through cookies. So in this case it's OK to put the headers as they are, but the Coveo for Sitecore reverse proxy (if my assumption that it exists is right) should definitely not forward those.

This looks pretty important so I'll alert the proper teams right away so they can have a look at this.

Again, thanks for reporting!
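To make the distinction in the answer above concrete, here is an added example (not Coveo's or Sitecore's code, and not taken from the thread). It models the browser's CORS credential checks and two hypothetical `/rest/search` back ends: one reached through a reverse proxy that trusts the site's session cookie, and one that only accepts a token in the `Authorization` header. The origins, cookie and token values, and the `reflectingCorsHeaders` / `allowListCorsHeaders` policies are all constructed for the demonstration; the reflecting policy is an assumption about what the proxy does, not a statement about the actual product.

```javascript
// Added example, not Coveo's or Sitecore's code: a model of the browser's
// CORS checks, used to show why reflecting the Origin header together with
// Access-Control-Allow-Credentials: true is dangerous on a reverse-proxied,
// cookie-authenticated /rest/search, and harmless on an endpoint that only
// accepts an Authorization header. All origins, cookie and token values
// below are constructed for the demonstration.

// Policy 1 (assumed proxy behaviour as described in the thread): echo
// whatever Origin the browser sent and allow credentials.
function reflectingCorsHeaders(requestOrigin) {
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
  };
}

// Policy 2 (hardened): echo only an explicit allow-list of origins, add
// Vary: Origin so shared caches do not serve one origin's response to
// another, and send no CORS headers at all to anyone else.
function allowListCorsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin',
  };
}

// Simplified model of the Fetch standard's CORS check: a script on
// requestOrigin may read the response body only if Access-Control-Allow-Origin
// matches its origin exactly (or is "*" for requests without credentials)
// and, when cookies were sent, Access-Control-Allow-Credentials is exactly
// "true" and the allowed origin is not "*".
function browserCanReadResponse(requestOrigin, withCredentials, headers) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao === undefined) return false;
  if (withCredentials) return acao === requestOrigin && acac === 'true';
  return acao === '*' || acao === requestOrigin;
}

// Two hypothetical back ends for /rest/search. The proxied one trusts the
// site's session cookie, which the browser attaches to any request a
// foreign page makes with credentials: 'include'. The platform-style one
// wants a token in the Authorization header, which a foreign page cannot
// supply because it never had the token.
const SECRET_RESULTS = { results: ['confidential document'] };

function proxiedSearch(request) {
  if (request.cookies.session !== 'valid-session') return { status: 401, body: null };
  return { status: 200, body: SECRET_RESULTS };
}

function platformSearch(request) {
  if (request.headers.authorization !== 'Bearer valid-search-token') return { status: 401, body: null };
  return { status: 200, body: SECRET_RESULTS };
}

// What a page on attackerOrigin obtains from
// fetch(endpoint, { credentials: 'include' }) while the victim is logged in.
// Returns the leaked body, or null when the browser withholds the response
// or the back end refuses the request.
function attackerReads(attackerOrigin, endpoint, corsPolicy) {
  const request = {
    origin: attackerOrigin,
    cookies: { session: 'valid-session' }, // the browser adds the victim's cookie
    headers: {},                           // no Authorization token available
  };
  const response = endpoint(request);
  const cors = corsPolicy(attackerOrigin);
  const readable = response.status === 200 && browserCanReadResponse(attackerOrigin, true, cors);
  return readable ? response.body : null;
}

// Audit helper for headers captured from a real endpoint: flags the
// reflected-origin-plus-credentials combination that makes the proxy case
// exploitable. probeOrigin is the arbitrary Origin you sent in the probe.
function corsAuditFinding(probeOrigin, headers) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao === probeOrigin && acac === 'true') {
    return 'reflects arbitrary Origin with credentials: cookie-authenticated data is readable cross-origin';
  }
  if (acao === '*' && acac === 'true') {
    return 'wildcard with credentials: browsers reject this combination, but it signals a misconfiguration';
  }
  return 'no credentialed cross-origin read for ' + probeOrigin;
}

const ATTACKER = 'https://evil.example';                 // constructed
const SITE = 'https://www.customer-site.example';        // constructed
console.log('proxy, reflecting CORS :', attackerReads(ATTACKER, proxiedSearch, reflectingCorsHeaders));
console.log('proxy, allow-list CORS :', attackerReads(ATTACKER, proxiedSearch, o => allowListCorsHeaders(o, [SITE])));
console.log('platform, reflecting   :', attackerReads(ATTACKER, platformSearch, reflectingCorsHeaders));
console.log('audit                  :', corsAuditFinding(ATTACKER, reflectingCorsHeaders(ATTACKER)));
```

The first call shows the leak: the proxy answers 200 because the victim's cookie rides along, and the reflected origin plus `Access-Control-Allow-Credentials: true` lets the foreign page read the body. The allow-list policy and the token-only back end both return `null`, for different reasons: the browser withholds the response in one case, the server refuses the request in the other. To check a real deployment, send a probe with an unrelated origin, for example `curl -sI -H "Origin: https://evil.example" https://<your-site>/rest/search`, and feed the returned headers to `corsAuditFinding`; an echoed origin with `Access-Control-Allow-Credentials: true` on a cookie-authenticated proxy is the condition described in the answer.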
