Skip to content

Commit

Permalink
Move HTTP CORS section to a new security-cors.adoc
Browse files Browse the repository at this point in the history
  • Loading branch information
sberyozkin committed Oct 20, 2023
1 parent 997cab3 commit be509dc
Show file tree
Hide file tree
Showing 9 changed files with 80 additions and 56 deletions.
51 changes: 2 additions & 49 deletions docs/src/main/asciidoc/http-reference.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -336,55 +336,8 @@ value will not be correct.

== CORS filter

link:https://en.wikipedia.org/wiki/Cross-origin_resource_sharing[Cross-origin resource sharing] (CORS) is a mechanism that
allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource
was served.

Quarkus comes with a CORS filter which implements the `jakarta.servlet.Filter` interface and intercepts all incoming HTTP
requests. It can be enabled in the Quarkus configuration file, `src/main/resources/application.properties`:

[source, properties]
----
quarkus.http.cors=true
----

If the filter is enabled and an HTTP request is identified as cross-origin, the CORS policy and headers defined using the
following properties will be applied before passing the request on to its actual target (servlet, Jakarta REST resource, etc.):


include::{generated-dir}/config/quarkus-vertx-http-config-group-cors-cors-config.adoc[leveloffset=+1, opts=optional]

Here's what a full CORS filter configuration could look like, including a regular expression defining an allowed origin:

[source, properties]
----
quarkus.http.cors=true
quarkus.http.cors.origins=http://foo.com,http://www.bar.io,/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/
quarkus.http.cors.methods=GET,PUT,POST
quarkus.http.cors.headers=X-Custom
quarkus.http.cors.exposed-headers=Content-Disposition
quarkus.http.cors.access-control-max-age=24H
quarkus.http.cors.access-control-allow-credentials=true
----

`/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/` is treated as a regular expression because it is surrounded by forward slash characters.

[NOTE]
====
If you use regular expressions in an `application.properties` file, make sure 4 backward slashes are used to represent `.` and other regular expression metadata characters as normal characters, for example, `\\\\.` represents a `.` character while `\\.` represents a metadata character allowing for any character.
====

=== Support all origins in devmode

Having to configure required origins when you start developing a Quarkus application requiring CORS support can be difficult and, in such cases, you may want to allow all origins in dev mode only in order to focus on the actual development first:

[source, properties]
----
quarkus.http.cors=true
%dev.quarkus.http.cors.origins=/.*/
----

It is important that you enable all origins only for the dev profile, allowing all origins in production is not recommended and could expose your applications to serious security issues.
To make your Quarkus application accessible to another application running on a different domain, you need to configure cross-origin resource sharing (CORS).
For more information about the CORS filter that Quarkus provides, see the Quarkus xref:security-cors.adoc#cors-filter[CORS filter] section of the "Cross-origin resource sharing" guide.

== HTTP Limits Configuration

Expand Down
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/openapi-swaggerui.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -529,7 +529,7 @@ For more information on styling, read this blog entry: https://quarkus.io/blog/s

=== Cross Origin Resource Sharing

If you plan to consume this application from a Single Page Application running on a different domain, you will need to configure CORS (Cross-Origin Resource Sharing). Please read the xref:http-reference.adoc#cors-filter[HTTP CORS documentation] for more details.
If you plan to consume this application from a Single Page Application running on a different domain, you will need to configure CORS (Cross-Origin Resource Sharing). Please read the xref:security-cors.adoc#cors-filter[CORS filter] section of the "Cross-origin resource sharing" guide for more details.

== Configuration Reference

Expand Down
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/resteasy-reactive.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -1867,7 +1867,7 @@ allows restricted resources on a web page to be requested from another domain ou
was served.

Quarkus comes with a CORS filter at the HTTP layer level.
Read the xref:http-reference.adoc#cors-filter[HTTP Reference Documentation] to learn
Read the xref:security-cors.adoc#cors-filter[CORS filter] section of the "Cross-origin resource sharing" guide to learn
how to use it.

== More advanced usage
Expand Down
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/resteasy.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -703,7 +703,7 @@ link:https://en.wikipedia.org/wiki/Cross-origin_resource_sharing[Cross-origin re
allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource
was served.

Quarkus comes with a CORS filter. Read the xref:http-reference.adoc#cors-filter[HTTP Reference Documentation] to learn
Quarkus comes with a CORS filter. Read the xref:security-cors.adoc#cors-filter[CORS filter] section of the "Cross-origin resource sharing" guide to learn
how to use it.

== GZip Support
Expand Down
71 changes: 71 additions & 0 deletions docs/src/main/asciidoc/security-cors.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
////
This document is maintained in the main Quarkus repository
and pull requests should be submitted there:
https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
////
[id="security-cors"]
= Cross-origin resource sharing
include::_attributes.adoc[]
:diataxis-type: concept
:categories: security,web
:keywords: cors,http
:extensions: io.quarkus:quarkus-vertx-http

link:https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS[Cross-origin resource sharing] (CORS) is a mechanism that
allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource
was served.

[[cors-filter]]
== CORS filter

Quarkus provides a CORS filter which implements the `jakarta.servlet.Filter` interface and intercepts all incoming HTTP
requests. It can be enabled in the Quarkus configuration file, `src/main/resources/application.properties`:

[source, properties]
----
quarkus.http.cors=true
----

If the filter is enabled and an HTTP request is identified as cross-origin, the CORS policy and headers defined using the
following properties will be applied before passing the request on to its actual target (servlet, Jakarta REST resource, etc.):

include::{generated-dir}/config/quarkus-vertx-http-config-group-cors-cors-config.adoc[leveloffset=+1, opts=optional]

Here's what a full CORS filter configuration could look like, including a regular expression defining an allowed origin:

[source, properties]
----
quarkus.http.cors=true
quarkus.http.cors.origins=http://foo.com,http://www.bar.io,/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/
quarkus.http.cors.methods=GET,PUT,POST
quarkus.http.cors.headers=X-Custom
quarkus.http.cors.exposed-headers=Content-Disposition
quarkus.http.cors.access-control-max-age=24H
quarkus.http.cors.access-control-allow-credentials=true
----

`/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/` is treated as a regular expression because it is surrounded by forward slash characters.

[NOTE]
====
If you use regular expressions in an `application.properties` file, make sure 4 backward slashes are used to represent `.` and other regular expression metadata characters as normal characters, for example, `\\\\.` represents a `.` character while `\\.` represents a metadata character allowing for any character.
====

=== Support all origins in devmode

Having to configure required origins when you start developing a Quarkus application requiring CORS support can be difficult and, in such cases, you may want to allow all origins in dev mode only in order to focus on the actual development first:

[source, properties]
----
quarkus.http.cors=true
%dev.quarkus.http.cors.origins=/.*/
----

It is important that you enable all origins only for the dev profile, allowing all origins in production is not recommended and could expose your applications to serious security issues.


== References

* xref:security-overview.adoc[Quarkus Security overview]
* xref:http-reference.adoc[Quarkus HTTP Reference]
* link:https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS[Mozilla HTTP CORS documentation]
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/security-csrf-prevention.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -170,7 +170,7 @@ quarkus.csrf-reactive.cookie-http-only=false
====
If you would like to enforce CSRF prevention in a Cross-origin environment, please avoid supporting all Origins.
Restrict supported Origins to trusted Origins only, see xref:http-reference.adoc#cors-filter[Cross-origin resource sharing] for more information.
Restrict supported Origins to trusted Origins only, see xref:security-cors.adoc#cors-filter[CORS filter] section of the "Cross-origin resource sharing" guide for more information.
====

== Restrict CSRF token verification
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -336,7 +336,7 @@ For example, here is how you can use `keycloak.js` to authenticate the users and

=== Cross Origin Resource Sharing

If you plan to consume your OpenID Connect `service` application from a Single Page Application running on a different domain, you will need to configure CORS (Cross-Origin Resource Sharing). Please read the xref:http-reference.adoc#cors-filter[HTTP CORS documentation] for more details.
If you plan to consume your OpenID Connect `service` application from a Single Page Application running on a different domain, you will need to configure CORS (Cross-Origin Resource Sharing). Please read the xref:security-cors.adoc#cors-filter[CORS filter] section of the "Cross-origin resource sharing" guide for more details.

=== Provider Endpoint configuration

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1230,7 +1230,7 @@ Future<void> callQuarkusService() async {
=== Cross-origin resource sharing

If you plan to consume this application from a single-page application running on a different domain, you need to configure cross-origin resource sharing (CORS).
For more information, see the xref:http-reference.adoc#cors-filter[CORS filter] section of the "HTTP reference" guide.
For more information, see the xref:security-cors.adoc#cors-filter[CORS filter] section of the "Cross-origin resource sharing" guide.

=== Calling Cloud provider services

Expand Down
2 changes: 1 addition & 1 deletion docs/src/main/asciidoc/security-overview.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ Guidance for testing Quarkus Security features and ensuring that your Quarkus ap
=== Cross-origin resource sharing

To make your Quarkus application accessible to another application running on a different domain, you need to configure cross-origin resource sharing (CORS).
For more information about the CORS filter that Quarkus provides, see the Quarkus xref:http-reference.adoc#cors-filter[CORS filter] section of the "HTTP reference" guide.
For more information about the CORS filter that Quarkus provides, see the Quarkus xref:security-cors.adoc#cors-filter[CORS filter] section of the "Cross-origin resource sharing" guide.

[[csrf-prevention]]
=== Cross-Site Request Forgery (CSRF) prevention
Expand Down

0 comments on commit be509dc

Please sign in to comment.