Skip to content

Commit 2abd58b

Browse files
vishrclaude
andcommitted
docs(cors): add Security section on wildcard origin + credentials (#277)
Upstream echo#2400 asked for the docs to explain the danger of combining a wildcard origin with AllowCredentials, and the maintainer asked for a security block on echo.labstack.com. The page only had a one-line caution that didn't explain the behaviour or v5's enforcement. Expand it into a "Security" section that explains: - the danger: wildcard origin + AllowCredentials:true reflects any Origin back, enabling credentialed cross-origin attacks; - v5's enforcement: CORS / CORSWithConfig panic and ToMiddleware() returns an error rather than building an insecure middleware; - the safe pattern (explicit origins) and UnsafeAllowOriginFunc for dynamic validation. Applied across all five locales (translated prose, identical code block). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 3f9e3e3 commit 2abd58b

5 files changed

Lines changed: 98 additions & 24 deletions

File tree

site/src/content/docs/es/middleware/cors.md

Lines changed: 20 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -117,8 +117,23 @@ CORSConfig{
117117
}
118118
```
119119

120-
:::caution[Seguridad]
121-
Nunca combines `AllowCredentials = true` con un wildcard `AllowOrigins`. Cuando necesites
122-
validación dinámica de origin, usa `UnsafeAllowOriginFunc` y valida con cuidado:
123-
los atacantes pueden registrar nombres de (sub)dominio hostiles.
124-
:::
120+
## Seguridad
121+
122+
Un origin con wildcard (`AllowOrigins: []string{"*"}`) combinado con `AllowCredentials: true`
123+
es peligroso: reflejaría el `Origin` de **cualquier** petición en
124+
`Access-Control-Allow-Origin`, permitiendo que una página de cualquier sitio haga peticiones
125+
cross-origin con credenciales a tu API (consulta [Exploiting CORS misconfigurations](https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)).
126+
127+
Echo rechaza esta combinación en lugar de construir un middleware inseguro: `CORS` y
128+
`CORSWithConfig` hacen **panic**, y `CORSConfig.ToMiddleware()` devuelve un error. Para permitir
129+
peticiones con credenciales, enumera explícitamente los orígenes de confianza:
130+
131+
```go
132+
e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
133+
AllowOrigins: []string{"https://example.com"},
134+
AllowCredentials: true,
135+
}))
136+
```
137+
138+
Para validación dinámica de origin, usa `UnsafeAllowOriginFunc` y valida cada origin con
139+
cuidado: los atacantes pueden registrar nombres de (sub)dominio falsos u hostiles.

site/src/content/docs/ja/middleware/cors.md

Lines changed: 20 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -117,8 +117,23 @@ CORSConfig{
117117
}
118118
```
119119

120-
:::caution[セキュリティ]
121-
`AllowCredentials = true` とワイルドカードの `AllowOrigins` を組み合わせてはいけません。
122-
動的な origin 検証が必要な場合は `UnsafeAllowOriginFunc` を使い、慎重に検証してください。
123-
攻撃者が悪意ある(サブ)ドメイン名を登録する可能性があります。
124-
:::
120+
## セキュリティ
121+
122+
ワイルドカード origin(`AllowOrigins: []string{"*"}`)と `AllowCredentials: true` の組み合わせは危険です。
123+
**任意**のリクエストの `Origin` をそのまま `Access-Control-Allow-Origin` に反射してしまい、
124+
どのサイトのページからでも認証情報付きのクロスオリジンリクエストを API に送れてしまいます
125+
[Exploiting CORS misconfigurations](https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html) を参照)。
126+
127+
Echo は安全でないミドルウェアを構築せず、この組み合わせを拒否します。`CORS``CORSWithConfig`**panic** し、
128+
`CORSConfig.ToMiddleware()` はエラーを返します。認証情報付きのリクエストを許可するには、
129+
信頼する origin を明示的に列挙してください:
130+
131+
```go
132+
e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
133+
AllowOrigins: []string{"https://example.com"},
134+
AllowCredentials: true,
135+
}))
136+
```
137+
138+
動的な origin 検証が必要な場合は `UnsafeAllowOriginFunc` を使い、各 origin を慎重に検証してください。
139+
攻撃者が偽装または悪意ある(サブ)ドメイン名を登録する可能性があります。

site/src/content/docs/middleware/cors.md

Lines changed: 20 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -117,8 +117,23 @@ CORSConfig{
117117
}
118118
```
119119

120-
:::caution[Security]
121-
Never combine `AllowCredentials = true` with a wildcard `AllowOrigins`. When you need
122-
dynamic origin validation, use `UnsafeAllowOriginFunc` and validate carefully —
123-
attackers may register hostile (sub)domain names.
124-
:::
120+
## Security
121+
122+
A wildcard origin (`AllowOrigins: []string{"*"}`) combined with `AllowCredentials: true`
123+
is dangerous: it would reflect **any** request's `Origin` back in
124+
`Access-Control-Allow-Origin`, letting a page on any site make credentialed cross-origin
125+
requests to your API (see [Exploiting CORS misconfigurations](https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)).
126+
127+
Echo refuses this combination rather than building an insecure middleware: `CORS` and
128+
`CORSWithConfig` **panic**, and `CORSConfig.ToMiddleware()` returns an error. To allow
129+
credentialed requests, list the trusted origins explicitly:
130+
131+
```go
132+
e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
133+
AllowOrigins: []string{"https://example.com"},
134+
AllowCredentials: true,
135+
}))
136+
```
137+
138+
For dynamic origin validation, use `UnsafeAllowOriginFunc` and validate each origin
139+
carefully — attackers may register look-alike or hostile (sub)domain names.

site/src/content/docs/pt-br/middleware/cors.md

Lines changed: 20 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -117,8 +117,23 @@ CORSConfig{
117117
}
118118
```
119119

120-
:::caution[Segurança]
121-
Nunca combine `AllowCredentials = true` com um wildcard `AllowOrigins`. Quando precisar
122-
de validação dinâmica de origem, use `UnsafeAllowOriginFunc` e valide cuidadosamente —
123-
atacantes podem registrar nomes de (sub)domínio hostis.
124-
:::
120+
## Segurança
121+
122+
Um origin curinga (`AllowOrigins: []string{"*"}`) combinado com `AllowCredentials: true`
123+
é perigoso: ele refletiria o `Origin` de **qualquer** requisição em
124+
`Access-Control-Allow-Origin`, permitindo que uma página de qualquer site faça requisições
125+
cross-origin com credenciais à sua API (veja [Exploiting CORS misconfigurations](https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)).
126+
127+
O Echo recusa essa combinação em vez de construir um middleware inseguro: `CORS` e
128+
`CORSWithConfig` causam **panic**, e `CORSConfig.ToMiddleware()` retorna um erro. Para permitir
129+
requisições com credenciais, liste explicitamente as origens confiáveis:
130+
131+
```go
132+
e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
133+
AllowOrigins: []string{"https://example.com"},
134+
AllowCredentials: true,
135+
}))
136+
```
137+
138+
Para validação dinâmica de origem, use `UnsafeAllowOriginFunc` e valide cada origem com
139+
cuidado — atacantes podem registrar nomes de (sub)domínio falsos ou hostis.

site/src/content/docs/zh-cn/middleware/cors.md

Lines changed: 18 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -117,7 +117,21 @@ CORSConfig{
117117
}
118118
```
119119

120-
:::caution[安全]
121-
永远不要把 `AllowCredentials = true` 与通配符 `AllowOrigins` 组合使用。需要动态 origin
122-
验证时,请使用 `UnsafeAllowOriginFunc` 并仔细验证,攻击者可能注册恶意(子)域名。
123-
:::
120+
## 安全
121+
122+
通配符 origin(`AllowOrigins: []string{"*"}`)与 `AllowCredentials: true` 组合使用非常危险:
123+
它会把**任意**请求的 `Origin` 原样反射到 `Access-Control-Allow-Origin` 中,使得任意网站上的页面
124+
都能向你的 API 发起携带凭证的跨域请求(参见 [Exploiting CORS misconfigurations](https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html))。
125+
126+
Echo 会拒绝这种组合,而不是构建不安全的中间件:`CORS``CORSWithConfig`**panic**
127+
`CORSConfig.ToMiddleware()` 会返回错误。要允许携带凭证的请求,请显式列出受信任的 origin:
128+
129+
```go
130+
e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
131+
AllowOrigins: []string{"https://example.com"},
132+
AllowCredentials: true,
133+
}))
134+
```
135+
136+
需要动态 origin 验证时,请使用 `UnsafeAllowOriginFunc` 并仔细验证每个 origin——
137+
攻击者可能注册仿冒或恶意的(子)域名。

0 commit comments

Comments
 (0)