Reputation: 20872
Currently my HTTP server has the following configuration:
curl -i http://localhost:3000
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: X-Requested-With, Access-Control-Allow-Origin, X-HTTP-Method-Override, Content-Type, Authorization, Accept
Date: Tue, 10 Dec 2013 22:31:40 GMT
Connection: keep-alive
Transfer-Encoding: chunked
With respect to the Access-Control entries: do these indicate what the server can send and receive?
Am I best to try to reduce this list as much as possible? Would this mean the server is potentially more secure, as there are fewer ways to access it?
thx
Upvotes: 1
Views: 3616
Reputation: 72825
Access-Control-Allow-Origin: *
You could easily restrict this entry to restrict AJAX requests to your site (blocking CORS). This is easy to do and (depending on what you're trying to build) generally a good idea.
Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS
Again, depending on what you're building, this could be limited to only the HTTP methods you intend to use. A basic website likely only needs GET, a content driven site with form uploads would require POST, or a complex API or socket driven site may/will require the others.
Access-Control-Allow-Credentials: true
If you're not handling authentication (or securing anything) then this is irrelevant. If you are securing something, you may want to implement something like OAuth in place, and disallow credentials.
Access-Control-Max-Age: 86400
This is simply how long the website response can be cached. This is 24 hours, but on a highly secure site, you may want to limit this to an hour or 30 minutes.
All of this said, while there are a significant number of other security concerns when implementing Node, if you strictly don't require the extra header handling, then there's a benefit in removing them.
Upvotes: 5