nginx环境CORS 跨域漏洞修复

1、漏洞报告

2、漏洞复现

curl -H ‘Origin:https://www.baidu.com’ http://127.0.0.1:80

3、漏洞修复（nginx）

location /myProject/api/ {
    set $allow_cors 0;
    # 判断不为空
    if ($http_origin) {
        set $allow_cors 1;
    }
    # 判断不在白名单内
    if ($http_origin !~* "(www.test.com|10.86.37.169)" ) {
        set $allow_cors "${allow_cors}1";
    }
    # 判断不为空 且 不在白名单内，返回403
    if ($allow_cors = "11") {
        return 403;
    }

    add_header 'Access-Control-Allow-Origin' 'http://10.86.37.169:80' always;
    add_header 'Access-Control-Allow-Credentials' 'true'  always;

    include      proxy_params;
    proxy_pass   http://localhost:8081/;
    access_log   /tmp/httplogs/uat-mobileapi-access.log main;
    error_log    /tmp/httplogs/uat-mobileapi-error.log;
}