
[SECURITY] Stricter CORS Configuration - Whitelist Origins Only #980

Open
pandigresik wants to merge 1 commit into rilis-dev from dev-964

Conversation

@pandigresik
Contributor

Fix for issue #964

CORS Security - Summary of the Fix

📋 Overview

Critical security fix to the CORS (Cross-Origin Resource Sharing) configuration to prevent unauthorised API access from untrusted domains.


⚠️ Security Issue

Previous State

// config/cors.php - BEFORE (INSECURE)
'allowed_origins' => ['*'],  // ❌ ALLOWS ALL DOMAINS
'allowed_headers' => ['*'],  // ❌ ALLOWS ALL HEADERS
'supports_credentials' => true,

Security Impact

  1. Cross-Origin API Abuse: malicious websites can access the API from the user's browser
  2. Data Leak/Disclosure: sensitive data can be accessed by third parties
  3. Larger CSRF Scenario: CSRF attacks become easier to carry out
  4. Authentication Exploit: the user's session/token can be exploited via malicious JavaScript

The combination of allowed_origins = * with supports_credentials = true is a CRITICAL SECURITY VULNERABILITY.


✅ Solution Applied

1. Changes to config/cors.php

// config/cors.php - AFTER (SECURE)

// ✅ Allowed origins from an environment variable with a domain whitelist
'allowed_origins' => array_filter(explode(',', env('CORS_ALLOWED_ORIGINS', 
    'https://devopenkab.opendesa.id,' .
    'http://localhost:3000,http://127.0.0.1:3000,' .
    'http://localhost:5173,http://127.0.0.1:5173'
))),

// ✅ Allowed headers limited to those actually required
'allowed_headers' => ['Content-Type', 'Authorization', 'X-Requested-With', 'X-XSRF-TOKEN'],

'supports_credentials' => true,

2. Changes to .env.example

New environment variable added:

# CORS Configuration - Comma-separated list of allowed origins
# IMPORTANT: Do not use wildcard (*) when supports_credentials=true
# Production: https://devopenkab.opendesa.id
# Development: http://localhost:3000,http://127.0.0.1:5173,etc.
CORS_ALLOWED_ORIGINS=https://devopenkab.opendesa.id,http://localhost:3000,http://127.0.0.1:3000,http://localhost:5173,http://127.0.0.1:5173

3. Test Coverage - tests/Feature/CorsSecurityTest.php

13 test cases that ensure the CORS configuration is secure:

No Test Case Status
1 Allowed origins restricted to trusted domains
2 Preflight requests from allowed origins succeed
3 Preflight requests from non-allowed origins rejected
4 Actual requests include CORS headers
5 Supports credentials is enabled
6 Allowed headers are restricted
7 Wildcard origin with credentials NOT configured
8 Production domain in allowed origins
9 Localhost URLs available for development
10 API endpoints handle preflight correctly
11 Multiple allowed origins work correctly
12 Null origin handled securely
13 CORS config from environment variable

Running the tests:

php artisan test --filter CorsSecurityTest

🔧 Configuration per Environment

Production

CORS_ALLOWED_ORIGINS=https://devopenkab.opendesa.id

Development

CORS_ALLOWED_ORIGINS=http://localhost:3000,http://127.0.0.1:3000,http://localhost:5173,http://127.0.0.1:5173

Staging

CORS_ALLOWED_ORIGINS=https://staging-openkab.example.com,https://devopenkab.opendesa.id

Multiple Domains

CORS_ALLOWED_ORIGINS=https://domain1.com,https://domain2.com,http://localhost:3000

🧪 Testing

Preflight test from an allowed origin

curl -X OPTIONS http://localhost:8000/api/user \
  -H "Origin: http://localhost:3000" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: Content-Type, Authorization" \
  -v

# Expected: HTTP 204 with the header:
# Access-Control-Allow-Origin: http://localhost:3000

Preflight test from a NON-allowed origin

curl -X OPTIONS http://localhost:8000/api/user \
  -H "Origin: https://malicious-site.com" \
  -H "Access-Control-Request-Method: POST" \
  -v

# Expected: the Access-Control-Allow-Origin header does NOT reflect the malicious origin

Running all CORS tests

# Unit/Feature tests
php artisan test --filter CorsSecurityTest

# E2E tests (if any)
npm run test:e2e

📁 Files Changed

File                                Changes
config/cors.php                     ✅ Restrict allowed origins from wildcard to a domain whitelist
                                    ✅ Restrict allowed headers to the required headers
.env.example                        ✅ Add the CORS_ALLOWED_ORIGINS environment variable
tests/Feature/CorsSecurityTest.php  ✅ New test file with 13 test cases
QWEN.md                             ✅ Document the CORS security configuration

🎯 Implementation Checklist

  • Change allowed_origins from * to a domain whitelist
  • Change allowed_headers from * to specific headers
  • Add the CORS_ALLOWED_ORIGINS environment variable
  • Create test coverage for CORS security
  • Update documentation
  • Verify all tests pass (13/13 ✅)

📚 References


⚡ Quick Commands

# Run CORS security tests
php artisan test --filter CorsSecurityTest

# Clear config cache (after changes)
php artisan config:clear
php artisan cache:clear

# Verify CORS configuration
php artisan tinker
>>> config('cors.allowed_origins')
>>> config('cors.allowed_headers')
>>> config('cors.supports_credentials')

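A standalone illustration of the whitelist decision the new config/cors.php encodes, added here as an example and not taken from this PR or the project's code. It parses a CORS_ALLOWED_ORIGINS value the same way the PR does (explode plus array_filter), refuses the wildcard when credentials are enabled, and then shows which Origin values would be reflected back, including the "null" origin case from test 12. The function names parseAllowedOrigins and corsHeadersFor and every sample origin are assumptions made for the example.

```php
<?php
// Added example: minimal model of the CORS origin-whitelist decision.
// Not part of the PR or the project; function names and samples are assumed.

declare(strict_types=1);

/**
 * Parse the comma-separated CORS_ALLOWED_ORIGINS value into a clean whitelist.
 * Each entry is trimmed, so "a, b" still yields "b" rather than " b";
 * empty entries (trailing commas) are dropped; a wildcard combined with
 * credentials is refused outright instead of silently configured.
 */
function parseAllowedOrigins(string $raw, bool $supportsCredentials): array
{
    $origins = array_values(array_filter(array_map('trim', explode(',', $raw))));

    if ($supportsCredentials && in_array('*', $origins, true)) {
        throw new InvalidArgumentException(
            'Wildcard origin is not allowed when supports_credentials=true'
        );
    }

    return $origins;
}

/**
 * Decide which CORS headers to attach for a given Origin request header.
 * Returns [] when the origin must not be reflected: absent, empty, the
 * opaque "null" origin, or simply not on the whitelist. Matching is exact on
 * scheme + host + port, which is all a browser ever puts in Origin.
 */
function corsHeadersFor(
    ?string $origin,
    array $allowedOrigins,
    array $allowedHeaders,
    bool $supportsCredentials
): array {
    if ($origin === null || $origin === '' || $origin === 'null') {
        return [];
    }
    if (!in_array($origin, $allowedOrigins, true)) {
        return [];
    }

    $headers = [
        'Access-Control-Allow-Origin'  => $origin,
        'Access-Control-Allow-Headers' => implode(', ', $allowedHeaders),
        // A per-origin reflected value must not be served from a shared
        // cache to a different origin, so the response varies on Origin.
        'Vary'                         => 'Origin',
    ];
    if ($supportsCredentials) {
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }

    return $headers;
}

// Constructed sample values mirroring the shape of the PR's .env.example
// (note the deliberate space after the first comma).
$allowed = parseAllowedOrigins(
    'https://devopenkab.opendesa.id, http://localhost:3000,http://127.0.0.1:3000',
    true
);
$allowedHeaders = ['Content-Type', 'Authorization', 'X-Requested-With', 'X-XSRF-TOKEN'];

// Constructed Origin header values a server might see.
$cases = [
    'http://localhost:3000',       // whitelisted: reflected
    'https://malicious-site.com',  // not whitelisted: no CORS headers
    'null',                        // opaque origin (sandboxed iframe, file://): rejected
    'http://localhost:3000/',      // trailing slash never occurs in a real Origin; no match
    null,                          // no Origin header (same-origin or non-browser client)
];

foreach ($cases as $origin) {
    $h = corsHeadersFor($origin, $allowed, $allowedHeaders, true);
    printf(
        "%-30s => %s\n",
        var_export($origin, true),
        $h ? $h['Access-Control-Allow-Origin'] : '(no CORS headers)'
    );
}
```

Run it with `php cors_example.php`. The one place it departs from the PR's single line of config is the trim: `array_filter(explode(',', ...))` on its own keeps a leading space in `" http://localhost:3000"`, and that entry then never equals the Origin a browser sends, so a whitelist written with spaces after the commas silently excludes those origins. Checking the parsed `config('cors.allowed_origins')` in tinker, as the Quick Commands above do, is the quickest way to spot that.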