multiple-origins-allowed-CORS.py
-----
CODE:
-----
import json

host = ".org"  # the origin suffix you wish to allow. In your case this would be: host = ".zuluapp.io" (no trailing space, or it never matches)
allowed_methods = ["GET", "OPTIONS"]  # the methods that are allowed


def lambda_handler(event, context):
    # API Gateway passes header names as sent (REST API proxy integration) or
    # lower-cased (HTTP API), so normalise the keys before looking them up.
    headers = {k.lower(): v for k, v in (event.get('headers') or {}).items()}
    # Origin is absent on same-origin and non-browser requests, and
    # Access-Control-Request-Method is only sent on a preflight (OPTIONS)
    # request, so use .get() to avoid a KeyError when either is missing.
    host_name = headers.get('origin', '')
    requested_method = headers.get('access-control-request-method', '')
    # if condition to check if the host name is present in the origin.
    # Ensure to NOT include "*" in the host and just include the remaining part.
    # Note: "in" is a substring test, so an Origin such as
    # https://zuluapp.io.attacker.com also contains ".zuluapp.io" and passes.
    if host in host_name and requested_method in allowed_methods:
        return {
            'statusCode': 200,
            'headers': {
                'Access-Control-Allow-Headers': '*',
                # echo the checked origin back; this header takes one origin or "*", never a list
                'Access-Control-Allow-Origin': host_name,
                'Access-Control-Allow-Methods': requested_method,
                # required when the origin is echoed, so a shared cache keys on Origin
                'Vary': 'Origin'
            },
            'body': json.dumps('Hello from Lambda!')
        }
    else:
        # No Access-Control-Allow-Origin header is sent (".org" is not a valid
        # origin value anyway), so the browser blocks the cross-origin read.
        return {
            'statusCode': 200,
            'headers': {
                'Access-Control-Allow-Headers': '*',
                # a list of methods must be a comma-separated string, not str(list)
                'Access-Control-Allow-Methods': ", ".join(allowed_methods)
            },
            'body': json.dumps('Hello from Lambda!')
        }
------------
EXPLANATION:
------------
This code is a simple AWS Lambda function, written in Python, that is meant to sit behind an API Gateway proxy integration and set CORS headers on the HTTP response. It does not create the API Gateway itself; the gateway forwards each request to the function as the "event" object.
The purpose of this script is to allow cross-origin resource sharing (CORS) for a chosen set of origins. CORS is a browser mechanism that relaxes the same-origin policy. The same-origin policy stops a page on one origin from reading responses fetched from another origin, which keeps a malicious site from using a visitor's browser (and the visitor's cookies) to read data from other sites. Some web apps legitimately need to call APIs on other origins, and the server grants that through CORS response headers, which the browser enforces on the client side.
Let’s get into the code itself -
Importing necessary libraries
import json
This line imports the json module, used here to encode the response body as JSON.
Setting some configurations
host = ".org"
allowed_methods = ["GET","OPTIONS"]
These two lines define the allowed origin suffix (any Origin value containing this text passes the check below) and the HTTP methods that may be used cross-origin.
Defining the lambda_handler() function
def lambda_handler(event, context):
The lambda_handler() function is the entry point of the Lambda function. It takes two parameters, "event" and "context". The "event" parameter contains the incoming request as API Gateway passes it (headers, method, body), while the "context" parameter provides runtime information about the invocation.
Reading request headers
headers = {k.lower(): v for k, v in (event.get('headers') or {}).items()}
host_name = headers.get('origin', '')
requested_method = headers.get('access-control-request-method', '')
These lines read the Origin and Access-Control-Request-Method headers. The browser sends Origin on every cross-origin request, but it sends Access-Control-Request-Method only on the preflight OPTIONS request, and API Gateway may deliver header names in their original case or lower-cased depending on the API type. The keys are therefore lower-cased and looked up with .get(), so a missing header yields an empty string instead of a KeyError.
Checking if the host and method are allowed
if host in host_name and requested_method in allowed_methods:
    return {
        'statusCode': 200,
        'headers': {
            'Access-Control-Allow-Headers': '*',
            'Access-Control-Allow-Origin': host_name,
            'Access-Control-Allow-Methods': requested_method,
            'Vary': 'Origin'
        },
        'body': json.dumps('Hello from Lambda!')
    }
Here we check whether the incoming origin and requested method match the allowed configuration and, if so, set the Access-Control-Allow-* headers on the response. The caller's origin is echoed back in Access-Control-Allow-Origin because that header accepts a single origin or "*", never a list or a suffix; this is how several origins can be allowed without resorting to "*". A 200 status code with these headers tells the browser to let the calling page use the response. Two caveats a reviewer would raise: first, "host in host_name" is a substring test, not a suffix test, so with host = ".zuluapp.io" an origin such as https://zuluapp.io.attacker.com, on a domain anyone can register, is also accepted; parse the Origin value and compare its hostname with endswith() or against an explicit allowlist instead. Second, whenever an origin is echoed back the response must carry Vary: Origin, otherwise a shared cache can hand one origin's response, including its Access-Control-Allow-Origin header, to a different origin.
If the provided host or method has not been allowed
else:
    return {
        'statusCode': 200,
        'headers': {
            'Access-Control-Allow-Headers': '*',
            'Access-Control-Allow-Methods': ", ".join(allowed_methods)
        },
        'body': json.dumps('Hello from Lambda!')
    }
Here, when the origin or the method is not in the allowed configuration, the response carries no Access-Control-Allow-Origin value that matches the caller's origin, so the browser refuses to expose the response to the calling page. Note that the function still runs and still returns a 200 with its body: CORS only controls what the browser lets a page read, it does not stop the request from reaching the Lambda, so it is not a substitute for authentication.
In summary, this code receives HTTP requests, checks the Origin and requested method headers against the configured allow list, and sets the CORS response headers only when both match, leaving them off otherwise.