CME-915
Cross-Origin Request Restriction (Reverse Proxy Origin Enforcement)
Description
Configure the reverse proxy or load balancer (nginx, Apache httpd, HAProxy) to validate the Origin and Referer headers on state-changing requests (POST, PUT, DELETE, PATCH, and WebSocket Upgrade) against an explicit allowlist of trusted origins. Requests with an Origin that does not match the allowlist are rejected with 403 before reaching the backend application. This provides defense-in-depth for applications that fail to validate cross-origin requests internally — the proxy enforces the same-origin boundary at the infrastructure layer.
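An nginx configuration that enforces this policy, added here as an illustration rather than taken from the source; the two allowlisted hostnames, the `backend` upstream address and the `/api/` location are placeholders to adapt. The `map` blocks go in the `http` context.

```nginx
# Explicit allowlist of trusted origins (placeholder hostnames). Any other value,
# including a request with no Origin header at all, maps to 0.
map $http_origin $origin_allowed {
    default                    0;
    "https://app.example.com"  1;
    "https://www.example.com"  1;
}

# Gate only state-changing methods and WebSocket handshakes. The decision is made
# on the combination "method:upgrade-header:allowlist-result".
map "$request_method:$http_upgrade:$origin_allowed" $reject_origin {
    default 0;
    # POST/PUT/DELETE/PATCH whose Origin is absent or not on the allowlist
    "~*^(POST|PUT|DELETE|PATCH):[^:]*:0$"  1;
    # WebSocket handshake (GET + Upgrade: websocket) with an absent or untrusted Origin
    "~*^GET:websocket:0$"                  1;
}

# Standard helper so the Connection header is only "upgrade" on WebSocket requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream backend {
    server 127.0.0.1:8080;   # placeholder application server
}

server {
    listen 443 ssl;
    server_name app.example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    location /api/ {
        # Reject at the proxy; the backend never sees the request.
        if ($reject_origin) {
            return 403;
        }
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Clients that never send an Origin header (curl, server-to-server jobs, most mobile SDKs) are rejected by this policy as written, so give them a separate location or an exemption keyed on a different credential rather than loosening the allowlist.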
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | The attacker must achieve a same-origin position (e.g., XSS on the allowed domain or social engineering to access a same-origin page) to bypass the proxy-level origin restriction. A simple cross-origin request from an attacker-controlled domain is rejected by the proxy before reaching the application, significantly increasing the complexity required for successful exploitation. |
CWE Relationships
Verification
Check reverse proxy configuration for Origin/Referer header validation on state-changing requests. The proxy should reject requests with an Origin not in the trusted allowlist.
$ grep -rE 'valid_referers|map.*\$http_origin' /etc/nginx/
# Expected: Origin validation directives present
Platform: rhel
$ grep -rE "Require expr.*HTTP_ORIGIN|SetEnvIf Origin" /etc/httpd/conf.d/
# Expected: Origin validation rules present
Platform: rhel
$ grep -rE "hdr\(Origin\)|req\.hdr\(Origin\)" /etc/haproxy/
# Expected: Origin ACL rules present
Platform: rhel
$ curl -s -o /dev/null -w "%{http_code}" -X POST -H "Origin: https://evil.example.com" https://your-app/api/endpoint
# Expected: 403
Platform: any