
This article applies to version 6.

Other available versions:

Version 5

Available in:

Standard, Premium, Enterprise
Small Business
Code42 Support

Configure the CORS domain whitelist for web applications

Overview

Typically, web requests are restricted to only the current domain, per the same-origin policy. Cross-origin resource sharing (CORS) allows for web requests from different domains. If you have a CORS-enabled web environment, you may want to restrict outside access to your Code42 server to only those requests originating from approved domains. This tutorial explains how to create a CORS whitelist of domains to accept web requests from.

Why use a CORS whitelist?

Under the same-origin policy, a web browser allows scripts in one web page to access data from another web page, but only if both pages have the same origin. An origin is a combination of a URI scheme, host name, and port number. The same-origin policy prevents a malicious script on one page from getting access to data on another web page.

Typically, you do not want to allow pages outside your domain to access data from inside your domain. But if you have several domains that you want to allow access, you can set up a CORS whitelist to allow the domains to share data.

Consider this example where you have a:

  • Code42 authority server in the domain foo.com
  • Code42 storage server in the domain bar.com
  • Web server running in the domain example.com

With CORS, the web app you develop, which runs on a server in the example.com domain and calls the servers in the foo.com and bar.com domains, will not be blocked by the default security settings of your users' browsers. Your whitelist would look like this: "foo.com,bar.com,example.com".

Considerations

  • Only domains that are absolutely needed for cross-origin communication should be whitelisted.
  • Extreme caution must be taken when specifying the domains in the whitelist because an overly permissive CORS policy may allow malicious applications to communicate with your application in an inappropriate way.
  • There are numerous Code42 API resources that support CORS that you can call from a domain added to the CORS whitelist.
  • You do not need to add the HTTP or HTTPS protocol to the domains in the whitelist.

Before you begin

Carefully consider the situations for which the whitelist is needed. For example, you may want to enable cross-origin resource requests to support your company's internal application so that it can consume Code42 APIs that are on different DNS domains. The whitelist should restrict domains as narrowly as possible to allow access only to those domains needed for these requests.

Carefully planning any whitelisted domains helps ensure secure access to your Code42 environment.

Create the CORS whitelist

  1. Sign in to the administration console.

  2. Double-click the logo in the upper-left corner of the administration console.
    The command-line interface appears in the administration console.
  3. To view the current CORS whitelist setting in your Code42 environment, enter the following prop.show command:

prop.show c42.private.server.cors.domain.whitelist

  4. Enter the following prop.set command at the top of the command-line interface to set the whitelist on all Code42 servers in your environment:

prop.set c42.private.server.cors.domain.whitelist "<domains>" save all

Replace <domains> with a comma-separated list of domains that are allowed to communicate with the Code42 environment.

Alternatively, you can enter the following command to set the whitelist on a specific Code42 server:

prop.set c42.private.server.cors.domain.whitelist "<domains>" save destination <guid>

Replace <guid> with the destination's GUID.

Overwriting values
Setting a new value with a prop.set command overwrites any existing value.

Warning for using the whitelist command
Use great care with syntax when entering this command. Placing improper characters into this command and then executing it can result in your Code42 server becoming inaccessible. If this occurs, remove the CORS whitelist and re-enter the whitelist command correctly.

  5. To verify the new setting in your Code42 environment, enter the following command:

prop.show c42.private.server.cors.domain.whitelist

  6. Verify that the resource to which you granted whitelist status can successfully access your Code42 environment.
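
Because a malformed value can make the server inaccessible, it helps to check the domain list before pasting the command. The following Python sketch is an added example, not Code42 code: it rejects entries with a protocol, quotation marks, or wildcards and builds the prop.set line shown above. The strict "bare hostname only" rule, the function names, and the sample GUID are assumptions of this example.

```python
import re

PROP = "c42.private.server.cors.domain.whitelist"  # property name from the article

# Assumption of this example: an entry is a bare DNS hostname (no scheme,
# port, path, wildcard, quote or space). The article only says the protocol
# is not needed; the stricter rule is a conservative choice.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})+")


def entry_problem(entry):
    """Return a reason string if the entry should be rejected, else None."""
    if "://" in entry:
        return "remove the protocol (http:// or https://)"
    if '"' in entry or "'" in entry:
        return "quotation marks belong around the whole list only"
    if "*" in entry:
        return "wildcards widen the policy; list each domain explicitly"
    if not HOSTNAME.fullmatch(entry.lower()):
        return "not a plain hostname"
    return None


def build_prop_set(domains, guid=None):
    """Validate the domains and return the prop.set line for the console."""
    if not domains:
        raise ValueError("empty whitelist")
    errors = {d: entry_problem(d) for d in domains if entry_problem(d)}
    if errors:
        raise ValueError(f"rejected entries: {errors}")
    # De-duplicate while keeping the order the administrator supplied.
    unique = list(dict.fromkeys(d.lower() for d in domains))
    joined = ",".join(unique)
    # "save all" targets every server; "save destination <guid>" targets one.
    scope = f"destination {guid}" if guid else "all"
    # The list is always wrapped in double quotation marks, never single.
    return f'prop.set {PROP} "{joined}" save {scope}'


if __name__ == "__main__":
    # Constructed sample input matching the article's foo/bar/example scenario.
    print(build_prop_set(["foo.com", "bar.com", "example.com"]))
    try:
        build_prop_set(["foo.com", "https://bar.com", "'example.com'"])
    except ValueError as exc:
        print(exc)
```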

Remove the CORS whitelist

If you place incorrect syntax in your domain list (for example, you enclose the domain list in single quotation marks rather than double quotation marks), it can cause the Code42 server to become inaccessible.

To recover from this error, run the following curl command from a command line to remove the CORS whitelist:

curl -u <admin username>:<admin password> -X POST -H "Content-Type: application/json" -d '{"command": "prop.remove c42.private.server.cors.domain.whitelist"}' https://<master server address>:4285/api/Cli