From 008406295ea67cbaedd201d5ee026e96653d23d5 Mon Sep 17 00:00:00 2001
From: chenzimmer2
Date: Sun, 29 Jan 2023 22:39:35 +0200
Subject: [PATCH 1/2] Release version 7.6.0

---
 CHANGELOG.md | 6 ++
 README.md | 148 +++++++++++++++++++++++++++++++++++-----------
 lib/pxenforcer.js | 2 +-
 package.json | 4 +-
 px_metadata.json | 3 +-
 5 files changed, 125 insertions(+), 38 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8be0128..f6c6930 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
+## [7.6.0] - 2023-01-26
+
+### Added
+
+- Support for CORS preflight requests and CORS headers in block responses
+
 ## [7.5.0] - 2023-01-26
 ### Added
diff --git a/README.md b/README.md
index 1cf2b02..6f40099 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 # [PerimeterX](http://www.perimeterx.com) Express.js Middleware
-> Latest stable version: [v7.5.0](https://www.npmjs.com/package/perimeterx-node-express)
+> Latest stable version: [v7.6.0](https://www.npmjs.com/package/perimeterx-node-express)
 ## Table of Contents
@@ -14,38 +14,39 @@
 - [Configuration](#configuration)
 - [Required Configuration](#requiredConfiguration)
 - [Optional Configuration](#optionalConfiguration)
- - [Module Enabled](#moduleEnabled)
- - [Module Mode](#moduleMode)
- - [Blocking Score](#blockingScore)
- - [Send Page Activities](#sendPageActivities)
- - [Send Block Activities](#sendBlockActivities)
- - [Logger Severity](#loggerSeverity)
- - [Sensitive Routes](#sensitiveRoutes)
- - [Enforced Specific Routes](#enforcedSpecificRoutes)
- - [Monitored Specific Routes](#monitoredSpecificRoutes)
- - [Filter By Route](#filterByRoute)
- - [Sensitive Headers](#sensitiveHeaders)
- - [IP Headers](#ipHeaders)
- - [First Party Enabled](#firstPartyEnabled)
- - [CD First Party Enabled](#CDFirstPartyEnabled)
- - [Custom Request Handler](#customRequestHandler)
- - [Additional Activity Handler](#additionalActivityHandler)
- - [Enrich Custom Parameters](#enrichCustomParams)
- - [CSS Ref](#cssRef)
- - [JS Ref](#jsRef)
- - [Custom Logo](#customLogo)
- - [Secured PXHD cookie](#securedpxhd)
- - [Proxy Support](#proxySupport)
- - [Custom Cookie Header](#customCookieHeader)
- - [Filter Traffic by User Agent](#filterByUserAgent)
- - [Filter Traffic by IP](#filterByIP)
- - [Filter Traffic by HTTP Method](#filterByMethod)
- - [Test Block Flow on Monitoring Mode](#bypassMonitorHeader)
- - [CSP Enabled](#cspEnabled)
- - [CSP Policy Refresh Interval](#cspPolicyRefreshIntervalMinutes)
- - [CSP Invalidate Policy Interval](#cspNoUpdatesMaxIntervalMinutes)
- - [Login Credentials Extraction](#loginCredentialsExtraction)
- - [JWT](#JWT)
+ - [Module Enabled](#moduleEnabled)
+ - [Module Mode](#moduleMode)
+ - [Blocking Score](#blockingScore)
+ - [Send Page Activities](#sendPageActivities)
+ - [Send Block Activities](#sendBlockActivities)
+ - [Logger Severity](#loggerSeverity)
+ - [Sensitive Routes](#sensitiveRoutes)
+ - [Enforced Specific Routes](#enforcedSpecificRoutes)
+ - [Monitored Specific Routes](#monitoredSpecificRoutes)
+ - [Filter By Route](#filterByRoute)
+ - [Sensitive Headers](#sensitiveHeaders)
+ - [IP Headers](#ipHeaders)
+ - [First Party Enabled](#firstPartyEnabled)
+ - [CD First Party Enabled](#CDFirstPartyEnabled)
+ - [Custom Request Handler](#customRequestHandler)
+ - [Additional Activity Handler](#additionalActivityHandler)
+ - [Enrich Custom Parameters](#enrichCustomParams)
+ - [CSS Ref](#cssRef)
+ - [JS Ref](#jsRef)
+ - [Custom Logo](#customLogo)
+ - [Secured PXHD cookie](#securedpxhd)
+ - [Proxy Support](#proxySupport)
+ - [Custom Cookie Header](#customCookieHeader)
+ - [Filter Traffic by User Agent](#filterByUserAgent)
+ - [Filter Traffic by IP](#filterByIP)
+ - [Filter Traffic by HTTP Method](#filterByMethod)
+ - [Test Block Flow on Monitoring Mode](#bypassMonitorHeader)
+ - [CSP Enabled](#cspEnabled)
+ - [CSP Policy Refresh Interval](#cspPolicyRefreshIntervalMinutes)
+ - [CSP Invalidate Policy Interval](#cspNoUpdatesMaxIntervalMinutes)
+ - [Login Credentials Extraction](#loginCredentialsExtraction)
+ - [JWT](#JWT)
+ - [CORS support](#px_cors_support)
 - [Code Defender Middleware - cdMiddleware](#cdMiddleware)
 - [Advanced Blocking Response](#advancedBlockingResponse)
 - [Multiple App Support](#multipleAppSupport)
@@ -853,6 +854,85 @@ const pxConfig = {
 }
 ```
+#### CORS Support
+
+Enable CORS support for the enforcer. This will allow the enforcer to filter out preflight requests and to add CORS headers to block responses.
+This will ensure responses are not blocked by the browser.
+CORS support is enabled by default.
+
+`px_cors_support_enabled` - Enable CORS support for the enforcer.
+
+**Default:** `false`
+
+`px_cors_custom_preflight_handler` - Custom preflight handler. This function will be called for preflight requests and returns response that will return to the client.
+
+```js
+// Example
+const pxConfig = {
+ ...
+ px_cors_custom_preflight_handler: function(request) {
+ const response = {
+ status: '204',
+ };
+
+ response.headers = {
+ 'Access-Control-Allow-Origin': req.headers['origin'] || '*',
+ 'Access-Control-Allow-Methods': req.method,
+ 'Access-Control-Allow-Headers': req.headers['access-control-request-headers'],
+ 'Access-Control-Allow-Credentials': 'true',
+ 'Access-Control-Max-Age': '86400',
+ };
+
+ return response;
+ };
+}
+```
+
+`px_cors_preflight_request_filter_enabled` - Filter out preflight requests from validation flow.
+
+**Default:** false
+
+Enable CORS support for the enforcer:
+``` JS
+const pxConfig = {
+ ...
+ px_cors_support_enabled: true,
+ px_cors_preflight_request_filter_enabled: true,
+ ...
+};
+```
+
+The default CORS policy when blocking a request is as follows:
+``` JS
+Access-Control-Allow-Origin: request origin
+Access-Control-Allow-Credentials: true
+```
+
+The default CORS policy can be overridden by setting the following properties:
+
+`px_cors_create_custom_block_response_headers`
+
+Synchronous function supplied by the customer which gets the original request and returns an array of custom headers to be added to the block response.
+Return type should be an array of objects as follows:
+
+```js
+// Example
+const pxConfig = {
+ ...
+ px_cors_create_custom_block_response_headers: function(request) {
+ return {
+ 'Access-Control-Allow-Origin': 'test_custom',
+ 'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+ 'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+ 'Access-Control-Allow-Credentials': 'test_custom'
+ }
+ };
+ ...
+};
+```
+
+**Default:** `null`
+
 ## Code Defender Middleware - cdMiddleware
 Code Defender's middleware to handle the enforcement of CSP headers on responses returned to the client.
@@ -972,7 +1052,7 @@ server.use('/app2', app1Router);
 server.listen(8081, () => {
 console.log('server started');
 });
-```
+``
 ## Additional Information
diff --git a/lib/pxenforcer.js b/lib/pxenforcer.js
index 2118f02..3cc2584 100644
--- a/lib/pxenforcer.js
+++ b/lib/pxenforcer.js
@@ -4,7 +4,7 @@ const { PxEnforcer, PxCdFirstParty } = require('perimeterx-node-core');
 const PxExpressClient = require('./pxclient');
 const PxCdEnforcer = require('./pxcdenforcer');
-const MODULE_VERSION = 'NodeJS Module v7.5.0';
+const MODULE_VERSION = 'NodeJS Module v7.6.0';
 const MILLISECONDS_IN_MINUTE = 60000;
 function parseCookies(req, res) {
diff --git a/package.json b/package.json
index e378570..6f73f9a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "perimeterx-node-express",
- "version": "7.5.0",
+ "version": "7.6.0",
 "description": "PerimeterX Express.js middleware to monitor and block traffic according to PerimeterX risk score",
 "main": "index.js",
 "directories": {
@@ -31,7 +31,7 @@
 "dependencies": {
 "axios": "^0.21.1",
 "cookie-parser": "^1.4.1",
- "perimeterx-node-core": "^3.8.0"
+ "perimeterx-node-core": "^3.9.0"
 },
 "devDependencies": {
 "chai": "^4.3.6",
diff --git a/px_metadata.json b/px_metadata.json
index 4cf9256..56dc4ea 100644
--- a/px_metadata.json
+++ b/px_metadata.json
@@ -1,5 +1,5 @@
 {
- "version": "7.5.0",
+ "version": "7.6.0",
 "supported_features": [
 "additional_activity_handler",
 "advanced_blocking_response",
@@ -11,6 +11,7 @@
 "block_page_js_challenge",
 "bypass_monitor_header",
 "client_ip_extraction",
+ "cors_support",
 "csp_support",
 "css_ref",
 "cookie_v3",

From e74ec323b2f192eac73f2d49a88d066c74403efb Mon Sep 17 00:00:00 2001
From: chenzimmer2
Date: Sun, 29 Jan 2023 23:18:37 +0200
Subject: [PATCH 2/2] Fixed readme

---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 6f40099..2bffa8c 100644
--- a/README.md
+++ b/README.md
@@ -876,9 +876,9 @@ const pxConfig = {
 };
 response.headers = {
- 'Access-Control-Allow-Origin': req.headers['origin'] || '*',
- 'Access-Control-Allow-Methods': req.method,
- 'Access-Control-Allow-Headers': req.headers['access-control-request-headers'],
+ 'Access-Control-Allow-Origin': request.headers['origin'] || '*',
+ 'Access-Control-Allow-Methods': request.method,
+ 'Access-Control-Allow-Headers': request.headers['access-control-request-headers'],
 'Access-Control-Allow-Credentials': 'true',
 'Access-Control-Max-Age': '86400',
 };
@@ -921,10 +921,10 @@ const pxConfig = {
 ...
 px_cors_create_custom_block_response_headers: function(request) {
 return {
- 'Access-Control-Allow-Origin': 'test_custom',
+ 'Access-Control-Allow-Origin': request.headers['origin'],
 'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
 'Access-Control-Allow-Headers': 'Content-Type, Authorization',
- 'Access-Control-Allow-Credentials': 'test_custom'
+ 'Access-Control-Allow-Credentials': 'true'
 }
 };
 ...