Using the API securely (v2)

Sorry if this is a dumb question. I’m new to servers.

Let’s say I’m testing caddy locally. Can any webpage just insert a

fetch('http://localhost:2019/load', { method: 'POST', body: someJSON});

and mess with my config? Is there something I should do to make sure that can’t happen? Is it just a matter of only ever running caddy in a container or setting up some kind of auth for the config endpoint or …?

Welcome back!

Good question. You should try it! :wink:

Spoiler below:

The answer is no, because browsers enforce CORS. Unless there is a bug in the web browser, they can't access Caddy's config endpoints because they're on a different host ("origin"). Further, production web servers don't typically run web browsers. Of course, not just web sites can try to connect to sockets -- any code running on the local machine can. So in general, a standard threat model assumes that arbitrary code isn't running on your machine; i.e. don't run untrusted code, and if it is (like web pages), sandbox it. Once your machine is running arbitrary, unsandboxed code -- it's game over, no matter what protections we try to put in place. Still, if you have to do this, you can configure Caddy to strictly enforce origin checking, and even use a secret origin value if you wish. But 99.99% of the time, this is not necessary.
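
The stricter setup mentioned at the end of the reply above, as an added example that is not part of the original thread: a Caddyfile global options block that turns on origin enforcement for the admin API. The origin value is a constructed placeholder, and the listen address is the one from the question's fetch() call.

```caddyfile
# Added example, not from the thread. The origin value is a constructed placeholder.
{
	# Admin API address, as used in the question's fetch() call.
	admin localhost:2019 {
		# Fail admin API requests that are not for a permitted origin.
		enforce_origin

		# The only permitted origin. Choosing an unguessable value here is
		# the "secret origin" idea from the reply: a client has to present
		# this origin for its request to be accepted.
		origins REPLACE-WITH-RANDOM-VALUE.invalid
	}
}
```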
