It's not unusual to use a regex for `Referer` or `Origin` header validation. Often it is needed for setting the `X-Frame-Options` header (ClickJacking protection) or for Cross-Origin Resource Sharing.
The most common errors with this configuration are:
- regex errors;
- allowing third-party origins.
> Notice: by default, Gixy doesn't check whether your regexes match third-party origins. You can pass a list of trusted domains by using the option `--origins-domains example.com,foo.bar`.
"Eazy"-breezy:
- you have to find all the `if` directives that are in charge of the `$http_origin` or `$http_referer` check;
- make sure your regexes are a-ok.
Misconfiguration example:

```nginx
if ($http_origin ~* ((^https://www\.yandex\.ru)|(^https://ya\.ru)$)) {
    add_header 'Access-Control-Allow-Origin' "$http_origin";
    add_header 'Access-Control-Allow-Credentials' 'true';
}
```
TODO(buglloc): cover typical regex-writing problems
TODO(buglloc): Regex Ninja?
- fix your regex or toss it away :)
- if you use regex validation for the `Referer` request header, then, possibly (not 100%), you could use ngx_http_referer_module;
- sometimes it is much better to use the `map` directive without any regex at all.
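To see concretely which origins the misconfiguration example above lets through, and what the two fixes from the list above (a regex with the anchors placed correctly, or an exact-match `map` without any regex) change, here is an added Python example. It is not part of the Gixy documentation or project: it reproduces nginx's `~*` check with Python's `re` (case-insensitive, unanchored search) against a constructed list of origins, and the corrected pattern and the allow list are assumptions made for illustration.

```python
import re

# Constructed sample origins for this example (not from the Gixy docs). The first
# two are the intended trusted origins; the rest are third-party or unexpected
# origins that a correct check must reject.
SAMPLE_ORIGINS = [
    "https://www.yandex.ru",
    "https://ya.ru",
    "https://www.yandex.ru.example",  # trusted host used as a prefix of another host
    "https://www.yandex.ru:8443",     # trusted host with an unexpected port
    "http://ya.ru",                   # plain-http origin, rejected by every check
]

# The regex from the misconfiguration example above, unchanged. nginx's `~*` is a
# case-insensitive, unanchored PCRE search, which re.search with IGNORECASE mirrors.
# Only the second alternative ends with `$`; the first matches any origin that merely
# starts with https://www.yandex.ru.
VULNERABLE_PATTERN = re.compile(
    r"((^https://www\.yandex\.ru)|(^https://ya\.ru)$)", re.IGNORECASE
)

# Assumed corrected pattern: one anchor pair around the whole alternation, so every
# alternative is anchored at both ends.
STRICT_PATTERN = re.compile(r"^https://(www\.yandex\.ru|ya\.ru)$", re.IGNORECASE)

# Assumed exact-match allow list: the equivalent of a `map $http_origin ...` block
# that lists plain strings instead of regexes. Compared case-insensitively.
ALLOWED_ORIGINS = {"https://www.yandex.ru", "https://ya.ru"}


def regex_allows(pattern: re.Pattern, origin: str) -> bool:
    """True if `if ($http_origin ~* pattern)` would take the branch for this origin."""
    return pattern.search(origin) is not None


def map_allows(origin: str) -> bool:
    """True if the exact-match allow list would select this origin."""
    return origin.lower() in ALLOWED_ORIGINS


def audit(origins=SAMPLE_ORIGINS) -> dict:
    """Return, per origin, which of the three checks would allow it."""
    return {
        origin: {
            "vulnerable_regex": regex_allows(VULNERABLE_PATTERN, origin),
            "strict_regex": regex_allows(STRICT_PATTERN, origin),
            "exact_map": map_allows(origin),
        }
        for origin in origins
    }


def wrongly_allowed(origins=SAMPLE_ORIGINS) -> list:
    """Origins the vulnerable regex accepts even though they are not on the allow list."""
    return [o for o in origins if regex_allows(VULNERABLE_PATTERN, o) and not map_allows(o)]


if __name__ == "__main__":
    for origin, result in audit().items():
        print(f"{origin:32} {result}")
    print("wrongly allowed by the vulnerable regex:", wrongly_allowed())
```

Running it shows the two prefix-based origins accepted by the vulnerable regex and rejected by both the strict regex and the exact-match list, while the plain-http origin is rejected by all three; the same harness can be pointed at any regex you lift from an `if` directive before you decide whether to fix it or replace it with a `map`.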