Headers

HTTP Response Headers:

Access-Control-Allow-Origin

Set by the target origin and lists the requesting origins that are allowed. If the requesting origin is not in that list, the browser blocks the response and the requesting script sees an empty result.

If the requesting origin is allowed, getting a victim to visit a crafted website link would allow you to read all the information on the site.

Access-Control-Allow-Credentials

The credentials we sent were accepted and the requested file is in the body. If credentials are not set up to be passed, the response will be blank. This header cannot be used if Allow-Origin is a wildcard.

Access-Control-Allow-Headers

This is sent back in response to the preflight and informs of the allowed custom headers.

Access-Control-Allow-Methods

This is sent back in response to the preflight and informs of the allowed HTTP request types.

Access-Control-Max-Age

This is sent back in response to the preflight and tells the browser how long the preflight result may be cached.

Access-Control-Expose-Headers

This is sent back in response to the preflight and lists the response headers that scripts in the browser are allowed to read.

HTTP Request Headers:

Origin

Contains the protocol, domain, and port of the requesting origin.

Access-Control-Request-Method

Set in the preflight request and lists the method that will be used in the actual CORS request.

Access-Control-Request-Headers

Set in the preflight request and lists the non-standard headers that will be used in the actual CORS request.
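As an added example (not code from the original page), the following Python helper shows how a server would turn the headers above into a policy: it reads Origin, Access-Control-Request-Method and Access-Control-Request-Headers from the request, answers a preflight with Allow-Methods, Allow-Headers and Max-Age, and sends Allow-Origin, Allow-Credentials and Expose-Headers on the actual response. The allowlist values (ALLOWED_ORIGINS and friends) are constructed for this example, and the application names are hypothetical. A second function flags the two weak configurations the notes warn about: a wildcard Allow-Origin combined with credentials, and an Allow-Origin that simply reflects whatever the requester sent.

```python
"""Added example: server-side CORS policy helper (not from the original page)."""
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical application: exact origins
# (scheme + host + port), never substrings or patterns.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
ALLOWED_METHODS = {"GET", "POST", "DELETE"}
ALLOWED_REQUEST_HEADERS = {"content-type", "x-csrf-token"}
EXPOSED_HEADERS = ["X-Request-Id"]
PREFLIGHT_MAX_AGE = 600  # seconds the browser may cache a preflight answer


def normalize_origin(origin):
    """Return the canonical scheme://host[:port] form, or None if malformed.

    Matching the whole normalized origin (not a suffix or prefix) avoids
    accepting look-alikes such as https://app.example.com.evil.net.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers(request_headers, credentials=False):
    """Build the Access-Control-* response headers for one request.

    request_headers maps header name -> value (names compared case-insensitively).
    Returns (status, headers): 204 for an answered preflight, 403 for a preflight
    asking for something the policy forbids, 200 otherwise. A disallowed origin
    gets no CORS headers at all, so the browser withholds the body from scripts.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = normalize_origin(req.get("origin"))
    if origin not in ALLOWED_ORIGINS:
        return 200, {}

    headers = {
        # Echo the specific matching origin: never "*" and never the raw header.
        "Access-Control-Allow-Origin": origin,
        # Caches must key on Origin, or one origin's answer is served to another.
        "Vary": "Origin",
    }
    if credentials:
        # Credentials may only be allowed together with a concrete origin.
        headers["Access-Control-Allow-Credentials"] = "true"

    if "access-control-request-method" in req:
        # Preflight: validate the method and custom headers the browser asks for.
        method = req["access-control-request-method"].upper()
        asked = {
            h.strip().lower()
            for h in req.get("access-control-request-headers", "").split(",")
            if h.strip()
        }
        if method not in ALLOWED_METHODS or not asked <= ALLOWED_REQUEST_HEADERS:
            return 403, {}
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        if asked:
            headers["Access-Control-Allow-Headers"] = ", ".join(sorted(asked))
        headers["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
        return 204, headers

    # Actual request: name the response headers scripts may read.
    headers["Access-Control-Expose-Headers"] = ", ".join(EXPOSED_HEADERS)
    return 200, headers


def policy_is_unsafe(response_headers, request_origin):
    """True for the header combinations the notes warn about: a wildcard
    Allow-Origin with credentials, or a reflected (non-allowlisted) origin
    with credentials."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao == "*" and creds:
        return True
    if creds and acao == request_origin and normalize_origin(request_origin) not in ALLOWED_ORIGINS:
        return True
    return False
```

Run `cors_headers({"Origin": "https://app.example.com", "Access-Control-Request-Method": "DELETE", "Access-Control-Request-Headers": "X-CSRF-Token, Content-Type"})` to see a full preflight answer; swap the origin for one outside the allowlist and the result carries no Access-Control headers at all, which is the safe failure mode.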
