CORS
The CORS middleware implements the CORS specification. CORS provides cross-domain access controls for web servers, enabling secure cross-domain data transfers.

All core middleware lives in the middleware package:

```go
import "github.com/labstack/echo/v5/middleware"

e.Use(middleware.CORS("https://example.com", "https://subdomain.example.com"))
```

Custom configuration

```go
e := echo.New()
e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
	AllowOrigins: []string{"https://labstack.com", "https://labstack.net"},
	AllowHeaders: []string{echo.HeaderOrigin, echo.HeaderContentType, echo.HeaderAccept},
}))
```

Configuration
```go
type CORSConfig struct {
	// Skipper defines a function to skip middleware.
	Skipper Skipper

	// AllowOrigins determines the value of the Access-Control-Allow-Origin response
	// header, defining the list of origins that may access the resource.
	//
	// An origin consists of: scheme + "://" + host + optional ":" + port.
	// A wildcard may be used, but it must be set explicitly as []string{"*"}.
	// Example: `https://example.com`, `http://example.com:8080`, `*`.
	//
	// Security: use extreme caution when handling the origin and carefully validate any
	// logic. Attackers may register hostile domain names. See
	// https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
	//
	// Mandatory.
	AllowOrigins []string

	// UnsafeAllowOriginFunc is an optional custom function to validate the origin. It
	// takes the origin and returns the allowed origin, whether it is allowed, and an
	// error (returned immediately by the handler). If set, AllowOrigins is ignored.
	//
	// Security: use extreme caution when handling the origin. Attackers may register
	// hostile (sub)domain names.
	//
	// Sub-domain check example:
	//   UnsafeAllowOriginFunc: func(c *echo.Context, origin string) (string, bool, error) {
	//       if strings.HasSuffix(origin, ".example.com") {
	//           return origin, true, nil
	//       }
	//       return "", false, nil
	//   }
	//
	// Optional.
	UnsafeAllowOriginFunc func(c *echo.Context, origin string) (allowedOrigin string, allowed bool, err error)

	// AllowMethods determines the value of the Access-Control-Allow-Methods response
	// header, used in response to a preflight request.
	//
	// Optional. Defaults to GET, HEAD, PUT, PATCH, POST, DELETE. If left empty, the
	// middleware fills the preflight Access-Control-Allow-Methods header from the
	// `Allow` header that the router set into the context.
	AllowMethods []string

	// AllowHeaders determines the value of the Access-Control-Allow-Headers response
	// header, indicating which HTTP headers can be used in the actual request.
	//
	// Optional. Defaults to an empty list.
	AllowHeaders []string

	// AllowCredentials determines the value of the Access-Control-Allow-Credentials
	// response header, indicating whether the response can be exposed when the
	// credentials mode is true.
	//
	// Optional. Default value false, in which case the header is not set.
	//
	// Security: avoid using AllowCredentials = true together with AllowOrigins = *.
	AllowCredentials bool

	// ExposeHeaders determines the value of Access-Control-Expose-Headers, the list of
	// headers clients are allowed to access.
	//
	// Optional. Default value []string{}, in which case the header is not set.
	ExposeHeaders []string

	// MaxAge determines the value of the Access-Control-Max-Age response header, how long
	// (in seconds) the results of a preflight request can be cached. The header is set
	// only if MaxAge != 0; a negative value sends "0", instructing browsers not to cache.
	//
	// Optional. Default value 0, in which case the header is not sent.
	MaxAge int
}
```

Default configuration

```go
// Effective defaults applied when fields are left unset.
CORSConfig{
	Skipper:      DefaultSkipper,
	AllowMethods: []string{http.MethodGet, http.MethodHead, http.MethodPut, http.MethodPatch, http.MethodPost, http.MethodDelete},
}
```

Security
A wildcard origin (AllowOrigins: []string{"*"}) combined with AllowCredentials: true is dangerous: it would reflect the Origin of any request in Access-Control-Allow-Origin, letting a page on any site make credentialed cross-origin requests to your API (see Exploiting CORS misconfigurations). Echo refuses this combination instead of building an insecure middleware: CORS and CORSWithConfig panic, and CORSConfig.ToMiddleware() returns an error. To allow credentialed requests, list the trusted origins explicitly:

```go
e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
	AllowOrigins:     []string{"https://example.com"},
	AllowCredentials: true,
}))
```

For dynamic origin validation, use UnsafeAllowOriginFunc and validate each origin carefully: attackers can register fake or hostile (sub)domain names.
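The following is an added example, not code from the Echo project, of what a careful UnsafeAllowOriginFunc body can look like: it parses the Origin rather than matching the raw string, so look-alike registrations such as `evilexample.com` or `example.com.attacker.test` (constructed hostile names) are rejected, and it only ever echoes back an exact origin, never `*`. The parent domain `example.com` and the helper name `allowOrigin` are this example's own assumptions; the Echo wiring appears as a comment so the file runs with the standard library alone.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed for this example: the registrable domain whose HTTPS subdomains
// may call the API. Not an identifier from the Echo project.
const trustedParent = "example.com"

// allowOrigin is the body of an UnsafeAllowOriginFunc: it returns the exact
// origin to echo back in Access-Control-Allow-Origin (never "*"), whether it is
// allowed, and an error (unused here; a non-nil error would abort the handler).
func allowOrigin(origin string) (string, bool, error) {
	u, err := url.Parse(origin)
	// Require https on the default port; "null", opaque and unparsable origins fail here.
	if err != nil || u.Scheme != "https" || u.Host == "" || u.Port() != "" {
		return "", false, nil
	}
	// A browser Origin is scheme://host[:port] only; anything more is not an origin.
	if u.Opaque != "" || u.User != nil || u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return "", false, nil
	}
	// Compare the parsed host, not the raw string: "https://evilexample.com" fails
	// the dot-prefixed suffix test and "https://example.com.attacker.test" has the
	// wrong host entirely.
	host := strings.ToLower(u.Hostname())
	if host == trustedParent || strings.HasSuffix(host, "."+trustedParent) {
		return origin, true, nil
	}
	return "", false, nil
}

// Wiring into Echo (comment only, so this file runs without importing echo):
//
//	UnsafeAllowOriginFunc: func(c *echo.Context, origin string) (string, bool, error) {
//		return allowOrigin(origin)
//	},

func main() {
	for _, o := range []string{ // constructed sample origins
		"https://api.example.com", "https://example.com", "http://api.example.com",
		"https://evilexample.com", "https://example.com.attacker.test", "null",
	} {
		allowed, ok, _ := allowOrigin(o)
		fmt.Printf("%-36s allowed=%-5v echo=%q\n", o, ok, allowed)
	}
}
```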