How to Secure Nginx CORS Settings to Meet Chinese Security Standards
This guide explains why unchecked Origin headers violate Chinese security requirements, demonstrates the vulnerability with a curl test, and provides a complete Nginx configuration using a map directive to whitelist origins and return 403 for illegal requests.
According to the Chinese security classification (等保) requirements, allowing cross‑origin requests without proper validation is a security risk that must be remedied.
The vulnerability appears when the server does not inspect the Origin request header; any origin can access the resource, which can be confirmed by sending a request with a custom Origin header and receiving a successful response.
Reproduction example:

curl -H 'Origin: http://test.com' http://192.168.15.32:80

Because the request succeeds, the server is not restricting origins and is vulnerable.
Fix method
Define a map directive in the Nginx configuration to create a whitelist of allowed origins. The map sets a variable $allow_cors to 0 for disallowed origins and 1 for allowed ones. In the server block, return 403 when the variable is 0 and add the appropriate CORS response headers for allowed origins.
http {
    ...
    # Whitelist of allowed origins: only the listed patterns map to 1,
    # everything else falls through to "default 0" and is rejected below.
    map $http_origin $allow_cors {
        default 0;
        # No Origin header means the request is not cross-origin; do not block it.
        "" 1;
        # Anchor the pattern on the host so that a name such as
        # tripwolf.com.evil.example (constructed) does not match.
        "~*^https?://([a-z0-9-]+\.)*tripwolf\.com(:[0-9]+)?$" 1;
        "~*^https?://dmp\.finerice\.cn(:[0-9]+)?$" 1;
    }
    server {
        # Reflect the origin only because every other origin gets a 403 below.
        # add_header skips the header when $http_origin is empty.
        add_header Access-Control-Allow-Origin $http_origin;
        add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";
        location / {
            if ($allow_cors = 0) {
                return 403;
            }
            root /mnt/data;
        }
    }
}

Verification method
Use tools such as Postman to send requests with different Origin values and observe whether the server returns a normal response or a 403 error. If CORS is not required at all, simply remove the add_header Access-Control-Allow-Origin (and related) directives to avoid the complexity.
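The whitelist logic of the map can also be checked offline. The following Python script is an added example, not code from the original article: it runs the article's original loose patterns and tightened equivalents over constructed Origin values and reports which origins each version would admit (all sample hostnames other than the two whitelisted domains are made up).

```python
import re

# Patterns as written in the original map block (loose) and tightened
# equivalents. Python's re accepts the same syntax Nginx uses for "~" keys;
# re.I mirrors the case-insensitive "~*" prefix.
LOOSE = [
    re.compile(r"^https?://.*?\.tripwolf\.com.*$"),
    re.compile(r"^(https?://(dmp\.finerice\.cn)?)$"),
]
STRICT = [
    re.compile(r"^https?://([a-z0-9-]+\.)*tripwolf\.com(:\d+)?$", re.I),
    re.compile(r"^https?://dmp\.finerice\.cn(:\d+)?$", re.I),
]


def allow_cors(origin: str, patterns, allow_missing: bool = True) -> int:
    """Mirror the Nginx map: 1 when $http_origin is whitelisted, else 0.

    A request without an Origin header is not cross-origin, so it is
    admitted when allow_missing is set (the '"" 1;' map entry)."""
    if origin == "":
        return 1 if allow_missing else 0
    return 1 if any(p.match(origin) for p in patterns) else 0


# Constructed sample origins with the decision the whitelist should reach.
SAMPLES = {
    "https://www.tripwolf.com": 1,
    "https://www.tripwolf.com.attacker.example": 0,  # loose pattern admits this
    "http://test.com": 0,                            # the curl reproduction
    "https://dmp.finerice.cn": 1,
    "http://": 0,                                    # loose pattern admits this
    "": 1,                                           # same-origin / non-CORS
}


def compare():
    """Return (origin, loose_decision, strict_decision, expected) rows."""
    return [(o, allow_cors(o, LOOSE), allow_cors(o, STRICT), e)
            for o, e in SAMPLES.items()]


if __name__ == "__main__":
    for origin, loose, strict, expected in compare():
        flag = "" if strict == expected else "  <-- mismatch"
        label = origin or "(no Origin header)"
        print(f"{label:45} loose={loose} strict={strict} expected={expected}{flag}")
```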
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
