Challenge - 5 Problems
CORS Configuration Master
💻 Command Output
Difficulty: intermediate (time limit 2:00)
What is the effect of this nginx CORS configuration?
Given this nginx snippet, what will be the value of the Access-Control-Allow-Origin header in the response?

location /api/ {
    add_header Access-Control-Allow-Origin "https://example.com";
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
    if ($request_method = OPTIONS) {
        add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range";
        add_header Access-Control-Max-Age 1728000;
        add_header Content-Type "text/plain; charset=UTF-8";
        add_header Content-Length 0;
        return 204;
    }
}
💡 Hint
Remember that add_header outside if applies to all requests unless overridden.
Explanation
The add_header directive outside the if block applies to all requests matching /api/. The if block only adds headers for OPTIONS requests but does not remove the Access-Control-Allow-Origin header set outside.
❓ Configuration
Difficulty: intermediate (time limit 2:00)
Which nginx config snippet correctly allows CORS from any origin?
Select the nginx configuration that correctly sets CORS headers to allow any origin to access resources.
💡 Hint
The header name and value must be quoted properly and the 'always' flag ensures headers are added on all response codes.
Explanation
Option A correctly quotes the header name and value and uses 'always' to ensure the header is added even on error responses. Options A and C are invalid syntax. Option A misses the 'always' flag, so the header may not be added on some responses.
❓ Troubleshoot
Difficulty: advanced (time limit 2:00)
Why does this nginx CORS config fail to allow credentials?
This nginx config snippet is intended to allow CORS with credentials, but browsers still block requests. Why?
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Credentials "true";
💡 Hint
Check the CORS specification about credentials and allowed origins.
Explanation
The CORS specification forbids using '*' as Access-Control-Allow-Origin when Access-Control-Allow-Credentials is true. The origin must be explicit.
🔀 Workflow
Difficulty: advanced (time limit 2:00)
What is the correct order to configure CORS in nginx for a REST API?
Arrange these steps in the correct order to properly configure CORS in nginx for a REST API.
💡 Hint
Think about what headers must be sent always and what response is needed for preflight.
Explanation
First set the origin header to allow the client. Then handle OPTIONS preflight with 204. The methods and headers allowed must be declared in headers sent for preflight and actual requests.
✅ Best Practice
Difficulty: expert (time limit 3:00)
Which nginx CORS configuration is best practice for security and flexibility?
Choose the nginx configuration snippet that follows best practices for CORS by allowing only specific origins dynamically and supporting credentials.
💡 Hint
Dynamic origin matching with a regex and conditional headers is more secure than a wildcard.
Explanation
Option D uses a regex to allow only trusted origins dynamically and sets credentials properly. Option D uses a wildcard origin with credentials, which is disallowed. Option D allows any origin dynamically without restriction, which is insecure. Option D disables credentials and restricts access to one origin, which is less flexible.