Public Read-only Gateway XSS Mitigation

thesoulkiller · March 20, 2022, 6:06pm

Hello there,

I have a public ipfs read-only gateway node, which I’m using for serving only the static files like json/jpg/mp4.
I’ve read about the possibility of XSS attacks on my public gateway so my users may be affected from it.
I’ve looked into Address IPFS on the Web | IPFS Docs
but I think I don’t need subdomain gateways to mitigate the issue because I’m not hosting any web applications or websites from my gateway.

My current node configuration is like this but I can’t be sure if I’m doing it right.

  "Gateway": {
    "HTTPHeaders": {
      "Access-Control-Allow-Headers": [
        "X-Requested-With",
        "Range",
        "User-Agent"
      ],
      "Access-Control-Allow-Methods": [
        "GET"
      ],
      "Access-Control-Allow-Origin": [
        "https://ipfs.io"
      ]
    },
    "RootRedirect": "",
    "Writable": false,
    "PathPrefixes": [],
    "APICommands": [],
    "NoFetch": true,
    "NoDNSLink": false,
    "PublicGateways": {
      "dweb.link": {
        "UseSubdomains": true,
        "Paths": ["/ipfs", "/ipns"]
      }
    }
  },

Any clarification in this topic would be helpful.
Thanks !

Jorropo · March 20, 2022, 6:18pm

At this point, XSS isn’t even an issue.

If you aren’t hosting any app on the gateway I guess that mean you are only serving static files.
And gateways does not allow registering web workers that could modify the content, so the static files can’t be touched by the xss.
In other words, is an xss that can do nothing an issue ? (no it isn’t)

If you are using it to host an app, you are right, you need a subdomain based one.

thesoulkiller · March 20, 2022, 6:29pm

Thank you !
But how can I ensure that I’m only serving the static files in my local storage ?
Not some other CID from let’s say malicious IPFS node

Jorropo · March 20, 2022, 6:33pm

You can use the no fetch option in the config.

That means the IPFS gateway will only serve files present in it’s datastore and not download from the IPFS network (that require you to pin the files first, else they wont be present and it would fail).

thesoulkiller · March 20, 2022, 6:53pm

I understand thank you.

Just to understand correctly, if I were to serve files from another nodes then I should enforce site isolation. Let’s say I’ve registered my gateway at mypublicgateway.com and serving content at mypublicgateway.com/ipfs/<CID> path. In this case I just have to add the following to my gateway configuration, right ?

Gateway.PublicGateways '{
    "http://mypublicgateway.com": {
      "UseSubdomains": true,
      "Paths": ["/ipfs"]
    }
  }'

Jorropo · March 20, 2022, 9:46pm

I don’t know the details, I do everything using reverse proxy rewriting on my gateway.

xsukax · October 4, 2022, 2:54pm

Thank you … it’s a helpful topic

Topic		Replies	Views
What can be done to prevent XSS attacks against IPFS sites? Old FAQ	12	1070	May 23, 2017
Addressing IPFS gateways through a common URL Ecosystem	7	694	October 24, 2018
Public Gateway Operator Guide Help	10	2490	September 9, 2017
Can an ipfs gateway also be used to host a website?	3	175	January 15, 2024
Subdomain gateway's awareness of content-addressed relative URLs Ecosystem ipns , http-gateway , browsers	0	532	September 25, 2021

Public Read-only Gateway XSS Mitigation

Related Topics