
I have a simple secure same-site, cross-origin setup like:

Frontend: https://www.example.com
API: https://api.example.com

On both domains we use SSL certificates issued by Amazon (AWS ACM).

Some of our customers have Bitdefender Total Security installed, which blocks API calls to our own API, even a simple GET call that doesn't involve any fancy credentials/cookies exchange.

I found out that Bitdefender removes the access-control-allow-origin header in the actual XHR request; the OPTIONS call to the API still has the header correctly.

When I disable the feature "Online Threat Prevention's Web Protection > Encrypted Web Scan" in Bitdefender and restart Chrome, it's working as expected and the GET call to the API correctly returns access-control-allow-origin=https://www.example.com

The issue is also not happening if the API is on the same domain, like https://www.example.com/api, which suggests that this is also a CORS-related behaviour of Bitdefender.

Reading the description of this feature I thought maybe Bitdefender doesn't like our certificates, and I replaced our AWS certs with Let's Encrypt certs; not even a wildcard cert; still the same issue.

I also noticed that Bitdefender replaces our cert with their own local cert, to act as a man-in-the-middle, probably to scan the requests, I suppose.

What I don't understand is that for example www.imdb.com has a similar setup with their api.graphql.imdb.com and they also use AWS Certs.

But for some reason their certificates don't get replaced and their access-control-allow-origin header doesn't get removed in their API requests.

The only difference I could spot so far between us and IMDB is that they use TLS 1.3 in their requests and we use TLS 1.2 (via AWS API Gateway).

The online help I found so far only suggests asking the customer to switch off that feature in Bitdefender on their side, which I find hard to accept if this kind of setup works for IMDB (well, maybe they are whitelisted by Bitdefender).

I also reported it to Bitdefender as a "False Positive" threat identification, but nothing came back from that.

Any other ideas what I can look for?

1 Answer


The Bitdefender team was very helpful. It turned out that when Bitdefender is active it downgrades to the HTTP/1.1 protocol. Our server did not return the "Access-Control-Allow-Origin" header for HTTP/1 but only for HTTP/2. I could easily debug this even without Bitdefender by using curl with the --http1.1 flag active, or starting Chrome with --disable-http2. We are using AWS API Gateway in our setup, and after some more googling I found out that AWS is parsing the request headers slightly differently for HTTP/1.

headers.Origin vs. headers.origin

We are using the origin value to create the correct response headers, and because we were expecting lowercase we basically couldn't find the value. Yes, just one letter, which took me days. By simply adding this fallback it worked:

const origin = headers["origin"] || headers["Origin"];

Thanks Bitdefender for the hint!
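The header-casing pitfall the answer describes, shown as an added example that is not the answerer's code: a small Lambda-proxy-style handler (the event shape and the allow-list are assumptions for illustration) that looks the Origin header up case-insensitively, so it behaves the same whether the request arrives as HTTP/2 (lowercase names) or HTTP/1.1 (as-sent "Origin"), and only echoes back origins from an explicit allow-list.

```javascript
// Added example, not part of the original question or answer.
// Constructed allow-list of origins permitted to read the API cross-origin.
const ALLOWED_ORIGINS = new Set([
  "https://www.example.com",
]);

// Look a header up regardless of the casing the client or proxy used.
// HTTP/2 mandates lowercase header names; HTTP/1.1 clients (including the
// downgraded path described in the answer) commonly send "Origin".
function getHeader(headers, name) {
  if (!headers) return undefined;
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Build CORS response headers. Only an exact allow-list match is echoed back;
// a missing or unknown origin gets no Access-Control-Allow-Origin at all
// (rather than "*"), so the browser refuses the cross-origin read.
function corsHeaders(requestHeaders) {
  const origin = getHeader(requestHeaders, "Origin");
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    // Tell caches the response depends on Origin so a header issued for one
    // origin is never served from cache to another.
    "Vary": "Origin",
  };
}

// Handler in the shape of an API Gateway Lambda proxy integration event
// (assumed shape: { httpMethod, headers }).
function handler(event) {
  const cors = corsHeaders(event.headers);
  if (event.httpMethod === "OPTIONS") {
    // Preflight: no body, just the CORS grant plus allowed methods/headers.
    return {
      statusCode: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": "GET, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
      },
      body: "",
    };
  }
  // Actual request: same CORS headers must be present here too, which is
  // exactly what was missing on the HTTP/1.1 path in the answer.
  return {
    statusCode: 200,
    headers: { ...cors, "Content-Type": "application/json" },
    body: JSON.stringify({ ok: true }),
  };
}
```

To confirm a deployment handles both paths, repeat the answer's check from the command line: send the same GET with curl once normally and once with --http1.1, each with an Origin header set to the frontend's origin, and compare the Access-Control-Allow-Origin header in the two responses; they should be identical. The Vary: Origin header is an added defensive detail beyond what the answer shows.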