izolate

Reputation: 1600

Is Access-Control-Allow-Origin: * unsafe?

My application's backend is an API serving JSON content. I've found the need to apply the following Response Header so that it allows requests from anywhere:

Access-Control-Allow-Origin: *

Is this unsafe?

How else do you create a public API without running into the restricted cross-domain origin policy? I need to allow both GET and POST requests to my API endpoints.

Upvotes: 2

Views: 852

Answers (1)

Explosion Pills

Reputation: 191729

Using * for Access-Control-Allow-Origin is practically a necessity if you want to expose your API. It is inherently insecure, and even specifying domains can cause problems because it would be simple for someone to spoof the Origin header getting around your whitelist anyway.

In other words, using * is not much less secure than whitelisting domains.

Instead, you need to make sure that you have other security measures in place to make sure that requests are properly authorized as needed -- especially write requests.

Upvotes: 4
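To make the answer's point concrete, here is an added example (not code from the question or the answer) that computes the CORS headers a JSON API would return under the two policies discussed: a public `*` policy and an allowlist policy, plus the separate bearer-token check that actually authorizes writes. The origin `https://app.example.com` and the token value are assumed placeholders.

```javascript
// Added example (not from the question or answer): computing CORS response
// headers for a JSON API under two policies, to show what "*" does and does
// not protect. Pure function, so it runs without a web server.

// Public, unauthenticated API: "*" is fine. Browsers refuse to combine "*"
// with Access-Control-Allow-Credentials: true, so cookies are never sent
// cross-origin and the API must authenticate with an explicit header instead.
const PUBLIC_POLICY = { allowAnyOrigin: true, allowCredentials: false };

// Allowlisted origins (assumed example hostname). The allowlist only governs
// what browsers let pages read; any non-browser client can send an arbitrary
// Origin header, so it is not an authorization control.
const ALLOWLIST_POLICY = {
  allowAnyOrigin: false,
  allowCredentials: true,
  origins: new Set(['https://app.example.com']),
};

function corsHeaders(req, policy) {
  const origin = req.headers['origin'];
  const headers = {};
  if (policy.allowAnyOrigin) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (origin && policy.origins.has(origin)) {
    // Echo only an allowlisted origin, and tell caches the answer varies by Origin.
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin';
    if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  } else {
    return headers; // unknown origin: no CORS headers, so the browser blocks the read
  }
  // Preflight (OPTIONS) for the POST-with-JSON case the question asks about.
  if (req.method === 'OPTIONS') {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// The "other security measures" the answer refers to: a bearer token checked on
// every write, independent of Origin. The token value is a constructed placeholder.
const VALID_TOKENS = new Set(['example-token-123']);
function isAuthorized(req) {
  const auth = req.headers['authorization'] || '';
  return auth.startsWith('Bearer ') && VALID_TOKENS.has(auth.slice(7));
}
```

With `*`, a browser never attaches cookies, so an attacker's page can read only what any anonymous client could already fetch; the token check is what protects writes.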
