 

Is CORS considered bad practice?

Tags: ajax, cors

We are integrating two systems in an intranet, using CORS as a means of making AJAX calls across the two domains.

Is this considered bad practice? Is CORS in general considered bad practice?

SStBC asked Nov 23 '13 15:11



1 Answer

CORS isn’t bad practice. It is supported on all major browsers, and more and more APIs are supporting it. In fact, if you have a public resource that is not behind a firewall, it is safe to put the Access-Control-Allow-Origin: * header on the resource.

But there is some confusion over the role of CORS on a server. CORS should only dictate the cross-origin policy for a particular resource. In other words, the CORS headers are only meant to indicate whether requests from different origins are allowed. I think the confusion comes in because servers sometimes use CORS to dictate security policy as well. CORS is not security. If servers have resources that need to be protected from certain users, it is not safe to rely solely on the Origin header to enforce this. Your server needs some other mechanism for security (such as OAuth2 and CSRF protection).

monsur answered Oct 24 '22 03:10
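The separation the answer describes, as an added example that is not part of the original answer: the CORS decision (which origins may read a resource from a browser) is kept apart from authorization (whether the caller may have the resource at all). The intranet origin names, `scope` field and `session` object are constructed for the example.

```javascript
// Added example: server-side CORS decision kept separate from authorization.
// The origins below are constructed intranet hostnames, not real systems.
const ALLOWED_ORIGINS = new Set([
  "https://crm.intranet.example",
  "https://billing.intranet.example",
]);

// Decide CORS response headers for one resource.
// Public resource: any origin may read it, so "*" is fine. Note that the
// wildcard cannot be combined with Access-Control-Allow-Credentials.
// Private resource: reflect the Origin only if it is on the allow-list, and
// send Vary: Origin so a shared cache never serves one origin's headers to
// another. Never reflect an arbitrary Origin together with credentials.
function corsHeadersFor(origin, isPublic) {
  if (isPublic) {
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  }
  // Unknown origin: no CORS headers at all; the browser refuses the read.
  return {};
}

// Authorization is a separate step that does not look at Origin.
// `session` stands in for a session or token the server has already validated.
function isAuthorized(session, resource) {
  if (!session || !session.valid) return false;
  return session.scopes.includes(resource.scope);
}

// Combine the two: the CORS headers say who may read the response from a
// browser page; the status code says whether this caller may have it at all.
// An allow-listed Origin on its own never grants access to a private resource.
function handleRequest(req, resource) {
  const headers = corsHeadersFor(req.origin, resource.isPublic);
  if (!resource.isPublic && !isAuthorized(req.session, resource)) {
    return { status: 403, headers, body: null };
  }
  return { status: 200, headers, body: resource.body };
}
```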