DEV Community

Discussion on: How CORS (Cross-Origin Resource Sharing) Works?

Ari Kalfus

Maybe add a note to the article about how dangerous origin: "*" is outside of an example snippet?

Deepak Kumar

Hi Ari,

Thanks for your suggestion. Sure, I will add that. I know it's a dangerous practice to use origin: * in production; I just meant to describe how it works.

Really appreciate your reply!

ColombaSeppe

Could you please explain how to fix this and why this is dangerous?

Seng

If you're allowing origin: * in production, you're literally allowing any script from any domain to call your server. A malicious user could then write a malicious script and hijack your system's data security.

The way to fix it is simple: just list the domains that you would like to whitelist instead of using the * wildcard. If you list the domains instead of using the wildcard, your server will only allow CORS for the whitelisted domains and reject the others that are not in the list.

Hope it helps. :)

Ari Kalfus

Seng is right. I'll add that Access-Control-Allow-Origin is only allowed to be a * for unauthenticated requests. The browser will ignore Access-Control-Allow-Credentials: true if your allow-origins header is set to a wildcard. However, this leaves you open to distributed brute force login attacks. The right thing to do would be to check the Referer/Origin header against a known whitelist of sites you allow to access, and set your Access-Control-Allow-Origin header accordingly.