re: Is it safe to use Google APIs from Client-Side Javascript 🤔 ❓

re: I wouldn't use SECRETS on the Client-Side since they risk being exposed to the end-users. You can write a wrapper in a Back-End stack like nodejs, c#, etc...
 

so people can't bypass CORS from Postman and such things.

Unfortunately they can be bypassed:

medium.com/netscape/hacking-it-out...

In my case, I forked the repo and added a configuration option that allows you to spoof the Origin header, which defaults to true. You can check it out here. I also hosted this on Heroku as cors-escape.herokuapp.com (nothing to see there 😀).

So basically you cannot spoof it directly with JavaScript in the browser, but you can do it programmatically.

Regarding Postman, I am not aware whether or not it allows faking the Origin header.

The lesson to take from here is that CORS is good protection on the browser side, but it is not that hard to bypass.

The WHO vs WHAT Is Accessing the API Server

A usual misconception among developers is WHO vs WHAT is accessing the API server.

For a better understanding of the difference between WHO vs WHAT is accessing your API server, I recommend you read this section of my article, but I will extract some lines of it here:

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

Without going into more detail, I want to say that any API server will have a hard time figuring out the WHAT bit, which will misuse and abuse WHO the API server thinks it is talking with.
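To make the point of this reply concrete, here is an added example (not code from the thread or from any of its participants) of a small Node-style request handler: the CORS allowlist exists only for the browser's benefit, while access to the API is decided by a bearer token. `ALLOWED_ORIGINS`, `VALID_TOKENS` and `handleRequest` are assumed names, and the token store is constructed sample data.

```javascript
// Added example: CORS is a browser-side control, authentication is the API's control.
// Assumed names; VALID_TOKENS is a constructed stand-in for real token validation.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const VALID_TOKENS = new Map([["tok-abc123", "alice"]]); // constructed sample data

function corsHeaders(origin) {
  // CORS only tells a *browser* whether the page may read the response.
  // The Origin header is set by the client, so any non-browser client can send
  // whatever value it likes: matching the allowlist says nothing about WHAT
  // is calling, it only decides whether a browser page gets to see the reply.
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  }
  return {};
}

function authenticate(headers) {
  // Establishes WHO is calling; the token, not the Origin, is what is checked.
  const match = /^Bearer (\S+)$/.exec(headers.authorization || "");
  if (!match) return null;
  return VALID_TOKENS.get(match[1]) || null;
}

function handleRequest(req) {
  // Normalise header names so lookups are case-insensitive, like real servers.
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
  const cors = corsHeaders(headers.origin);
  if (req.method === "OPTIONS") {
    // Preflight: answer the browser's CORS question, nothing more.
    return { status: 204, headers: cors, body: "" };
  }
  const user = authenticate(headers);
  if (!user) {
    // An allowed Origin alone never grants access; without a valid token the
    // request is rejected no matter what the Origin header claims.
    return { status: 401, headers: cors, body: JSON.stringify({ error: "unauthorized" }) };
  }
  return { status: 200, headers: cors, body: JSON.stringify({ hello: user }) };
}
```

A request carrying a spoofed but allowlisted Origin still ends in a 401 without a token, which is exactly why the reply above says CORS must not be the thing that protects the API.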

 

I know we can bypass CORS from tools like Postman since it is browser-based protection only, so I wanted to say to add authentication since CORS will be bypassed by other means of making calls. Maybe my framing of the sentence made you think I was saying CORS can't be bypassed.

Maybe my framing of the sentence made you think I was saying CORS can't be bypassed

Yes, it made me think that you believed CORS was enough to protect the API.
