DEV Community


Discussion on: Is it safe to use Google APIs from Client-Side Javascript πŸ€” ❓

exadra37 profile image
Paulo Renato • Edited

so people cant bypass CORS from postman and such things.

Unfortunately they can be bypassed:

In my case, I forked the repo and added a configuration option that allows you to spoof the Origin header, which defaults to true. You can check it out here. I also hosted this on Heroku as (nothing to see there πŸ˜€).

So basically you cannot spoof it directly with JavaScript in the browser, but you can do it in a programmatically way.

Regarding Postman I am not aware if it allows or not to fake the origin header.

The lesson to take from here is that the CORS is a good protection on the browser side but not that hard to bypass.

The WHO vs WHAT Is Accessing the API Server

A usual misconception among developers it's WHO vs WHAT is accessing the API server.

For a better understanding off the difference between WHO vs WHAT is accessing your API server, I recommend you to read this section of my article, but I will extract here some lines of it:

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

Without going into more detail, I want to say that any API server will have a hard time to figure out the WHAT bit, that will misuse and abuse of WHO the API server thinks is talking with.

vamsikrish profile image
Vamsi Krishna • Edited

I know we can bypass CORS from tools like postman since it is browser based protection only so I wanted to say to add authentication since cors will be bypassed from other means of making calls. Maybe my framing of sentence made you think I was saying cors can’t be bypassed

Thread Thread
exadra37 profile image
Paulo Renato

Maybe my framing of sentence made you think I was saying cors can’t be bypassed

Yes, it made me thought that you believed that CORS was enough to protect the API.

Forem Open with the Forem app