DEV Community

Discussion on: What was your win this week?

Owen Rubel • Edited

This week, I...

realized that everyone is using CORS wrong in that they have a single 'allowedOrigins' group that allows access to all endpoints.

This does not take into consideration public endpoints vs private endpoints and is just allowing all those origins through to EVERYTHING.

I solved this with networkGroups. This allows me to create 'public', 'private', 'admin', etc. and associate 'allowedOrigins' with each.

I can then also associate endpoints with said groups to make sure allowedOrigins aren't just getting a blank check for access.

apichaining.blogspot.com/
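The per-group policy described in the comment above, as an added illustration that is not the author's networkGroups implementation or code from the linked project. The group names, endpoint paths and origins are constructed for the example; the "global" function shows the single-allowedOrigins behaviour the comment objects to, beside a lookup that checks the origin only against the network group the requested endpoint belongs to.

```python
"""Per-endpoint CORS origin policy ("network groups") versus one global list.

Added example, not the commenter's code. Every group, endpoint and origin
below is constructed for illustration.
"""

from typing import Optional

# Constructed policy: each network group carries its own allowedOrigins.
# An origin trusted for public endpoints gets no automatic right to call
# private or admin ones.
NETWORK_GROUPS = {
    "public":  {"https://www.example.com", "https://partner.example.org"},
    "private": {"https://app.example.com"},
    "admin":   {"https://admin.example.com"},
}

# Each endpoint is assigned to exactly one network group.
ENDPOINT_GROUPS = {
    "/api/catalog": "public",
    "/api/orders":  "private",
    "/api/users":   "admin",
}

# The common setup the comment criticises: one origin list for everything.
GLOBAL_ALLOWED_ORIGINS = set().union(*NETWORK_GROUPS.values())


def cors_global(origin: str, path: str) -> Optional[str]:
    """Single allowedOrigins list. Returns the Access-Control-Allow-Origin
    value to emit, or None. The endpoint being called is never consulted,
    so a partner origin trusted for the catalog is also let through to
    /api/users."""
    return origin if origin in GLOBAL_ALLOWED_ORIGINS else None


def cors_by_network_group(origin: str, path: str) -> Optional[str]:
    """Resolve the endpoint's network group, then check the origin against
    that group's allowedOrigins only. Returns the header value to emit, or
    None when no CORS header should be sent (the browser then blocks the
    cross-origin read)."""
    group = ENDPOINT_GROUPS.get(path)
    if group is None:
        return None  # endpoint not mapped to any group: default deny
    if origin in NETWORK_GROUPS[group]:
        return origin  # echo the exact matching origin, never "*"
    return None


def cors_response_headers(origin: str, path: str) -> dict:
    """Headers to attach to the response for this origin/path pair.
    'Vary: Origin' is always set because the answer depends on the
    Origin header and must not be served from a shared cache to another
    origin."""
    headers = {"Vary": "Origin"}
    allowed = cors_by_network_group(origin, path)
    if allowed is not None:
        headers["Access-Control-Allow-Origin"] = allowed
    return headers


if __name__ == "__main__":
    # Partner origin asking for an admin endpoint: global list says yes,
    # network-group policy says no.
    print(cors_global("https://partner.example.org", "/api/users"))
    print(cors_by_network_group("https://partner.example.org", "/api/users"))
    print(cors_response_headers("https://app.example.com", "/api/orders"))
```

The comparison is exact string equality on the scheme+host+port of the Origin header; substring or regex matching of origins is a separate, common CORS mistake and is deliberately not done here.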