This week, I...
realized that everyone is using CORS wrong in that they have a single 'allowedOrigins' group that allows access to all endpoints.
This does not take into consideration public endpoints vs private endpoints and is just allowing all those origins through to EVERYTHING.
I solved this with networkGroups. This allows me to create 'public','private','admin',etc and associate 'allowedOrigins' for each.
I can then also associate endpoints to said groups to make sure allowedOrigins aren't just getting a blank check for access.
apichaining.blogspot.com/
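The per-group CORS idea in the comment above, as an added illustration that is not the commenter's code or the apichaining project's code. The `networkGroups` config shape, the `groupForPath` and `corsHeadersFor` function names, and the origins and path prefixes are all assumed, constructed sample values; the point it shows is that each endpoint group carries its own `allowedOrigins`, unmapped paths get no CORS headers at all, and origins are matched exactly rather than by prefix or regex.

```javascript
// Added illustration of per-group CORS allow-lists (not the original author's code).
// Assumed config shape: each network group names its allowed origins and the
// path prefixes it covers. Origins and paths are constructed sample values.
const networkGroups = {
  // Public endpoints: any origin may read them (wildcard, so no credentials).
  public: { allowedOrigins: ['*'], paths: ['/api/public/'] },
  // Private endpoints: only the first-party app origin.
  private: { allowedOrigins: ['https://app.example.com'], paths: ['/api/private/'] },
  // Admin endpoints: only the admin console origin.
  admin: { allowedOrigins: ['https://admin.example.com'], paths: ['/api/admin/'] },
};

// Find the group whose path prefix matches the request path (longest prefix wins).
// Returns null for paths not assigned to any group, so an unmapped endpoint gets
// no CORS headers rather than inheriting the widest allow-list.
function groupForPath(path) {
  let best = null;
  let bestLen = -1;
  for (const [name, group] of Object.entries(networkGroups)) {
    for (const prefix of group.paths) {
      if (path.startsWith(prefix) && prefix.length > bestLen) {
        best = name;
        bestLen = prefix.length;
      }
    }
  }
  return best;
}

// Compute the CORS response headers for one request. Origins are compared as
// exact strings, and a wildcard group answers with '*' instead of echoing the
// caller's origin, so credentials can never ride along with the wildcard.
function corsHeadersFor(path, origin) {
  const name = groupForPath(path);
  if (name === null || typeof origin !== 'string') return {};
  const { allowedOrigins } = networkGroups[name];
  if (allowedOrigins.includes('*')) {
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (allowedOrigins.includes(origin)) {
    // Echo the exact allowed origin and tell caches the answer depends on it.
    return { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  }
  return {};
}

// Stand-alone demo over constructed requests.
const sampleRequests = [
  ['/api/public/status', 'https://anything.example'],
  ['/api/private/me', 'https://app.example.com'],
  ['/api/private/me', 'https://admin.example.com'],
  ['/api/admin/users', 'https://admin.example.com'],
  ['/metrics', 'https://app.example.com'],
];
for (const [path, origin] of sampleRequests) {
  console.log(path, origin, '->', corsHeadersFor(path, origin));
}
```

In a real server this function would run once per request (and for preflight) to set the response headers; the denial branches return an empty object so that the browser, not the server, refuses the cross-origin read.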