Discussion on: Avoiding CORS errors on localhost (in 2020)

Pacharapol Withayasakpunt • Edited
  1. What actual security risks on localhost do you have to accept if you disable CORS?
  2. About cors-anywhere, you mean if I need to consume public APIs, right? It makes no sense to send data from localhost to online otherwise.
    • Indeed, another option is to open your own Express server, with node-fetch or axios consuming public APIs. There is no CORS on the server side.
    • I don't think you should proxy your Express server with cors-anywhere; instead, set up a proxy properly in webpack-dev-server.
Andy Potts • Edited

Good points, I should have made this more clear in my post.

  1. If you're developing on localhost using APIs you know and trust, there are no security risks. If you're browsing the web with CORS disabled, you're potentially leaving yourself open to attacks.

  2. Yes, if you're consuming public APIs. The cors-anywhere public demo was supposed to be a quick alternative solution. You might be right about adding a proxy within webpack-dev-server, I'll take a look at that as a third option!
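
The server-side approach from the first comment, as an added example that is not part of the thread: a dependency-free Node 18+ proxy (plain `http` rather than Express) that binds to loopback, forwards only to one fixed upstream, and lets a single dev origin read the responses. `UPSTREAM`, `DEV_ORIGIN`, the `/api/` prefix, the port and the `START_PROXY` variable are assumptions.

```javascript
// Added example, not from the thread. Node 18+ (global fetch), no dependencies.
// UPSTREAM, DEV_ORIGIN, the /api/ prefix and START_PROXY are assumptions.
const UPSTREAM = new URL("https://api.example.com"); // placeholder public API
const DEV_ORIGIN = "http://localhost:3000";          // the one front-end origin allowed
const PREFIX = "/api/";

// Map a request path to an upstream URL, or null to refuse. The caller never
// picks the destination host, which is what separates this from an open relay.
function resolveUpstream(reqUrl) {
  if (typeof reqUrl !== "string" || !reqUrl.startsWith(PREFIX)) return null;
  try {
    const target = new URL(reqUrl.slice(PREFIX.length), UPSTREAM.origin + "/");
    return target.origin === UPSTREAM.origin ? target : null;
  } catch {
    return null; // unparsable URL
  }
}

async function handle(req, res) {
  const target = resolveUpstream(req.url);
  if (!target) return res.writeHead(404).end();
  if (req.method !== "GET") return res.writeHead(405).end();
  try {
    // The request is made server-side, so the browser's CORS checks do not apply to it.
    const upstream = await fetch(target, { redirect: "error" });
    const body = Buffer.from(await upstream.arrayBuffer());
    res.writeHead(upstream.status, {
      "content-type": upstream.headers.get("content-type") || "application/octet-stream",
      // Only the dev front end may read responses; a wildcard is not used.
      "access-control-allow-origin": DEV_ORIGIN,
    });
    res.end(body);
  } catch {
    res.writeHead(502).end();
  }
}

async function start(port = 8080) {
  const http = await import("node:http"); // dynamic import works in CJS and ESM
  // Loopback only: other machines on the network cannot reach the proxy.
  return http.createServer(handle).listen(port, "127.0.0.1");
}

if (process.env.START_PROXY === "1") start();
```

Run it with `START_PROXY=1 node proxy.js` and point the front end at `http://127.0.0.1:8080/api/...`; the browser's same-origin policy stays enabled throughout.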