re: Understanding CORS

re: Do we need CSRF protection if CORS is disabled (now allowed from other domains)? For me it seems logical that there is no need for CSRF protection if CORS...
 

You should protect against CSRF on any inputs that can change state imo.

 
  • CSRF is Cross-site request forgery
  • CORS is Cross-origin resource sharing

If no one from another origin is able to make requests to your site (CORS disabled),
then CSRF is redundant imo.

But that's not what CORS does. Re-read the warning in the article.
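
The distinction in the last reply, as an added example that is not part of the thread or the article: a constructed model of a server handler in which no origin is ever allowed by CORS, run once without and once with a CSRF token check. The handler, session values and hostnames are hypothetical, and it assumes the browser attaches the session cookie to a cross-site form POST (for example a `SameSite=None` cookie).

```javascript
// Added example: constructed model of a server handler, not code from the thread.
const ALLOWED_ORIGINS = new Set(); // "CORS disabled": no foreign origin is allowed

// Constant-time comparison of the submitted CSRF token with the session's token.
function tokenMatches(sent, expected) {
  if (typeof sent !== "string" || sent.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= sent.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

function makeApp({ csrfProtection }) {
  const state = { email: "owner@site.example" };
  // Constructed fixed values; a real token is random and bound to the session.
  const session = { id: "session-1", csrfToken: "constructed-token-0001" };

  function handle(req) {
    const headers = {};
    // CORS only adds response headers that tell the browser whether the calling
    // page may READ the response. It does not stop the request being processed.
    if (ALLOWED_ORIGINS.has(req.origin)) {
      headers["Access-Control-Allow-Origin"] = req.origin;
    }
    if (req.cookie !== session.id) return { status: 401, headers };
    if (csrfProtection && !tokenMatches(req.body.csrf, session.csrfToken)) {
      return { status: 403, headers };
    }
    state.email = req.body.email; // the state change CSRF protection guards
    return { status: 200, headers };
  }
  return { handle, state, session };
}

// Constructed request: an HTML form POST from another site. It is a "simple"
// request, so the browser sends it without a CORS preflight. Assumption: the
// session cookie is attached. The other site cannot know the CSRF token.
function crossSiteFormPost(app) {
  return app.handle({ method: "POST", origin: "https://other.example",
    cookie: app.session.id, body: { email: "changed@other.example" } });
}

// Constructed request: the site's own form, which embeds the session's token.
function sameSiteFormPost(app) {
  return app.handle({ method: "POST", origin: "https://site.example",
    cookie: app.session.id,
    body: { email: "new@site.example", csrf: app.session.csrfToken } });
}
```

Without the token check the cross-site POST changes state even though the response carries no `Access-Control-Allow-Origin` header; with the check it is rejected while the site's own form still works.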
