
Is it safe to do app.use(cors()) only? I am using the cors package from npm.

Or should anything be configured keeping security in mind?

I am building an Express API that is used for:

  • fetching data through GET requests to API endpoints.
  • signup and login functionality
  • sending an API key through headers (will be implemented)

What should be the ideal CORS configuration for this API considering security?

I understand there is a lot of material on CORS on the internet, but I cannot find anything that specifically tells about configuring CORS without compromising security.

  • This is a good start (more on the offensive side): https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties – jub0bs Feb 24 '22 at 09:52
  • @jub0bs Can you help me with the configuration – Curious Learner Feb 24 '22 at 09:53
  • @jub0bs I am asking the question from a programmer's point of view... how to implement them in cors... – Curious Learner Feb 24 '22 at 09:54
  • Enabling CORS with a wildcard allows JavaScript from any web page in the world to access your server. Whether or not that is a security problem depends upon your specific situation (which is not something that is explained here such that we can offer any ideas on that). – jfriend00 Feb 24 '22 at 11:02
  • @jfriend00 I posted the question as this https://stackoverflow.com/questions/71247652/how-to-set-cors-header-on-my-api-server-to-allow-requests-from-localhost was closed. Please refer to this for more specific needs – Curious Learner Feb 25 '22 at 10:49
  • A question needs to stand on its own and not rely on reading some other question to understand it. I stand by my previous comment that a CORS wildcard allows JavaScript in a web page from any domain to access your API. If that's fine with you, then that's not a security issue. If that's not fine with you, then it's a security issue. That is entirely up to you what you want to allow or prevent. – jfriend00 Feb 25 '22 at 15:26

0 Answers
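Since the question has no answers, here is an added example (not from the question, its comments, or the cors package itself) of the explicit configuration the comments point at: an exact-match origin allowlist instead of the default wildcard, in the option shape the cors package accepts. The two origins, the `X-API-Key` header name and the route are assumptions.

```javascript
// Added example: an explicit CORS policy for an Express API instead of the
// permissive app.use(cors()), which answers every Origin with "*".
// ALLOWED_ORIGINS and the route below are constructed values for illustration.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // assumed production front-end
  'http://localhost:3000',     // assumed local development front-end
]);

// Exact string match only: no regexes, no endsWith(), no echoing the Origin
// header back, and never the literal "null" (sandboxed frames/file: pages send it).
function isAllowedOrigin(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Options in the shape the cors package accepts (origin callback, methods,
// allowedHeaders, credentials and maxAge are documented options).
const corsOptions = {
  origin(origin, callback) {
    // Same-origin, curl and server-to-server calls carry no Origin header;
    // CORS does not apply to them, and the API key check still protects them.
    if (origin === undefined) return callback(null, true);
    // A false decision makes the middleware send no Access-Control-Allow-Origin
    // header, so the browser withholds the response from the calling page.
    return callback(null, isAllowedOrigin(origin));
  },
  methods: ['GET', 'POST'],
  allowedHeaders: ['Content-Type', 'X-API-Key'], // assumed API key header name
  credentials: false,  // no cookies/sessions shared cross-origin for this API
  maxAge: 600,         // cache preflight results for 10 minutes
};

// Runs the origin callback the way the middleware would and returns its decision.
function originDecision(origin) {
  let allowed;
  corsOptions.origin(origin, (err, ok) => { allowed = !err && ok; });
  return allowed;
}

// Wiring kept in a function so this file loads without Express installed.
function createApp() {
  const express = require('express');
  const cors = require('cors');
  const app = express();
  app.use(cors(corsOptions));            // instead of app.use(cors())
  app.get('/api/items', (req, res) => res.json({ items: [] }));
  return app;
}
```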