
Showing posts from April 13, 2021

CORS Best Practices

Cross Origin Resource Sharing (CORS) best practices

Free for all

A common example is a website that displays content to the public, with nothing behind paywalls and nothing that requires authentication or authorization. Its resources can be served with Access-Control-Allow-Origin: *. The * value is a good choice when:

- No authentication or authorization is required
- The resource should be accessible to a wide range of users without restrictions
- The origins and clients that will access the resource are of great variety, you have no knowledge of them, or you simply don't care

Note that the wildcard cannot be combined with credentials: browsers refuse to expose a response that carries Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true, so a resource that needs cookies or an Authorization header must name the requesting origin explicitly instead.

Such a configuration becomes dangerous when the content is served on a private network (i.e. behind a firewall or VPN). When you are connected via a VPN, you have access to the files on the company's network:

[Figure: Oversimplification of VPNs]

Now, if an attacker hosts a website, dangerous.com, which contains a link to a file within the VPN, they can (in theory) create a script on their website th