  • Please note that CORS is not a security feature. Anybody could just decide to circumvent CORS by not using a browser. It's like a paper sign at the back door that says "Please come up front". It's nice, it's helpful, but you still need to bolt that door, because a paper sign won't stop a burglar. Commented May 18, 2021 at 6:02
  • @nvoigt I respectfully disagree. I could do all my online banking via curl and a command-line JavaScript engine, but I choose to do my online banking via an up-to-date browser instead. Why? Because browsers have built-in security features like Same-Origin Policy that help protect me. The fact that, yes, someone could attack the back with curl does not change the fact that I am choosing to use a browser and I am getting real protection from CORS. Commented May 18, 2021 at 14:04
  • But CORS only asks the server whether it would accept your call. Any malicious attacker would obviously set up a server to accept your call no matter what. And anybody attacking a server would not use a browser. So what exactly does CORS protect you against? Which attack vector is closed due to CORS? Commented May 18, 2021 at 14:07
  • @nvoigt Same-Origin Policy is actually what's protecting against, say, your billsblog.com tab attacking your banking tab -- either trying to make changes or read data. CSRF tokens also solve the same problem, but SOP works regardless of whether the server has CSRF tokens. CORS tells the browser when it's OK to weaken or ignore Same-Origin Policy, so technically CORS isn't protecting anything, but SOP is! Commented May 18, 2021 at 14:27
  • It seems to me that both the backend and the frontend are potentially vulnerable to CSRF attacks. So maybe you need protection in both? Commented Mar 25 at 20:00
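The point the thread circles around, shown as an added example (not code from any commenter): a simplified model of the two browser-side checks from the Fetch standard. The first decides whether a cross-origin request is "simple" and is sent without a preflight; the second is the Same-Origin Policy default deny that the CORS response headers relax, so it only governs whether script may read the response. The `billsblog.com` origin is from the thread; `bank.example` and the scenario headers are constructed.

```javascript
const SAFELISTED_CONTENT_TYPES = [
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
];
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// True when the request is "simple": the browser sends it to the backend
// immediately, cross-origin or not, with no OPTIONS preflight.
function isSimpleRequest(method, headers) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.includes(mime)) return false;
    }
  }
  return true;
}

// Whether script on pageOrigin may read a response from targetOrigin.
// Same-Origin Policy is the default deny; only the CORS headers the
// server chose to send can relax it (header names lower-cased).
function responseReadable(pageOrigin, targetOrigin, responseHeaders, withCredentials) {
  if (pageOrigin === targetOrigin) return true;          // same origin: SOP allows
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;           // server never opted in
  if (withCredentials) {
    // Credentialed responses may not use "*" and need the extra header.
    if (allowOrigin === "*") return false;
    if (responseHeaders["access-control-allow-credentials"] !== "true") return false;
  }
  return allowOrigin === "*" || allowOrigin === pageOrigin;
}

// Constructed scenario: billsblog.com POSTs a form to the bank with the
// victim's cookies. The request is simple, so it reaches the backend; the
// response stays unreadable, but any state change has already happened
// unless the backend checks a CSRF token or relies on SameSite cookies.
function csrfScenario() {
  const sent = isSimpleRequest("POST", { "Content-Type": "application/x-www-form-urlencoded" });
  const readable = responseReadable("https://billsblog.com", "https://bank.example",
    { "content-type": "application/json" }, true);
  return { requestReachesBackend: sent, responseReadableByAttacker: readable };
}
```

Run under Node; `csrfScenario()` returns `{ requestReachesBackend: true, responseReadableByAttacker: false }`, which is why the backend needs its own CSRF defence even though SOP protects the user's browser session.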