SANKALP HARITASH

José Pablo Ramírez Vargas
Apr 13, 2024

CORS is in no way a critical component of web security. If anything, CORS is a major pain for web developers. CORS does not prevent unauthorized access, does not prevent data breaches, and instead it bugs the web developers over nothing. Only web browsers respect CORS, because CORS' major fault is that it is a client-side "security" measure. This means that you can (very easily) use a client that does not follow the rules. The perfect example is Postman. So where is the security? Nowhere to be found.

SANKALP HARITASH
Author
Apr 13, 2024

Good afternoon sir,

Sir, these are my thoughts on CORS: its aim is to allow data exchange only between whitelisted websites as specified by the server, which is designed to enhance security by restricting which domains can interact with certain APIs or resources. However, there are indeed methods to bypass CORS, such as using a proxy server or modifying headers with certain tools during development, which can help developers test their applications.

I have used the real Swiggy API; they have blocked all direct access by using CORS, so developers often need to use server-side code to interact with the API instead of making these calls directly from the client side. This not only complies with CORS but also helps maintain security by keeping API keys and credentials server-side, away from the client.

As for implementing authentication, CORS does not directly interfere with authentication mechanisms. Authentication and authorization can still be handled as usual via tokens, sessions, or other methods, which are then included in cross-origin requests once CORS policies allow these requests. The server that handles the request will still perform authentication checks regardless of the origin of the request, ensuring that access control is maintained.

Yes sir, I know that CORS is like a burden during development, but it also serves as a crucial part of securing applications by controlling access based on origins, which helps prevent unwanted or malicious interactions.

José Pablo Ramírez Vargas
Apr 13, 2024

SANKALP HARITASH The whole point of investing time learning CORS as a developer is to achieve a better product, but one cannot. You are saying your "aim is to allow data exchange between whitelisted websites", but that's the thing! CORS cannot whitelist!! Open Postman, do direct queries and that's it: you're obtaining data and your Postman is not part of the whitelist. My point being: CORS is mostly a waste of time. CORS cannot stop any form of data theft because the server will volunteer the data every time, be it a whitelisted site or not.

SANKALP HARITASH
Author
Apr 13, 2024

Yes sir, you are right: tools like Postman don't respect the rules implemented by CORS; this is one of the limitations of CORS.

José Pablo Ramírez Vargas
Apr 13, 2024

SANKALP HARITASH Yes, and just the existence of this possibility (tools that don't give a darn about CORS) is what makes CORS a pretty much useless feature. In the end CORS exists to annoy legitimate users of your API. That's it. Security where? Nowhere. Even web browsers have a way to turn off CORS. You don't even need Postman or anything else. Just run Chrome with security turned off.

So my point being: CORS doesn't work because it cannot deliver, and I believe your article is just following the trend of praising CORS when in fact there is nothing to praise. I get it, it is what all authors do. Still: It would be refreshing to read the real truth about CORS instead of the usual lies.

SANKALP HARITASH
Author
Apr 13, 2024

José Pablo Ramírez Vargas My article is about what I've learned; it's not about following trends. I'm sharing what I've discovered and what I'm learning as a student. While I may have missed some points, it doesn't mean I'm sharing false information. I'm not an author; I'm a student writing for my own benefit. If anyone wants to learn along with me, they're welcome to join.

There's a quote that resonates with me: "Being a developer takes time; it's not a piece of cake that can be eaten in a minute."

SANKALP HARITASH
Author
Apr 13, 2024

I am using this platform as documentation of my learning. Sir, if you find these articles useless, there is no need to read them, and if you can help me improve, then you are welcome.
