
If my API doesn't use cookies, is there any reason for me to not fully enable CORS on the server? I.e. using JWT in a typical SPA <-> API scenario.
If you have any unauthenticated routes that you don't want arbitrary websites calling.

> using JWT in a typical SPA <-> API scenario.

Is this typical? It's a pretty horrible setup. Cookies have a lot of great features that 'store a JWT in LocalStorage' just doesn't have.


This doesn't actually prevent arbitrary websites from calling them, it just makes it a tiny bit hard. They could always just proxy your endpoint and add the CORS headers.

I'm still interested in the original question: if you use localstorage for auth tokens and you have proper CSRF protection, what does allowing all CORS actually make you vulnerable to?


You don't even need CSRF protection if you use localstorage for the tokens.
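To make the points in the thread concrete (open CORS only exposes routes that need no credential, a wildcard origin can't be combined with cookies, and a bearer token in localStorage can't be attached by a third-party page), here is an added example in plain Node.js. It is not code from any commenter; the policies, the route model and the origins `https://app.example.com` / `https://evil.example` are constructed for illustration.

```javascript
// Added example (not from the thread). Plain Node.js, no framework.
// Hypothetical API: bearer-token auth (token held by the SPA's JS and sent
// in the Authorization header), no cookies. Which CORS policy should it use?

// Policy A: fully open. Only defensible when every route is either public
// or requires the Authorization header, because a "*" origin cannot be
// combined with Access-Control-Allow-Credentials.
const openPolicy = { allowedOrigins: '*', allowCredentials: false };

// Policy B: allow-list. The setting to use once cookies or any other ambient
// credential are involved, or when unauthenticated routes should not be
// readable from arbitrary pages.
const allowListPolicy = {
  allowedOrigins: ['https://app.example.com'], // constructed sample origin
  allowCredentials: true,
};

// Compute the CORS response headers for a request Origin under a policy.
// Returns an empty object when the origin is not allowed: the browser then
// blocks the cross-origin read, although the request itself may still be sent.
function corsHeaders(policy, requestOrigin) {
  if (policy.allowedOrigins === '*') {
    if (policy.allowCredentials) {
      // Browsers reject "*" together with credentials; failing loudly here
      // surfaces the misconfiguration instead of letting it fail silently.
      throw new Error('wildcard origin cannot be combined with credentials');
    }
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (!requestOrigin || !policy.allowedOrigins.includes(requestOrigin)) {
    return {};
  }
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin, // echo only a listed origin
    'Vary': 'Origin',                             // caches must key on Origin
  };
  if (policy.allowCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Mirrors the check a browser applies: may a page at `origin` read the reply?
// For a request carrying credentials (cookies), "*" does not count as a match.
function browserCanRead(policy, origin, withCredentials) {
  let headers;
  try { headers = corsHeaders(policy, origin); } catch { return false; }
  const allow = headers['Access-Control-Allow-Origin'];
  if (allow === undefined) return false;
  if (allow === '*') return !withCredentials;
  return allow === origin &&
    (!withCredentials || headers['Access-Control-Allow-Credentials'] === 'true');
}

// Classify what an arbitrary third-party page can do against one route.
// route.auth is 'none', 'bearer' (token held only by the SPA's JS) or 'cookie'.
function thirdPartyExposure(policy, route) {
  const attackerOrigin = 'https://evil.example'; // constructed, not allow-listed
  const canRead = browserCanRead(policy, attackerOrigin, route.auth === 'cookie');
  if (route.auth === 'bearer') {
    // The third-party page cannot attach the token, so even a readable reply
    // is the anonymous (e.g. 401) response, not the victim's data.
    return canRead ? 'read as anonymous' : 'blocked';
  }
  if (route.auth === 'cookie') {
    // Cookies are attached regardless of CORS; CORS only gates reading the reply.
    // This is the case where CSRF protection is still required.
    return canRead ? 'read as victim' : 'request sent as victim, reply blocked';
  }
  return canRead ? 'read as anonymous' : 'blocked';
}

module.exports = { openPolicy, allowListPolicy, corsHeaders, browserCanRead, thirdPartyExposure };
```

Under `openPolicy` the only thing a third-party page gains is the ability to read unauthenticated routes, which is exactly the caveat raised above; bearer routes answer anonymously, and cookie routes are still *sent* with the victim's cookies (CORS never stopped that), so a cookie-authenticated API needs CSRF protection whatever its CORS headers say. Note that the allow-list policy is only useful against browsers: a server-side proxy that forwards your responses and adds its own CORS headers is not subject to it, as one commenter points out.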
