Hacker News
iancarroll on Feb 13, 2022 | on: CORS is not meant to secure an API endpoint
This is true, but there have been a lot of browser bugs in the past with Origin/Referer headers. Relying on those is not as foolproof as a CSRF token, which would require a more severe UXSS-type issue to leak. I wouldn’t advise it.
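The trade-off discussed in the comment above, as an added example that is not part of the original comment: a session-bound CSRF token is the required check, and the Origin header is used only to reject early, never to admit a request. The key, the allowed origin, the `csrf_token` field name and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed values for illustration only.
SERVER_KEY = secrets.token_bytes(32)        # per-deployment secret (hypothetical)
ALLOWED_ORIGINS = {"https://app.example"}   # hypothetical site origin


def _mac(session_id: str, nonce: str) -> bytes:
    # Assumes session ids are opaque server-generated values without "|".
    msg = f"{session_id}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: random nonce plus HMAC over session and nonce."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce).decode()}"


def csrf_token_valid(session_id: str, token: Optional[str]) -> bool:
    """Constant-time check that the token was issued for this session."""
    if not token or token.count(".") != 1:
        return False
    nonce, sent_mac = token.split(".")
    # Compare as bytes so non-ASCII input cannot raise inside compare_digest.
    return hmac.compare_digest(_mac(session_id, nonce), sent_mac.encode())


def allow_state_change(session_id: str, headers: dict, form: dict) -> bool:
    """Decide whether a state-changing request may proceed."""
    origin = headers.get("Origin")
    # A mismatching Origin is a cheap early reject (defense in depth).
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False
    # A matching or absent Origin proves nothing here: the token decides.
    return csrf_token_valid(session_id, form.get("csrf_token"))
```
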