
Disable CORS for admin routes #155

Open
Frewacom opened this issue Jun 3, 2021 · 0 comments
Labels: api (Improvement or changes to the API), feature (New feature), future, improvement (Improvements to existing code), security (Everything regarding security of the server)

Comments

@Frewacom (Member) commented Jun 3, 2021

Currently, all available routes have CORS enabled, meaning that you can send requests to the API from anywhere. In the future, it might be a good idea to not allow this for admin routes to improve security.

Adonis allows for dynamic configuration of the CORS policy based on the request method. Disabling CORS for all POST, PUT and DELETE operations should do the trick (with some exceptions).
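The per-request policy the comment above sketches, written out as an added example (this is not code from the issue or from the project). AdonisJS 5 documents `enabled` in `config/cors.ts` as accepting a function of the request, which is the hook assumed here. The `/admin` prefix, the `/login` and `/signup` "exceptions", the `RequestLike` interface and the `fakeRequest` helper are all assumptions made so the policy can run stand-alone without Adonis installed. One detail the policy handles that the comment does not mention: a preflight arrives as `OPTIONS`, so the decision must look at `Access-Control-Request-Method`, otherwise every preflight is approved and the real `POST` still reaches the server.

```typescript
// Added example, not the project's code. Assumes AdonisJS 5's
// `enabled: (request) => boolean` hook in config/cors.ts; the route
// prefixes and helper below are illustrative assumptions.

interface RequestLike {
  method(): string;
  url(): string;                              // path without query string
  header(name: string): string | undefined;   // case-insensitive lookup
}

const ADMIN_PREFIX = "/admin";                                   // assumption
const PUBLIC_WRITE_ROUTES = new Set(["/login", "/signup"]);      // assumption: the "exceptions"
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

/** The method the browser actually intends to send. On a preflight that is
 *  the Access-Control-Request-Method header, not OPTIONS; deciding on OPTIONS
 *  alone would approve the preflight and the real POST would still execute. */
export function effectiveMethod(req: RequestLike): string {
  const m = req.method().toUpperCase();
  if (m === "OPTIONS") {
    const requested = req.header("access-control-request-method");
    if (requested) return requested.toUpperCase();
  }
  return m;
}

/** true = emit CORS headers for this request, false = treat it as same-origin only. */
export function corsEnabled(req: RequestLike): boolean {
  const path = req.url();
  const method = effectiveMethod(req);
  // Admin routes: never reachable from another origin, regardless of method.
  if (path === ADMIN_PREFIX || path.startsWith(ADMIN_PREFIX + "/")) return false;
  // State-changing methods elsewhere: disabled unless explicitly allow-listed.
  if (STATE_CHANGING.has(method) && !PUBLIC_WRITE_ROUTES.has(path)) return false;
  return true;
}

/** What "disabled" means on the wire: no Access-Control-* headers at all, so a
 *  browser refuses to expose the response to the calling page and fails the
 *  preflight of any non-simple request. Real values come from config/cors.ts. */
export function corsHeaders(req: RequestLike, origin: string): Record<string, string> {
  if (!corsEnabled(req)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "GET,HEAD,OPTIONS,POST,PUT,PATCH,DELETE",
  };
}

/** Constructed stand-in for an Adonis request so the policy can be exercised offline. */
export function fakeRequest(
  method: string,
  path: string,
  headers: Record<string, string> = {},
): RequestLike {
  const lower: Record<string, string> = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  return {
    method: () => method,
    url: () => path,
    header: (name) => lower[name.toLowerCase()],
  };
}

// Wiring in AdonisJS 5 (config/cors.ts; not runnable here without Adonis):
// export default corsConfig({ enabled: (request) => corsEnabled(request), /* ... */ })
```

One caveat worth keeping in mind when this lands: returning `false` only stops the browser from reading the response (and from sending non-simple requests at all, because the preflight fails). A simple cross-origin request such as a form-encoded `POST` without custom headers is still delivered and still executed server-side, so the admin write routes still need authentication and CSRF protection; CORS is a disclosure control, not an access control.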

Frewacom added the feature, api, improvement, future and security labels on Jun 3, 2021
McFrappe self-assigned this on Jun 10, 2021