by limbero 478 days ago
> You only have to use CORS to remove restrictions: if you do nothing, maximum security is the default.

This is only true if you see CORS as a tool only to prevent reading data. I personally find it to be a useful tool to prevent writes, because the Origin header fulfils several of the purposes of a CSRF token. But that requires work on the backend to not actually perform writes unless the CORS parameters are valid. That sort of security is not the default (which is probably good).
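Added example, not code from the thread or from any of its participants: a server-side gate that checks the Origin header on state-changing requests, in the way the comment describes, and keeps that check separate from the CORS response headers the browser enforces on the reading side. The allowlist, the function names, the use of Sec-Fetch-Site as a fallback and the constructed requests are all assumptions for illustration.

```javascript
// Added example (assumptions: allowlist, function names, Sec-Fetch-Site fallback).
// The browser's CORS read restriction does nothing to stop a cross-site form POST
// from reaching the server; the server has to refuse the write itself.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // assumed first-party origin
  "https://admin.example.com", // assumed first-party origin
]);

// Methods that must not change server state; they are not gated here.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Decide whether a request may perform a write. Returns { allow, reason }.
// Caveat: Origin is only meaningful for browser-issued requests. A non-browser
// client can send any value, so this is a CSRF defence, not authentication;
// the request still needs its own session or token check.
function writeAllowed(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }

  // Header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const origin = h["origin"];
  if (origin === undefined) {
    // Browsers send Origin on cross-origin POST/fetch but may omit it on some
    // same-origin requests. Accept a missing Origin only when Fetch Metadata
    // says the request is same-origin or a direct navigation ("none").
    const site = h["sec-fetch-site"];
    if (site === "same-origin" || site === "none") {
      return { allow: true, reason: "same-origin per Sec-Fetch-Site" };
    }
    return { allow: false, reason: "missing Origin on write" };
  }

  // "null" is sent for sandboxed iframes, data: URLs and some redirects.
  // It must never match an allowlist entry.
  if (origin === "null") return { allow: false, reason: "null Origin" };

  // Exact match only. Prefix or suffix matching would let
  // https://app.example.com.attacker.net through.
  if (ALLOWED_ORIGINS.has(origin.toLowerCase())) {
    return { allow: true, reason: "Origin allowlisted" };
  }
  return { allow: false, reason: `Origin not allowed: ${origin}` };
}

// CORS response headers: these govern what the browser lets a page *read*.
// They are deliberately independent of writeAllowed(), which runs before any
// write is performed regardless of what the browser would do with the response.
function corsHeaders(origin) {
  const out = { Vary: "Origin" }; // cache responses per origin
  if (origin && ALLOWED_ORIGINS.has(origin.toLowerCase())) {
    out["Access-Control-Allow-Origin"] = origin; // echo the exact origin, never "*" with credentials
    out["Access-Control-Allow-Credentials"] = "true";
    out["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    out["Access-Control-Allow-Headers"] = "Content-Type";
  }
  return out;
}

// Minimal request handler: refuse the write with 403 unless the Origin gate passes.
function handle(req) {
  const origin = req.headers.Origin ?? req.headers.origin;
  const headers = corsHeaders(origin);
  const decision = writeAllowed(req.method, req.headers);
  if (!decision.allow) {
    return { status: 403, headers, body: `write rejected: ${decision.reason}` };
  }
  return { status: 200, headers, body: "ok" };
}

// Constructed sample requests (not captured traffic), shown when run directly.
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    { method: "POST", headers: { Origin: "https://app.example.com" } },
    { method: "POST", headers: { Origin: "https://app.example.com.attacker.net" } },
    { method: "POST", headers: { Origin: "null" } },
    { method: "POST", headers: { "Sec-Fetch-Site": "same-origin" } },
    { method: "POST", headers: {} },
    { method: "GET", headers: {} },
  ];
  for (const s of samples) {
    const r = handle(s);
    console.log(s.method, JSON.stringify(s.headers), "->", r.status, r.body);
  }
}
```

The write gate and the CORS headers are kept in separate functions on purpose: a request that fails the gate still gets a Vary header but no Access-Control-Allow-Origin, and a request from an allowlisted origin gets its CORS headers whether or not it is a write. Nothing here replaces session authentication; it only stops a browser on another origin from driving an authenticated user's session into a write.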