
Contrary to what the doc claims, CORS is no defence

Open jub0bs opened this issue 1 year ago • 2 comments

The file content/docs/operating/security.md contains the following passage:

For non-mutating endpoints, you may wish to set CORS headers such as Access-Control-Allow-Origin in your reverse proxy to prevent XSS.

However, this passage is problematic, because CORS is no defence against XSS. In fact, CORS is no defence at all; quite the opposite, since its goal is to relax the Same-Origin Policy.

This passage should be reworded or even removed.

jub0bs avatar Apr 02 '24 16:04 jub0bs
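To make the point in the issue concrete, here is an added example (written for this page, not code from the issue author or from the Grafana docs) that models the browser-side CORS response check from the Fetch standard. It shows that adding Access-Control-Allow-Origin in a reverse proxy can only widen which origins may read a response, and that same-origin reads, which is what injected script performs in an XSS, never pass through that check at all. The origins used are constructed for the example.

```python
from itertools import product


def cors_check(request_origin: str, response_headers: dict, credentials: bool = False) -> bool:
    """Simplified Fetch 'CORS check': may a page at request_origin read this response?"""
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:          # no header: cross-origin read stays blocked by the SOP
        return False
    if acao == "*":           # wildcard is only honoured for non-credentialed requests
        return not credentials
    if acao != request_origin:
        return False
    if credentials and headers.get("access-control-allow-credentials", "").lower() != "true":
        return False
    return True


def response_readable(page_origin: str, target_origin: str,
                      response_headers: dict, credentials: bool = False) -> bool:
    """Same-origin reads are never subject to CORS; only cross-origin ones are checked.

    Script injected via XSS runs with page_origin == target_origin, so whatever
    CORS headers the proxy adds are irrelevant to what that script can read."""
    if page_origin == target_origin:
        return True
    return cors_check(page_origin, response_headers, credentials)


def cors_only_relaxes(target_origin: str, before: dict, after: dict) -> bool:
    """True if no (origin, credentials) pair loses read access when headers go from before to after.

    Demonstrates that CORS headers never take access away; they can only grant it."""
    origins = [target_origin, "https://third-party.example", "https://other.example"]
    for origin, creds in product(origins, [False, True]):
        if (response_readable(origin, target_origin, before, creds)
                and not response_readable(origin, target_origin, after, creds)):
            return False
    return True


if __name__ == "__main__":
    # Constructed origins for the demonstration.
    app, third = "https://grafana.example", "https://third-party.example"
    no_cors, open_cors = {}, {"Access-Control-Allow-Origin": "*"}
    print(response_readable(third, app, no_cors))    # False: SOP blocks the read
    print(response_readable(third, app, open_cors))  # True: the proxy header opened it
    print(response_readable(app, app, no_cors))      # True: same-origin, CORS not consulted
    print(cors_only_relaxes(app, no_cors, open_cors))  # True
```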

Hello from the bug scrub. @jub0bs Do you have any proposal on how this can be reworded?

jan--f avatar Dec 09 '25 15:12 jan--f

@jan--f Hi! Yes: don't mention CORS as a defence against XSS. If you wish to defend against XSS (or any attack, really), CORS is not the right tool.

jub0bs avatar Dec 09 '25 16:12 jub0bs