CORS – WindowsTechs.com

What is the risk of lenient CORS header for a webapplication that stores tokens in sessionStorage and not in cookies?

Posted on January 28, 2025 by cis

Let’s assume we have a web-application that stores its auth token in the browser’s sessionStorage/localStorage and does not use cookies. If I’m not completely mistaken, such a web application is not vulnerable against CSRF attacks, right?
… Continue reading What is the risk of lenient CORS header for a webapplication that stores tokens in sessionStorage and not in cookies?→

ADFS + CORS + Trusted Origin https://localhost a security problem?

Posted on January 24, 2025 by Wurst

maybe a simple question, maybe not. We struggle with an solution to allow our developers develop web applications with oauth pkcs auth flow against our idp/adfs (active directory federation services) on a local dev machine.
Trusted Origin … Continue reading ADFS + CORS + Trusted Origin https://localhost a security problem?→

ADFS + CORS + Trusted Origin https://localhost a security problem?

Posted on January 24, 2025 by Wurst

How to securely allow localhost to access through CORS, without exposing it to anyone’s localhost?

Posted on November 5, 2024 by Lance Pollard

It is recommended to do this often in web apps:
import { NextResponse } from ‘next/server’
import type { NextRequest } from ‘next/server’

// Define allowed origins
const allowedOrigins = [
‘http://localhost:3000’,
‘http://localhost:30… Continue reading How to securely allow localhost to access through CORS, without exposing it to anyone’s localhost?→

What is the client-security-token header typically used for?

Posted on October 11, 2024 by Sjoerd

I came across a site that allows the client-security-token in CORS requests:
Access-Control-Allow-Headers: …, client-security-token

I have not found any request yet that includes this header. But it also does not seem to be application-… Continue reading What is the client-security-token header typically used for?→

Understanding Cross-Domain Cookies and `SameSite` Attributes with Express.js and Third-Party Tracking

Posted on September 9, 2024 by AllExJ

What I have understood (I guess):

Cross-origin Cookies:
Cookies set with Domain="example.com" are not sent with fetch requests from origins like hello.example2.com to mywebsite.example.com because they are different domains. How… Continue reading Understanding Cross-Domain Cookies and `SameSite` Attributes with Express.js and Third-Party Tracking→

CORS credentials option set to true

Posted on July 19, 2024 by a_duck

To allow cookies to be sent to my ExpressJS server,credentials: true has to be set in my CORS config.
What potential security risks/ vulnerabilities could arise from this configuration?
If possible, how could said risks be mitigated in pra… Continue reading CORS credentials option set to true→

Does the CORS asteriks / wildcard include both encrypted and unencrypted origins?

Posted on May 27, 2024 by Booger21

Does the CORS asteriks / wildcard (*) include both encrypted (https) and unencrypted origins (http)? And is the null origin (i.e., when a local file is doing a xmlhttprequest, or within an iframe with sandbox attribute) regarded as http?
… Continue reading Does the CORS asteriks / wildcard include both encrypted and unencrypted origins?→

What are the reasons for CORS failure errors to not be available to JS?

Posted on April 5, 2024 by Ooker

From Cross-Origin Resource Sharing (CORS) – HTTP | MDN:

CORS failures result in errors but for security reasons, specifics about the error are not available to JavaScript. All the code knows is that an error occurred. The only way to dete… Continue reading What are the reasons for CORS failure errors to not be available to JS?→

Risks with having a "localhost" service configured on a production SAML/OAuth/OIDC Identity Provider

Posted on March 9, 2024 by xsrf

To help developers with integrating with our SAML/OAuth/OIDC Identity Provider on their local dev environments, I’m thinking about configuring a demo client/app in our production IdP that has localhost configured as valid redirect url (OAu… Continue reading Risks with having a "localhost" service configured on a production SAML/OAuth/OIDC Identity Provider→