MattGibney / DarkThrone

Lovingly re-creating the DarkThrone experience.
https://darkthronereborn.com

CSRF Mitigation #3

Closed MattGibney closed 7 months ago

MattGibney commented 7 months ago

As the API is currently authenticated with cookies, it's possible to commit CSRF (Cross-Site Request Forgery) requests, tricking players into performing actions they don't want to.

Switch to authenticating requests using an Authorization header and a Bearer token.

MattGibney commented 7 months ago

The API does implement CORS, requiring requests to be made from known origins; however, these can be tricked.