When dealing with CORS and including credentials (such as cookies, HTTP authentication, or client-side SSL certificates) in your requests, there are specific security reasons why you cannot set the Access-Control-Allow-Origin header to *.
Why can't we use "*" with credentials?
Credentials Exposure: Allowing any origin (*) to access resources with credentials means that any website can potentially make requests to your backend while including sensitive credentials (like session cookies). This could lead to security vulnerabilities where an attacker could craft a malicious site to exploit user sessions or sensitive data.
W3C CORS Standard: According to the CORS specification, if a request is made with credentials (withCredentials: true), the server must specify an explicit origin (not *) in the Access-Control-Allow-Origin header. This is a security measure to ensure that only specific, trusted origins can make authenticated requests.
Solution
Add configurable allowed headers, with a default value of http://localhost:7377,http://0.0.0.0:7377.
Context
When dealing with CORS and including credentials (such as cookies, HTTP authentication, or client-side SSL certificates) in your requests, there are specific security reasons why you cannot set the Access-Control-Allow-Origin header to *.
Why can't we use "*" with credentials?
Credentials Exposure: Allowing any origin (*) to access resources with credentials means that any website can potentially make requests to your backend while including sensitive credentials (like session cookies). This could lead to security vulnerabilities where an attacker could craft a malicious site to exploit user sessions or sensitive data.
W3C CORS Standard: According to the CORS specification, if a request is made with credentials (withCredentials: true), the server must specify an explicit origin (not *) in the Access-Control-Allow-Origin header. This is a security measure to ensure that only specific, trusted origins can make authenticated requests.
Solution
Add configurable allowed headers, with a default value of
http://localhost:7377,http://0.0.0.0:7377.