dobin / yookiterm-lxdserver

Yookiterm LXD backend server
Apache License 2.0

security: CORS-headers in admin.go #2

Open x1unix opened 4 years ago

x1unix commented 4 years ago

It's bad practice to have an Access-Control-Allow-Origin: * header. Basically you allow anybody from any website in the browser to call your APIs.

admin.go

var restAdminExecHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Access-Control-Allow-Origin", "*") // any origin may read this response
    // ... rest of the handler as in admin.go
})

dobin commented 2 years ago

Generally, everyone can call all APIs - the issue here is that another origin can access data (the response). As there is no endpoint with secret or sensitive data, I don't really care.
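The distinction both comments are circling, shown as an added Go example that is not code from yookiterm-lxdserver: a CORS header never stops a request from reaching the handler, it only decides whether a page on another origin is allowed to read the response. The `probe` helper below applies the rule a browser uses (the `Access-Control-Allow-Origin` value must be `*` or equal the page's origin) against two middlewares, the wildcard pattern from the issue and an origin allowlist that echoes the exact origin and sets `Vary: Origin`. The origin `https://yookiterm.example`, the `/admin/exec` path and the `execHandler` stub are assumptions for illustration, not the project's real values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is an assumed allowlist for this example; a real deployment
// would list the origin(s) that the legitimate frontend is served from.
var allowedOrigins = map[string]bool{
	"https://yookiterm.example": true,
}

// wildcardCORS reproduces the pattern discussed in the issue: every origin
// gets "*", so any page that can reach the server can also read the body.
func wildcardCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS emits the header only for origins it knows, echoing the exact
// origin rather than "*", and sets Vary so shared caches keep the variants apart.
// Preflight (OPTIONS) requests are answered here without running the real handler.
func allowlistCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if allowedOrigins[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Vary", "Origin")
		}
		if r.Method == http.MethodOptions {
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// execHandler is an assumed stand-in for the admin exec endpoint. It always
// does its work and writes a body; CORS has no say in that.
var execHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain")
	fmt.Fprint(w, "uid=0(root)")
})

// probe sends a cross-origin GET from the given page origin and reports two
// things separately: whether the server executed the handler (served) and
// whether a browser on that origin would be allowed to read the response
// (readable), using the browser's rule: ACAO must be "*" or the page's origin.
func probe(h http.Handler, origin string) (served, readable bool) {
	req := httptest.NewRequest(http.MethodGet, "/admin/exec", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)

	served = rec.Code == http.StatusOK && rec.Body.Len() > 0
	acao := rec.Header().Get("Access-Control-Allow-Origin")
	readable = acao == "*" || acao == origin
	return served, readable
}

func main() {
	for _, o := range []string{"https://yookiterm.example", "https://evil.example"} {
		ws, wr := probe(wildcardCORS(execHandler), o)
		as, ar := probe(allowlistCORS(execHandler), o)
		fmt.Printf("%-26s wildcard: served=%v readable=%v | allowlist: served=%v readable=%v\n",
			o, ws, wr, as, ar)
	}
}
```

Running `main` shows the request being served in every case; only the `readable` column changes. That is exactly why the header matters once an endpoint returns something a foreign page should not see (and note that browsers refuse to pair `*` with credentialed requests, so a wildcard cannot be "fixed" by adding `Access-Control-Allow-Credentials`). Whether that applies to this server is the judgement the maintainer makes above.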