Open FelixN2201 opened 4 years ago
I'm not the developer of the plugin, but my assumption (and belief, too) is that you shouldn't have PRTG on the public internet in the first place, so 'locking down' this particular header is pointless, in that regard.
If PRTG lies within your private network (inaccessible to the outside web), the CORS risk is null. If someone is already in your network and able to utilize such a thing, you've got bigger problems to contend with.
@angela-d I suggest you fork this repo and maintain the project.
In order to allow software to access PRTG's API you have to add a String value named "AccessControlAllowOriginHTTPHeader" to the registry key. So far so good. But why use the value data "*" and allow any software potential access (or at least the attempt) when the header itself technically allows you to specify which source is allowed to access the API? It would feel much cleaner and more secure.
My question: Is there any way to allow only this plugin to access the API, and if not, why not, and are there any legitimate safety concerns? Thanks!
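To make the difference concrete, here is an added example (not PRTG's code and not the plugin's) that models what the question is asking for: instead of answering every request with `Access-Control-Allow-Origin: *`, the server compares the request's `Origin` against an exact-match allowlist and echoes only a listed origin back, adding `Vary: Origin` so caches do not hand one origin's grant to another. It also includes a small audit helper that flags the wildcard and related weak combinations in a captured header set. The origins in `ALLOWED_ORIGINS` are constructed sample values; the code does not read or write the registry.

```python
"""Origin allowlisting for the Access-Control-Allow-Origin (ACAO) header.

Added example; not PRTG's or the plugin's code. It contrasts a wildcard
grant ("*") with an exact-match allowlist of the origin(s) the plugin is
served from. All origins below are constructed sample values.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed allowlist: the origin(s) the dashboard/plugin is served from.
ALLOWED_ORIGINS = frozenset({
    "https://dashboard.example.internal",
    "https://dashboard.example.internal:8443",
})


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in lowercase, or None if not a clean origin."""
    if not origin or origin == "null":
        return None  # "null" is the opaque origin; never allowlist it
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # An Origin header carries no path, query or fragment.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = f":{parts.port}" if parts.port else ""
    except ValueError:  # non-numeric port
        return None
    return f"{parts.scheme}://{parts.hostname}{port}"


def cors_headers(request_origin: Optional[str], *, wildcard: bool = False) -> Dict[str, str]:
    """Headers to add to an API response.

    wildcard=True mirrors setting the registry value to "*": every origin is
    granted and the grant is not tied to the requester.
    wildcard=False answers with the exact origin only when it is on the
    allowlist; otherwise no ACAO header is emitted and the browser blocks
    the cross-origin read.
    """
    if wildcard:
        return {"Access-Control-Allow-Origin": "*"}
    origin = normalize_origin(request_origin or "")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # per-origin answers must not be cached across origins
    }


def audit_acao(headers: Dict[str, str]) -> List[str]:
    """Flag weak CORS settings in a captured response header set (canonical names)."""
    findings: List[str] = []
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao == "*":
        findings.append("wildcard ACAO: any origin may read responses")
    if acao == "null":
        findings.append("ACAO 'null' matches sandboxed/opaque origins")
    if acao == "*" and creds:
        findings.append("wildcard with credentials: browsers reject this combination")
    if acao and acao != "*" and "Origin" not in headers.get("Vary", ""):
        findings.append("per-origin ACAO without Vary: Origin is cache-unsafe")
    return findings


if __name__ == "__main__":
    for origin in ("https://dashboard.example.internal", "https://evil.example", None):
        print(origin, "->", cors_headers(origin))
    print(audit_acao({"Access-Control-Allow-Origin": "*"}))
```

Note that the match is on the full normalized origin (scheme, host and port), so a lookalike such as `https://dashboard.example.internal.evil.example` does not pass, which is the property a prefix or substring check would lose.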