Security focused CORS configuration for browser APIs

9555 views

                  Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins 'https://app.example.com', 'https://admin.example.com'
    resource '/api/*',
      headers: %w[Authorization Content-Type],
      methods: %i[get post patch delete options],
      credentials: true,
      max_age: 600
  end
end

CORS is not an authentication control, but bad CORS settings still widen attack surface unnecessarily. I allow exact origins, restrict methods and headers, and avoid wildcard credentials combinations entirely. If the front-end origin list is unclear, that is a design problem to solve, not a reason to use *.

Kai Nakamura

More from Kai Nakamura

Security focused CORS configuration for browser APIs

0 Comments

More from Kai Nakamura