Open-Book-Genome-Project/TheBestBookOn.com

Apply CORS in a measured way

Closed this issue · 2 comments

Currently, all endpoints can be accessed by outside domains.

Endpoints that should be available to outside domains should be identified. Requests from outside domains to other endpoints should be rejected.

I intend to work on this at some point during this week. If there are no objections, I will implement the following CORS rules:

  • Any domain can make a GET request to an /api or /api/* endpoint.
  • OL domains can POST to /api/observations.
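The two rules above can be expressed as one origin-and-method decision function that a server consults before emitting any CORS headers. The following is an added illustration, not code from the TheBestBookOn.com repository or from the commenter; it is framework-independent so it runs offline, and the list of "OL domains" in `OL_ORIGINS` is a constructed assumption, since the thread does not name them. Everything the browser sends is matched as a complete origin (scheme, host, port), never as a substring, and the allowed origin is echoed back for the POST rule rather than using `*`, because `*` can never be combined with credentialed requests.

```python
"""Measured CORS decision for the two rules discussed in the issue (added example).

Rule 1: any origin may GET /api or /api/*.
Rule 2: only OL origins may POST to /api/observations.
Everything else gets no CORS headers, so a browser will not expose the response
(or will refuse to send a preflighted request) to the calling page.
"""

# Constructed assumption: the issue does not list the OL domains, so these are placeholders.
OL_ORIGINS = frozenset({"https://openlibrary.org", "https://archive.org"})


def is_api_path(path):
    """True for exactly /api or anything under /api/ (but not e.g. /apiary)."""
    return path == "/api" or path.startswith("/api/")


def policy_allows(method, path, origin):
    """Return the Access-Control-Allow-Origin value for this request, or None to deny."""
    if origin is None:
        return None  # no Origin header: same-origin or non-browser client, nothing to add
    if method in ("GET", "HEAD") and is_api_path(path):
        return "*"  # rule 1: public read access
    if method == "POST" and path == "/api/observations" and origin in OL_ORIGINS:
        return origin  # rule 2: exact-match an OL origin and echo it back, never "*"
    return None  # default deny: no headers means the browser blocks cross-origin use


def cors_headers(method, path, request_headers):
    """Compute the CORS response headers for a request.

    request_headers is a dict of incoming headers (case-sensitive keys as written by browsers).
    Handles both the actual request and the OPTIONS preflight that browsers send before a
    non-simple request such as a JSON POST.
    """
    origin = request_headers.get("Origin")
    method = method.upper()

    if method == "OPTIONS" and "Access-Control-Request-Method" in request_headers:
        # Preflight: decide on the method the browser intends to send, not on OPTIONS itself.
        intended = request_headers["Access-Control-Request-Method"].upper()
        allow = policy_allows(intended, path, origin)
        if allow is None:
            return {}
        out = {
            "Access-Control-Allow-Origin": allow,
            "Access-Control-Allow-Methods": intended,
            "Access-Control-Max-Age": "600",
        }
        requested = request_headers.get("Access-Control-Request-Headers")
        if requested:
            # Origin and method already gate the request; echoing the requested
            # headers lets the OL client send Content-Type for its JSON body.
            out["Access-Control-Allow-Headers"] = requested
        if allow != "*":
            out["Vary"] = "Origin"  # per-origin answers must not be cached across origins
        return out

    allow = policy_allows(method, path, origin)
    if allow is None:
        return {}
    out = {"Access-Control-Allow-Origin": allow}
    if allow != "*":
        out["Vary"] = "Origin"
    return out


if __name__ == "__main__":
    # Constructed sample requests showing each branch of the policy.
    samples = [
        ("GET", "/api/books", {"Origin": "https://example.com"}),
        ("GET", "/apiary", {"Origin": "https://example.com"}),
        ("POST", "/api/observations", {"Origin": "https://openlibrary.org"}),
        ("POST", "/api/observations", {"Origin": "https://openlibrary.org.evil.example"}),
        ("POST", "/api/books", {"Origin": "https://openlibrary.org"}),
    ]
    for m, p, h in samples:
        print(m, p, h.get("Origin"), "->", cors_headers(m, p, h) or "denied")
```

The decision is deliberately a pure function of method, path and origin so it can be unit-tested without a web server and then wired into whatever middleware the project uses. Two caveats apply regardless of framework: CORS only controls what a browser will send or expose, so a non-browser client can still reach every endpoint and the POST handler still needs its own authentication or CSRF protection; and rejecting by omitting headers (rather than returning an error) is the standard behaviour, since the browser enforces the block on the client side.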

Closing this for now. The most pressing security concerns surrounding this were addressed by #40. Remaining concerns will be resolved upon the implementation of #45.