Apply CORS in a measured way
Closed this issue · 2 comments
jimchamp commented
Currently, all endpoints can be accessed by outside domains.
Endpoints that should be available to outside domains should be identified. Requests from outside domains to other endpoints should be rejected.
jimchamp commented
I intend to work on this at some point during this week. If there are no objections, I will implement the following CORS rules:
- Any domain can make a GET request to an `/api` or `/api/*` endpoint.
- OL domains can POST to `/api/observations`
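
The two rules proposed above, sketched as a framework-independent decision function. This is an added example, not part of the issue thread or the project's code. The `OL_ORIGINS` allowlist, the function names and the `Content-Type` preflight header are assumptions made for illustration.

```python
# Assumption: placeholder origins standing in for "OL domains"; the issue does not list them.
OL_ORIGINS = {"https://ol.example", "https://www.ol.example"}


def is_api_path(path):
    # Matches /api and /api/*, but not look-alikes such as /apiary.
    return path == "/api" or path.startswith("/api/")


def allowed_origin(method, path, origin):
    """Return the Access-Control-Allow-Origin value, or None when no rule matches."""
    if method == "GET" and is_api_path(path):
        return "*"  # rule 1: any domain may GET /api or /api/*
    # Rule 2: exact-match allowlist. Substring or suffix checks would also
    # accept origins like https://ol.example.attacker.test.
    if method == "POST" and path == "/api/observations" and origin in OL_ORIGINS:
        return origin
    return None


def cors_decision(method, path, origin, requested_method=None):
    """Return (allowed, headers) for one request.

    origin is the Origin request header (None when absent, e.g. same-origin
    navigation or a non-browser client). requested_method is the
    Access-Control-Request-Method header sent on a preflight OPTIONS request.
    """
    if origin is None:
        return True, {}  # no Origin header: CORS does not apply
    preflight = method == "OPTIONS" and requested_method is not None
    effective = requested_method if preflight else method
    allow = allowed_origin(effective, path, origin)
    if allow is None:
        return False, {}  # reject and send no CORS headers
    headers = {"Access-Control-Allow-Origin": allow}
    if allow != "*":
        headers["Vary"] = "Origin"  # keep caches from reusing a per-origin response
    if preflight:
        headers["Access-Control-Allow-Methods"] = effective
        # Assumption: observations are posted as JSON, which needs this header allowed.
        headers["Access-Control-Allow-Headers"] = "Content-Type"
    return True, headers
```
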