Secure an API with Access-Control-Allow-Headers

Share this video with your friends

Send Tweet

The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request.

In this lesson, we'll secure our API by building an allowlist of origins that can access our API, and update the CORS functionality in our code to adopt that allowlist when handling requests.

brett
~ 3 years ago

includes seems like the wrong option for checkOrigin. Wouldn't someone be able to create a url that's like https://serverless-api-viewer.pages.dev.malicious.website.com and have it match?