This repository has been archived by the owner on Mar 27, 2024. It is now read-only.
Harden cross-domain policy #1
Labels
Comments
ghost
added
the
|
Je regarde ça ce soir, je dois avouer que je ne sais pas exactement à quoi sert ce paramètre... Sans lui par contre je n'arrivais pas à contacter le serveur depuis l'application. Par quoi devrais-je remplacer ça ? |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Right now,
Access-Control-Allow-Originis set to*(see https://github.com/ungdev/Gala-api/blob/master/server.js#L27). Thus, it allows any JavaScript code in any domain to perform requests toGala-api, while there is no need for it. The*should be replaced by a trusted domain (localhostduring development, etc).In addition, the header
Vary: Originshould be added to prevent any risky sever-side caching.The text was updated successfully, but these errors were encountered: