• cout970@programming.dev
    3 days ago

    One thing to note: CORS only makes sense if your API uses cookies for authentication. Most APIs use custom headers, the Authentication header, or even URL tokens; they don’t rely on cookies, so most of the time, APIs don’t care about CORS. People keep blindly repeating that accepting all origins, “*”, is bad for security, but the situations where this is relevant are really uncommon.
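
The interaction between the wildcard origin and cookie credentials that the comment refers to, as an added example that is not part of the original comment: a simplified model of the browser-side CORS check on a cross-origin response, following the Fetch standard. The function name `corsCheck`, the object shapes and the sample origin are assumptions made for illustration, and the preflight step is left out.

```javascript
// Added example: simplified model of the browser's CORS check (Fetch standard).
// corsCheck and the request/header shapes are hypothetical names for this sketch;
// all origins and header values below are constructed samples.
function corsCheck(request, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  const allowCreds = responseHeaders["access-control-allow-credentials"];
  // Cookies ride along on a cross-origin request only in "include" mode.
  const sendsCookies = request.credentials === "include";

  if (allowOrigin === undefined) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (!sendsCookies) {
    // Without cookies, "*" or an exact match lets the page read the response.
    const ok = allowOrigin === "*" || allowOrigin === request.origin;
    return { readable: ok, reason: ok ? "ok" : "origin mismatch" };
  }
  // With cookies, the wildcard is rejected outright.
  if (allowOrigin === "*") {
    return { readable: false, reason: "wildcard not allowed with credentials" };
  }
  if (allowOrigin !== request.origin) {
    return { readable: false, reason: "origin mismatch" };
  }
  if (allowCreds !== "true") {
    return { readable: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { readable: true, reason: "ok" };
}

const page = "https://app.example";
// Token API: the caller attaches its own header, no cookies involved.
const tokenApi = corsCheck({ origin: page, credentials: "omit" },
  { "access-control-allow-origin": "*" });
// Cookie-session API that answers with the wildcard.
const cookieWildcard = corsCheck({ origin: page, credentials: "include" },
  { "access-control-allow-origin": "*", "access-control-allow-credentials": "true" });
// Cookie-session API that names the origin and opts in to credentials.
const cookieExplicit = corsCheck({ origin: page, credentials: "include" },
  { "access-control-allow-origin": page, "access-control-allow-credentials": "true" });

console.log({ tokenApi, cookieWildcard, cookieExplicit });
```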