
durbatuluk | 6 years ago

I think everyone needs to remember CORS is a browser-only protection, and anything you expose via a CORS-protected endpoint in reality has no protection at all. Try cURL reaching any endpoint protected by CORS and you'll see what I mean.

Also, browsers automatically sending cookies enables many of these CSRFs; consider JWT.

Amazing how PHP is still biting developers.


osrec | 6 years ago

If you've taken the time to understand things well, you'll do just fine, even with PHP. Otherwise, the quirks of any language/library/tool may catch you out (it's not just a PHP thing).

kyle-rb | 6 years ago

cURL being able to access a CORS protected endpoint isn't an issue because cURL doesn't have your cookies.
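The two points made in this thread (CORS only governs what a browser may read, and CSRF exists because the browser attaches cookies on its own) can be shown together in a small server-side check. The following is an added illustration, not code from any commenter or from the article under discussion; the origin `https://app.example`, the allow-list, the cookie names `session` and `csrf`, and the `Request` class are all assumptions made for the example. It shows that CORS headers are decided independently of whether the request is processed, that a cookie-bearing cross-site request is rejected only because the server itself validates Origin/Referer and a double-submit token, and that a bearer token in an `Authorization` header sidesteps the problem because browsers never add that header automatically.

```python
"""Server-side CORS vs. CSRF illustration (added example, not from the thread).

All origins, cookie names and the Request class below are assumptions for the
demonstration; token signature checks for the bearer path are out of scope.
"""
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"          # assumed: the application's own origin
CORS_ALLOWED = {"https://partner.example"}    # assumed: origins allowed to read responses


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (assumption, not a real framework)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def cors_headers(req: Request) -> dict:
    """CORS only tells a *browser* whether it may read the response.

    The server still processes the request and emits the body either way; a
    non-browser client such as cURL ignores these headers entirely.
    """
    origin = req.header("Origin")
    if origin in CORS_ALLOWED:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def _request_origin(req: Request) -> Optional[str]:
    """Origin of the page that issued the request, from Origin or Referer."""
    origin = req.header("Origin")
    if origin:
        return origin
    referer = req.header("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def authorize_state_change(req: Request) -> Tuple[bool, str]:
    """Decide whether a state-changing request is legitimate; returns (allowed, reason).

    This is the server-side CSRF defence CORS does not provide.
    """
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False, "state changes must not use safe methods"

    bearer = req.header("Authorization")
    if bearer and bearer.startswith("Bearer "):
        # A token in a header is attached by the site's own script, never
        # automatically by the browser, so a cross-site page cannot supply it.
        # (Signature/expiry verification of the token is assumed to follow.)
        return True, "authenticated by explicit bearer token"

    session = req.cookies.get("session")
    if not session:
        # cURL without the victim's cookie: nothing to protect, nothing to allow.
        return False, "no credentials"

    # Cookie-authenticated: the browser attached the cookie automatically, so
    # the server must confirm the request really came from its own origin.
    origin = _request_origin(req)
    if origin != SITE_ORIGIN:
        return False, f"cross-site request from {origin or 'unknown origin'}"

    # Double-submit token: form value must match the csrf cookie.
    token_cookie = req.cookies.get("csrf")
    token_form = req.form.get("csrf")
    if not token_cookie or not token_form or not hmac.compare_digest(token_cookie, token_form):
        return False, "missing or mismatched CSRF token"
    return True, "same-origin request with valid CSRF token"


if __name__ == "__main__":
    cookies = {"session": "s1", "csrf": "tok"}   # constructed sample values
    cases = {
        "cross-site form post with cookies": Request("POST", {"Origin": "https://evil.example"}, cookies, {"csrf": "tok"}),
        "same-origin form post": Request("POST", {"Origin": SITE_ORIGIN}, cookies, {"csrf": "tok"}),
        "curl without cookies": Request("POST"),
        "script with bearer token": Request("POST", {"Authorization": "Bearer eyJ.example"}),
    }
    for label, req in cases.items():
        print(f"{label:36} cors={cors_headers(req)!r:<70} csrf={authorize_state_change(req)}")
```

Note what the example does and does not say: `cors_headers` never influences `authorize_state_change`, which is the point durbatuluk makes, and the "curl without cookies" case is refused for lack of credentials, not because of CORS, which is kyle-rb's point. Real deployments should additionally set `SameSite` on the session cookie and run the Origin check before any cookie-authenticated handler, not only on form posts.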