jesstaa | 4 years ago

If you have any unauthenticated routes that you don't want arbitrary websites calling.

> using JWT in a typical SPA <-> API scenario. Is this typical? It's a pretty horrible setup. Cookies have a lot of great features that 'store a JWT in LocalStorage' just doesn't have.

Mavvie | 4 years ago

This doesn't actually prevent arbitrary websites from calling them, it just makes it a tiny bit harder. They could always just proxy your endpoint and add the CORS headers.

I'm still interested in the original question: if you use localstorage for auth tokens and you have proper CSRF protection, what does allowing all CORS actually make you vulnerable to?

JanSt | 4 years ago

You don't even need CSRF protection if you use localstorage for the tokens
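To make the two points above concrete (Mavvie's question about what "allow all CORS" exposes, and JanSt's answer about CSRF with localStorage tokens), here is an added example that is not code from anyone in the thread; it models the browser's CORS response check and the two credential sources, with all origins and secret values constructed for the demo.

```javascript
// Added example, not from any commenter in this thread: a small model of what a
// page on another origin can get from an API that answers every request with
// Access-Control-Allow-Origin: *, depending on where the credential lives.
// Origins, cookie and token values below are constructed for the demo.
const API_COOKIE = 'session=s3cr3t';
const SPA = 'https://app.example';       // the SPA that stored the JWT
const ATTACKER = 'https://evil.example'; // some arbitrary third-party page

// Simplified CORS response check (per the Fetch spec): true when `origin` may
// read the body. A wildcard never satisfies a credentialed (cookie) request.
function corsAllowsRead(origin, credentialsMode, corsHeaders) {
  const acao = corsHeaders['access-control-allow-origin'];
  if (!acao || acao === 'null') return false;
  if (credentialsMode !== 'include') return acao === '*' || acao === origin;
  return acao === origin && corsHeaders['access-control-allow-credentials'] === 'true';
}

// What the browser attaches for a page on `callerOrigin`: the API's cookie goes
// out on any credentials:'include' request no matter who sent it (that is the
// CSRF problem); a localStorage token is readable only by the origin that stored it.
function buildRequest(callerOrigin, credentialsMode, victim) {
  const headers = {};
  if (credentialsMode === 'include' && victim.apiCookie) headers.cookie = victim.apiCookie;
  const token = victim.localStorage[callerOrigin];
  if (token) headers.authorization = 'Bearer ' + token;
  return { origin: callerOrigin, credentialsMode, headers };
}

// Toy API: one public route, one authenticated route, CORS policy "allow all".
function api(route, req) {
  const cors = { 'access-control-allow-origin': '*' };
  const authed = req.headers.cookie === API_COOKIE || req.headers.authorization === 'Bearer t0k3n';
  if (route === '/public') return { status: 200, body: 'public data', cors };
  return authed ? { status: 200, body: 'private data', cors } : { status: 401, body: null, cors };
}

// Runs one cross-origin fetch. `status` is what the server actually did (the
// request executes even if the caller may not read it); `body` is what the
// calling script can read, or null when the CORS check blocks it.
function crossOriginRead(callerOrigin, credentialsMode, victim, route) {
  const req = buildRequest(callerOrigin, credentialsMode, victim);
  const res = api(route, req);
  const body = corsAllowsRead(callerOrigin, credentialsMode, res.cors) ? res.body : null;
  return { status: res.status, body };
}
// Victim is logged in via cookie and also holds a token in app.example's localStorage.
const victim = { apiCookie: API_COOKIE, localStorage: { [SPA]: 't0k3n' } };
console.log(crossOriginRead(ATTACKER, 'omit', victim, '/public'));   // public: readable, as a proxy could
console.log(crossOriginRead(ATTACKER, 'include', victim, '/me'));    // cookie: executed (200) but unreadable
console.log(crossOriginRead(ATTACKER, 'omit', victim, '/me'));       // token: attacker cannot attach it, 401
```

The middle case is the one the thread is really about: with cookie auth the wildcard hides the response but the authenticated request still executed, so CSRF defences are still needed; with a localStorage token the third-party page cannot authenticate at all, and the wildcard only exposes what was already public.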