Disable CORS for admin routes #155

@Frewacom

Currently, all available routes have CORS enabled, meaning that you can send requests to the API from anywhere. In the future, it might be a good idea to not allow this for admin routes to improve security.

Adonis allows for dynamic configuration of the CORS policy based on the request method. Disabling CORS for all POST, PUT and DELETE operations should do the trick (with some exceptions).
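A sketch of the method-based policy described in the issue, added here as an example and not taken from the project's code. The function names, the exception list and the route paths are hypothetical; wiring the predicate into the `enabled` key of the Adonis CORS config is an assumption, since the page does not state the Adonis version. It also covers preflights, which arrive as OPTIONS and carry the intended method in `Access-Control-Request-Method`.

```javascript
// Added example: hypothetical policy helper, not code from the project.
const WRITE_METHODS = new Set(['POST', 'PUT', 'DELETE']);

// Hypothetical exceptions: write routes that must stay callable cross-origin.
const CROSS_ORIGIN_WRITE_EXCEPTIONS = [/^\/api\/v1\/login$/];

// For a preflight, the method that matters is the one the browser intends
// to send (Access-Control-Request-Method), not OPTIONS itself.
function effectiveMethod(request) {
  const method = request.method().toUpperCase();
  if (method === 'OPTIONS') {
    const intended = request.header('access-control-request-method');
    if (intended) return String(intended).toUpperCase();
  }
  return method;
}

// Returns true when CORS headers should be emitted for this request.
function corsEnabled(request) {
  const method = effectiveMethod(request);
  if (!WRITE_METHODS.has(method)) return true;
  const path = request.url().split('?')[0];
  return CROSS_ORIGIN_WRITE_EXCEPTIONS.some((re) => re.test(path));
}

// Minimal stand-in for the framework request object (constructed for this example).
function fakeRequest(method, url, headers = {}) {
  return {
    method: () => method,
    url: () => url,
    header: (name) => headers[name.toLowerCase()],
  };
}

// Constructed sample requests: plain read, plain write, and a preflight for a write.
const samples = [
  fakeRequest('GET', '/api/v1/admin/users'),
  fakeRequest('POST', '/api/v1/admin/users'),
  fakeRequest('OPTIONS', '/api/v1/admin/users/3', {
    'access-control-request-method': 'DELETE',
  }),
];
for (const r of samples) {
  console.log(r.method(), r.url(), '-> CORS enabled:', corsEnabled(r));
}
```

Withholding CORS headers only changes what browsers allow a foreign page to do; the admin routes still need their own authentication and authorization checks.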

Labels: api (Improvement or changes to the API), feature (New feature), future, improvement (Improvements to existing code), security (Everything regarding security of the server)
