CORS config #29
Description
Since we decoupled the frontend from the backend we need to consider CORS headers configs. Running web servers is not my expertise so it would be great to hear peoples general opinions on this when dealing with frontend applications making XMLHttpRequests (or Fetch) directly to a service.
I guess this is also somewhat related to authentication of the app in general but another topic.
So instead of same-origin we could:
- Whitelist IPs?
- Allow all?