Clearly mention that `Access-Control-Allow-Origin "*"` makes resources available to all and especially from all hosts #108

defransen opened this Issue Sep 10, 2015 · 1 comment




... and thus rendering the idea of cross-origin resource security useless, because everyone can present your resources as his own.
I think the basic default setup should be to respond with the content of the received Origin header in the Access-Control-Allow-Origin header. This prevents at least unwanted "proxying" of your resources.
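An added example, not code from this issue or from the project, of the stricter control the issue asks for: the `Origin` request header is echoed back in `Access-Control-Allow-Origin` only when it exactly matches an allowlisted origin. The allowlist, the function names and the `https://app.example.com` / `https://admin.example.com` origins are constructed for illustration. Echoing whatever `Origin` arrives without such a check would grant read access to every site just as `*` does, and in addition would work with credentialed requests, so the comparison is matched against a fixed list rather than reflected blindly.

```python
from typing import Dict, Optional, Iterable

# Constructed allowlist; a real deployment would load this from configuration.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})

# Methods and request headers advertised in answers to preflight requests.
PREFLIGHT_METHODS = "GET, POST, OPTIONS"
PREFLIGHT_HEADERS = "Content-Type, Authorization"


def wildcard_cors_headers() -> Dict[str, str]:
    """The permissive form the issue complains about: every origin may read."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers(request_origin: Optional[str],
                 allowed_origins: Iterable[str] = ALLOWED_ORIGINS,
                 allow_credentials: bool = True,
                 preflight: bool = False) -> Dict[str, str]:
    """Return the CORS response headers for one request.

    Access-Control-Allow-Origin is set only when the Origin header is an
    exact, case-sensitive match for an allowlisted origin (scheme, host and
    port included). Otherwise no CORS header is emitted at all, and the
    browser refuses to expose the response to the calling page.
    """
    headers: Dict[str, str] = {}
    if request_origin is None:
        # Same-origin or non-browser request: nothing to add.
        return headers
    if request_origin == "null":
        # Opaque origin (sandboxed iframe, file://): never allow.
        return headers
    if request_origin not in set(allowed_origins):
        # Exact matching defeats prefix/suffix tricks such as
        # https://app.example.com.attacker.example or http:// instead of https://.
        return headers

    headers["Access-Control-Allow-Origin"] = request_origin
    # The response now depends on Origin; tell caches so that a response
    # produced for one allowed origin is never served to a different one.
    headers["Vary"] = "Origin"
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight:
        headers["Access-Control-Allow-Methods"] = PREFLIGHT_METHODS
        headers["Access-Control-Allow-Headers"] = PREFLIGHT_HEADERS
    return headers


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://other.example.net", None):
        print(origin, "->", cors_headers(origin))
```

`cors_headers` is meant to be called from whatever request handler builds the response; the returned dictionary is merged into the response headers. Note that `Access-Control-Allow-Credentials: true` is only legal alongside a specific origin, which is one more reason the allowlisted echo is the right shape and `*` is not.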

Gnafu commented Oct 14, 2016

I agree, an example of a more strict control will be helpful.
