Hey infosec twitter. I have an API that's protected with bearer auth. No cookies anywhere. Can I 'Access-Control-Allow-Origin: *' safely?
Replying to @andreasdotorg
Not sure if this is a serious question :D so a semi-stupid answer: then don't allow the Authorization header via CORS.
1 reply 0 retweets 1 like
Replying to @insertScript
It's actually a serious question. And the answer of course doesn't help, because we need the auth header for auth.
1 reply 0 retweets 1 like
Replying to @andreasdotorg
Sry then^^ difficult to tell, as it highly depends on how your bearer token is implemented. I assume whitelisting specific domains is not an option?
3 replies 0 retweets 1 like
Replying to @insertScript
And whitelisting is inconvenient in a lot of cases (JS caller in a local file, some test on the CI/CD system, etc.).
1 reply 0 retweets 1 like
Replying to @andreasdotorg
Based on limited info and characters^^: the whitelisting helps to know the origins which are allowed to have a valid bearer token (e.g. XSS).
2 replies 0 retweets 1 like
Anyone who has a valid bearer token is a valid caller, because the only way to get one is to call the login API with valid credentials.
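As an added illustration (not code from anyone in the thread), a small Python preflight evaluator contrasting the two options discussed: the wildcard policy, which browsers only accept without credentials, so a bearer header is never attached automatically and must be set by script that already holds the token, versus an origin allowlist, which additionally limits which origins may use a valid token at all. All names are assumptions.

```python
"""CORS preflight decision for a bearer-token API (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Request headers that do not trigger a preflight on their own (assumed subset).
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}


@dataclass
class CorsPolicy:
    allowed_origins: Optional[frozenset] = None          # None means "*"
    allow_credentials: bool = False                      # cookies / HTTP auth
    allowed_headers: frozenset = field(
        default_factory=lambda: frozenset({"authorization", "content-type"}))


def needs_preflight(method: str, headers: Iterable[str]) -> bool:
    """A custom Authorization header always forces an OPTIONS preflight."""
    if method not in ("GET", "HEAD", "POST"):
        return True
    return any(h.lower() not in SAFELISTED for h in headers)


def preflight_response(policy: CorsPolicy, origin: str, method: str,
                       requested_headers: Iterable[str]) -> Dict[str, str]:
    """Return the CORS response headers, or {} when the request is denied."""
    requested = [h.lower() for h in requested_headers]
    if policy.allowed_origins is None:
        if policy.allow_credentials:
            # Browsers reject '*' together with credentials, which is exactly
            # why a wildcard can never expose cookie-authenticated responses.
            raise ValueError("'*' cannot be combined with Allow-Credentials")
        allow_origin = "*"
    elif origin in policy.allowed_origins:
        allow_origin = origin
    else:
        return {}
    if any(h not in policy.allowed_headers and h not in SAFELISTED for h in requested):
        return {}
    out = {"Access-Control-Allow-Origin": allow_origin,
           "Access-Control-Allow-Methods": method,
           "Access-Control-Allow-Headers": ", ".join(requested)}
    if policy.allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    if allow_origin != "*":
        out["Vary"] = "Origin"   # per-origin answers must not be cached across origins
    return out
```

With the wildcard policy any origin passes preflight, but the response carries no credentials; with the allowlist the same request from an unlisted origin gets no CORS headers, so the browser blocks the script from reading it.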