Hey infosec twitter. I have an API that's protected with bearer auth. No cookies anywhere. Can I 'Access-Control-Allow-Origin: *' safely?
Replying to @andreasdotorg
For a Real Solution™, list the allowed origins in the token and evaluate in an interceptor on the resource server. If Origin not listed, 403
2 replies 0 retweets 0 likes
Replying to @ThatSMP @andreasdotorg
Authz server can have list of allowed origins per OAuth client. This also prevents leaking tokens between public clients.
1 reply 0 retweets 0 likes
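One way to implement the interceptor described in the two replies above (origin list carried in the token, issued per OAuth client by the authorization server, checked on the resource server, 403 if the Origin is not listed). This is an added example, not code posted by anyone in the thread; the HMAC-signed demo token, the `allowed_origins` claim name and the header-dict interface are assumptions made for illustration.

```python
"""Resource-server CORS interceptor driven by an allowed-origin claim in the
bearer token. Added example, not from the thread."""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. A real resource server verifies the authorization
# server's signature (e.g. a JWT checked against the issuer's public key).
DEMO_KEY = b"constructed-demo-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(client_id: str, allowed_origins: List[str]) -> str:
    """Stand-in for the authz server: the per-client origin list becomes a
    signed claim, so a token leaked to another client is rejected elsewhere."""
    claims = {"client_id": client_id, "allowed_origins": allowed_origins}
    payload = _b64url(json.dumps(claims).encode())
    sig = _b64url(hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, otherwise None."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad structure, bad base64, bad JSON
        return None
    if not isinstance(claims.get("allowed_origins"), list):
        return None
    return claims


def cors_interceptor(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Run before the handler. Returns (status, response headers); 200 means
    the request may proceed with the given CORS headers attached."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {}
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return 401, {}
    origin = headers.get("Origin")
    if origin is None:
        # No Origin header: same-origin or non-browser caller, CORS not in play.
        return 200, {}
    if origin not in claims["allowed_origins"]:
        return 403, {}
    # Echo the one allowed origin instead of "*" and mark the response as
    # origin-dependent so shared caches do not serve it to another origin.
    return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    tok = mint_demo_token("spa-client", ["https://app.example"])
    print(cors_interceptor({"Authorization": "Bearer " + tok,
                            "Origin": "https://app.example"}))
    print(cors_interceptor({"Authorization": "Bearer " + tok,
                            "Origin": "https://other.example"}))
```

The interceptor never answers with a wildcard: it either echoes the single origin the token was issued for or refuses, and it refuses before the handler sees the request, so the allowed-origin list set at the authorization server is what actually governs cross-origin reads.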
Replying to @ThatSMP
I don't have a list of allowed origins, and I'm not even sure why I would want to have one.
2:19 AM - 11 Oct 2017
0 replies 0 retweets 0 likes