
The infamous technology every backend developer fights. Well, not when using Kvarn (shameless self-promotion).

This is enabled by default in Kvarn. See below for more context.

Contents
1 About
2 Drawbacks

About

CORS stands for cross-origin resource sharing. As the name implies, it allows websites to use resources from other websites.

This is heavily used by larger websites to serve static content (e.g. images, video) from content delivery networks.

The protections CORS enforces are critical. Let’s say a malicious actor, Ted, wants to get money from you. In a world without CORS, Ted could issue a request from your browser to your bank and transfer money. CORS protects against this by telling the browser “if anyone tries to send you to any website but these listed, refuse”. This mainly helps against XSS attacks, where a hacker injects code into your front-end.

Drawbacks

When you have a legitimate reason to interact with other websites, you have to add them to the list of accepted sites. Here, you can specify which methods and headers are valid for sending to the third party.
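The following is an added example, not Kvarn's API or code from this page: a minimal server-side allow list that decides how to answer a browser's preflight request for a given origin, method and set of headers. The names `Allowed`, `AllowList`, `preflight` and `sample_policy`, and the origin `https://app.example.org`, are hypothetical.

```rust
use std::collections::HashMap;

/// What one accepted origin may send (hypothetical type, not Kvarn's API).
struct Allowed {
    methods: Vec<&'static str>,
    headers: Vec<&'static str>, // stored lowercase
}

/// Allow list keyed by exact origin (scheme://host[:port]).
struct AllowList(HashMap<&'static str, Allowed>);

impl AllowList {
    /// Evaluate a preflight (OPTIONS) request. Returns the response headers
    /// to send, or None when no permission should be granted.
    fn preflight(&self, origin: &str, method: &str, req_headers: &str) -> Option<Vec<(String, String)>> {
        // Exact match only: prefix or substring checks would also accept
        // look-alike origins such as https://app.example.org.evil.test.
        let rule = self.0.get(origin)?;
        // Access-Control-Request-Headers is a comma-separated, case-insensitive list.
        let all_ok = req_headers
            .split(',')
            .map(|h| h.trim().to_ascii_lowercase())
            .filter(|h| !h.is_empty())
            .all(|h| rule.headers.contains(&h.as_str()));
        if !rule.methods.contains(&method) || !all_ok {
            return None;
        }
        Some(vec![
            // Echo the one matched origin rather than "*", and mark the response as varying by it.
            ("access-control-allow-origin".into(), origin.into()),
            ("access-control-allow-methods".into(), rule.methods.join(", ")),
            ("access-control-allow-headers".into(), rule.headers.join(", ")),
            ("vary".into(), "origin".into()),
        ])
    }
}

/// Constructed sample policy: one accepted site that may GET and POST JSON.
fn sample_policy() -> AllowList {
    let mut m = HashMap::new();
    m.insert("https://app.example.org", Allowed { methods: vec!["GET", "POST"], headers: vec!["content-type"] });
    AllowList(m)
}

fn main() {
    let p = sample_policy();
    println!("{:?}", p.preflight("https://app.example.org", "POST", "Content-Type"));
    println!("{:?}", p.preflight("https://app.example.org.evil.test", "POST", ""));
}
```

Returning `None` means the response carries no `access-control-*` headers, so the browser blocks the cross-origin call.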