Harden cross-domain policy
Right now, `Access-Control-Allow-Origin` is set to `*` (see https://github.com/ungdev/Gala-api/blob/master/server.js#L27). Thus, it allows any JavaScript code in any domain to perform requests to Gala-api, while there is no need for it. The `*` should be replaced by a trusted domain (`localhost` during development, etc).

In addition, the header `Vary: Origin` should be added to prevent any risky server-side caching.
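The change requested above, as an added example rather than code from the Gala-api repository: an allowlist of trusted origins, a function that decides whether to echo the request's `Origin` back in `Access-Control-Allow-Origin`, and an Express-style middleware wrapping it. The origin values are constructed placeholders, and the middleware shape (`req`, `res`, `next`) is assumed to match the project's Express server; nothing here depends on an external package.

```javascript
// Added example (not Gala-api's own code): allowlist-based CORS headers.
// Replace the entries below with the real front-end origins
// (scheme + host + port, no path). These values are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "http://localhost:3000",   // development front-end (assumed port)
  "https://gala.example",    // production front-end (placeholder)
]);

// Decide which CORS headers to send for a given request Origin.
// Returns null when the origin is missing or not in the allowlist: no
// Access-Control-Allow-Origin header is emitted, so the browser refuses to
// hand the response to the calling script.
function corsHeadersFor(origin, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || !allowedOrigins.has(origin)) {
    return null;
  }
  return {
    // Echo the matched origin exactly; never fall back to "*".
    "Access-Control-Allow-Origin": origin,
    // The response now depends on Origin, so shared caches must key on it;
    // otherwise a response tailored for one origin could be served to another.
    "Vary": "Origin",
  };
}

// Express-compatible middleware (assumed signature) built on corsHeadersFor.
function corsMiddleware(allowedOrigins = ALLOWED_ORIGINS) {
  return function cors(req, res, next) {
    // Vary: Origin on every path, including rejections, so a cache never pins
    // a header-less response and replays it for a trusted origin later.
    res.setHeader("Vary", "Origin");
    const headers = corsHeadersFor(req.headers.origin, allowedOrigins);
    if (headers) {
      for (const [name, value] of Object.entries(headers)) {
        res.setHeader(name, value);
      }
      if (req.method === "OPTIONS") {
        // Preflight from a trusted origin: answer without running the route.
        res.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE");
        res.setHeader("Access-Control-Allow-Headers", "Content-Type");
        res.statusCode = 204;
        res.end();
        return;
      }
    }
    next();
  };
}
```

In the project's `server.js` this would replace the `res.header("Access-Control-Allow-Origin", "*")` style call with `app.use(corsMiddleware())`. Keep the allowlist to exact origins: a suffix or substring match on the host lets an unrelated site that merely contains the trusted name pass the check.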
I'll look at it tonight. I must admit I don't know exactly what this parameter is for... Without it, though, I couldn't reach the server from the application. What should I replace it with?