Harden cross-domain policy
opened this issue · comments
Right now, Access-Control-Allow-Origin is set to * (see https://github.com/ungdev/Gala-api/blob/master/server.js#L27). Thus, it allows any JavaScript code in any domain to perform requests to Gala-api, while there is no need for it. The * should be replaced by a trusted domain (localhost during development, etc).
In addition, the header Vary: Origin should be added to prevent any risky sever-side caching.
Je regarde ça ce soir, je dois avouer que je ne sais pas exactement à quoi sert ce paramètre... Sans lui par contre je n'arrivais pas à contacter le serveur depuis l'application. Par quoi devrais-je remplacer ça ?