Can CORS prevent CSRF attacks?
No. CORS is about allowing cross-origin requests, not preventing them. CSRF prevention requires other measures: SameSite cookies, CSRF tokens, or checking the Origin/Referer header on the server.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in CORS Security Best Practices
For public APIs without credentials, yes. For APIs with credentials (cookies, auth), no. Use the specific origin instead. The wildcard allows any website to make requests, which can be a security risk for authenticated APIs.
const allowedOrigins = ['https://myapp.com', 'https://admin.myapp.com']; if (allowedOrigins.includes(req.headers.origin)) res.header('Access-Control-Allow-Origin', req.headers.origin);
No. Only allow the methods you actually use. If your API only uses GET and POST, do not include PUT, DELETE, PATCH. This reduces the attack surface.
Still have questions?
Browse all our FAQs or reach out to our support team
