Is Access-Control-Allow-Origin: * safe?
For public APIs without credentials, yes. For APIs with credentials (cookies, auth), no. Use the specific origin instead. The wildcard allows any website to make requests, which can be a security risk for authenticated APIs.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in CORS Security Best Practices
const allowedOrigins = ['https://myapp.com', 'https://admin.myapp.com']; if (allowedOrigins.includes(req.headers.origin)) res.header('Access-Control-Allow-Origin', req.headers.origin);
No. Only allow the methods you actually use. If your API only uses GET and POST, do not include PUT, DELETE, PATCH. This reduces the attack surface.
A header that tells the browser how long to cache the preflight result. Setting it to 3600 (1 hour) means the browser does not send a new OPTIONS request for that URL for 1 hour, reducing overhead.
Still have questions?
Browse all our FAQs or reach out to our support team
