SShortSingh.
Back to feed

Why teams keep misconfiguring CORS and how to fix it properly

0
·1 views

CORS (Cross-Origin Resource Sharing) is a browser-enforced security mechanism that controls which origins can read cross-origin API responses, and misconfiguring it — such as blindly setting Access-Control-Allow-Origin to wildcard — expands an application's attack surface rather than solving the underlying issue. The Same-Origin Policy (SOP) defines origin as the combination of scheme, host, and port, meaning even subtle differences like HTTP vs HTTPS or different subdomains are treated as separate origins. When developers disable or loosen CORS protections to silence console errors, they remove a critical layer that prevents malicious websites from reading sensitive responses on behalf of a victim user. Proper CORS configuration requires understanding preflight OPTIONS requests, the role of each HTTP header, and how backend frameworks like ASP.NET Core and edge layers like NGINX enforce these rules. Importantly, CORS does not replace authentication, authorization, or CSRF protection — it is one specific safeguard that must be configured deliberately alongside those other measures.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

How Bitrate, Resolution, and Codecs Shape Your Video Streaming Quality

A new explainer on media streaming clarifies the distinct roles of resolution and bitrate in determining video quality, noting that a high-resolution file can still look poor if encoded at a low bitrate. Codecs also play a critical role, with newer formats like H.265 and AV1 delivering comparable visual quality to H.264 while consuming significantly less bandwidth. To balance quality with varying internet speeds, streaming platforms encode video into multiple renditions — combinations of resolution and bitrate — listed in manifest files used by HLS and DASH protocols. An adaptive bitrate streaming (ABR) player selects the appropriate rendition chunk by chunk based on the viewer's current network conditions and buffer health. This mechanism explains why a video may temporarily drop in quality during a slow connection before recovering, a deliberate design choice to prevent buffering.

0
ProgrammingDEV Community ·

Understanding Between-Study Heterogeneity in Meta-Analysis Research

Between-study heterogeneity refers to the degree to which true effect sizes vary across studies within a meta-analysis, and quantifying it is essential for interpreting pooled results reliably. Cochran's Q, a weighted sum of squared deviations from the summary effect, has traditionally been used to measure this variance, though it is sensitive to the number of studies and their precision. Because Q's significance depends heavily on a meta-analysis's size and statistical power, researchers are cautioned against relying on it alone. The I² statistic, derived directly from Cochran's Q, addresses some of these limitations by expressing heterogeneity as a percentage of total variability not attributable to sampling error. Together, these tools help analysts assess whether a pooled effect estimate is meaningful or obscured by excessive variation across studies.

0
ProgrammingDEV Community ·

Spec-Driven Development Offers a Control Framework for AI-Assisted Software Delivery

As AI tools can generate code, tests, and deployment configs within seconds, software teams face a deeper challenge: ensuring generated output actually matches intended system behaviour. Spec-driven development addresses this by keeping versioned specifications — covering contracts, domain rules, architecture decisions, and acceptance criteria — as the authoritative source of truth throughout the entire lifecycle. Unlike traditional delivery, where requirements disperse into code and pull-request comments, this approach requires every implementation decision to trace back to an agreed statement of intent. AI agents and engineers alike derive code, tests, and documentation from these durable specs, allowing generated output to be evaluated against stable, reviewable constraints. Human accountability is preserved at every approval boundary, with people remaining responsible for intent, risk acceptance, and trade-offs.

0
ProgrammingDEV Community ·

D-Band Co-Founders Launch DRM Tool to Automate and Safeguard Database Deployments

Alexey Levin and Eli Shohat, two database administrators with over 25 years of combined experience, have built DRM (Data Release Manager) to address recurring failures in manual database deployments. The tool was inspired by persistent production incidents — including scripts running out of order, duplicate executions, and environment mismatches — that existing solutions like Flyway, Liquibase, and CI/CD pipelines failed to fully prevent. A key incident at a client site, where a staging-approved script caused a four-hour production outage due to unanticipated data constraints, crystallized their decision to build a dedicated solution. DRM is a CLI tool supporting MSSQL, PostgreSQL, and Oracle that introduces a dry-run capability, allowing teams to preview exactly which scripts will execute — and in what order — before any changes touch production. The tool aims to treat database releases as a first-class operation with its own workflow, safety checks, and audit trail, rather than an afterthought of application deployment.