
docs: warn against combining origin: true with credentials: true #423

Open. AchieverSana wants to merge 1 commit into expressjs:master from AchieverSana:patch-1

@AchieverSana


Adds a note near the configuration options warning that origin: true + credentials: true allows any origin to make credentialed requests, since origin: true reflects the request's Origin header rather than restricting it. Closes #422

@AchieverSana


Hi! This adds a warning for the origin: true + credentials: true combination that's a common security footgun. Happy to adjust the wording if needed.
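
An added example, not part of this PR or the cors package's own code: a simplified model of the header behaviour described above, showing the risky options beside an explicit origin list, plus a small check that flags the combination. The function names and the example.com / example.net origins are constructed for illustration.

```javascript
// Simplified model of the header logic this PR describes; not the cors package's source.
function corsHeaders(options, requestOrigin) {
  const headers = {};
  let allowed = null;
  if (options.origin === true) {
    allowed = requestOrigin; // reflects the caller's Origin header, no restriction
  } else if (Array.isArray(options.origin)) {
    allowed = options.origin.includes(requestOrigin) ? requestOrigin : null;
  } else if (typeof options.origin === 'string') {
    allowed = options.origin; // one fixed origin (or '*')
  }
  if (allowed) {
    headers['Access-Control-Allow-Origin'] = allowed;
    if (allowed !== '*') headers['Vary'] = 'Origin';
  }
  if (options.credentials === true) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Fetch rule for credentialed requests: a page may read the response only when
// Access-Control-Allow-Origin equals its own origin exactly ('*' is rejected)
// and Access-Control-Allow-Credentials is 'true'.
function credentialedReadAllowed(headers, pageOrigin) {
  return headers['Access-Control-Allow-Origin'] === pageOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// Config check a reviewer or CI step could run over cors option objects.
function auditCorsOptions(options) {
  const findings = [];
  if (options.origin === true && options.credentials === true) {
    findings.push('origin: true with credentials: true allows any origin to make ' +
      'credentialed requests; list the trusted origins explicitly');
  }
  return findings;
}

// Constructed sample configurations and origins.
const weak = { origin: true, credentials: true };
const hardened = { origin: ['https://app.example.com'], credentials: true };

function demo() {
  return ['https://app.example.com', 'https://untrusted.example.net'].map((o) => ({
    origin: o,
    weak: credentialedReadAllowed(corsHeaders(weak, o), o),
    hardened: credentialedReadAllowed(corsHeaders(hardened, o), o),
  }));
}
console.log(demo(), auditCorsOptions(weak));
```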


Successfully merging this pull request may close these issues.

Add a note in the docs about origin: true and credentials: true being dangerous
