CORS as standard on API servers?


Andrew B

Feb 2, 2017, 5:53:57 PM2/2/17
to API Craft
Is it a good practice to always add CORS headers to APIs that we serve?

It seems like we should, if we ever envisage requests coming from ajax (which we do).

And if so, would people typically do it just for GET and POST, or for all methods (i.e. where the complex pre-flight malarkey is needed, which makes supporting CORS that much harder)?

Carl Sutherland

Feb 3, 2017, 5:24:02 PM2/3/17
to API Craft
Hey Andrew!

We've been kicking around the same idea recently, too. In our case, we landed on one good reason not to —

With a lot of our services, it does make sense for API clients to want to perform certain actions from a browser. But the API keys themselves are often privileged, and shouldn't be lying around on the client side. Eventually, we plan to have a "public" API to wrap up the common services API clients want to use from a browser, with a "public" authentication mechanism — for that we'll enable CORS generally.

For request methods other than GET, POST and HEAD, that pre-flight malarkey should be all wrapped up in libraries. The tricky part, IIRC, is support in older browsers.

-c

Dan Tripp

Feb 4, 2017, 11:34:45 AM2/4/17
to API Craft
We decided to make it configurable, down to the per-client level. Default is no CORS. Our business is currently deciding if we will turn it on for all or perhaps only for select clients, who will pay more for the privilege.

- Dan

Andrew Braae

Feb 4, 2017, 5:42:07 PM2/4/17
to api-...@googlegroups.com
Thanks Carl, as it happens that's almost exactly our situation too. We have a small number of APIs that we wish to make public, hence there are no concerns about keys being held by the browser.


Victor Olex

Feb 20, 2017, 2:54:58 PM2/20/17
to API Craft
It is enabled by default in SlashDB and functions for all HTTP status codes, not only 2xx (important for sane development in the browser). It can be disabled, however.