Cross-origin resource sharing (CORS)

Some thoughts about security

• Exploiting CORS Misconfigurations

Testing whether CORS is enabled on your web-service

Testing a simple request:

curl -H "Origin: http://example.com" \
-X OPTIONS --verbose http://localhost:8090/your_api/your_method

Testing a pre-flight request:

curl -H "Origin: http://example.com" \
-H "Access-Control-Request-Method: POST" \
-H "Access-Control-Request-Headers: X-Requested-With" \
-X OPTIONS --verbose http://localhost:8090/your_api/your_method

If that request returns

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE

you're all set.