In a Rails API x Next.js configuration, we plan to use session cookies to manage login status.
In this case, is setting up CORS on the Rails API alone enough as a CSRF countermeasure?
If CORS is set up, it will block requests from malicious external sites (different origins), so I wonder whether forged requests using session cookies are even possible.
I would appreciate it if anyone who knows more about this could let me know.
CORS is not a countermeasure against CSRF (or what CORS is not):
https://qiita.com/netebakari/items/41baa7e1d0b8d89f9d12
CORS is not intended to prevent a user's browser from sending unintended requests, but to prevent malicious JavaScript from reading the returned values. The request itself can be sent as many times as the attacker likes, so CSRF cannot be prevented without server-side validation.
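The server-side check the answer refers to, as an added example in plain Ruby (not code from the question, the answer, or the linked article): a synchronizer token bound to the session is validated together with the Origin header, so a cross-site POST that the browser sends with the session cookie attached is rejected even though CORS would only hide its response. The front-end origin, the cookie name and the request hash shape are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Assumptions: the Next.js front-end is served from this origin, and the API
# holds a per-process secret for minting tokens.
ALLOWED_ORIGINS = %w[https://app.example.test].freeze
CSRF_SECRET = SecureRandom.hex(32)
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Synchronizer token: an HMAC over the session id. The API hands it to the
# front-end after login; the front-end echoes it in a header on every
# state-changing request. A cross-site page cannot read it (that is what
# CORS actually guarantees), so it cannot include it in a forged request.
def csrf_token_for(session_id)
  OpenSSL::HMAC.hexdigest('SHA256', CSRF_SECRET, session_id)
end

# Constant-time comparison so token checks do not leak by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# `req` is a plain hash standing in for the Rack request:
# :method, :headers ('Origin', 'X-CSRF-Token') and :cookies.
# Returns [allowed?, reason]. Pre-login endpoints would need a pre-session
# token; that case is out of scope here.
def csrf_check(req)
  return [true, 'safe method'] if SAFE_METHODS.include?(req[:method])
  session_id = req[:cookies]['_session_id']
  return [false, 'no session'] unless session_id
  origin = req[:headers]['Origin']
  return [false, "origin #{origin.inspect} not allowed"] unless ALLOWED_ORIGINS.include?(origin)
  token = req[:headers]['X-CSRF-Token'].to_s
  return [false, 'bad csrf token'] unless secure_compare(token, csrf_token_for(session_id))
  [true, 'ok']
end

# Constructed sample requests. In both, the browser attaches the session cookie
# automatically; only the legitimate one carries the token and the right Origin.
SESSION_ID = 'sess-123'
LEGIT_REQUEST = { method: 'POST', cookies: { '_session_id' => SESSION_ID },
                  headers: { 'Origin' => 'https://app.example.test',
                             'X-CSRF-Token' => csrf_token_for(SESSION_ID) } }.freeze
FORGED_REQUEST = { method: 'POST', cookies: { '_session_id' => SESSION_ID },
                   headers: { 'Origin' => 'https://evil.example' } }.freeze

puts "legit:  #{csrf_check(LEGIT_REQUEST).inspect}"
puts "forged: #{csrf_check(FORGED_REQUEST).inspect}"
```

In Rails itself the equivalent is `protect_from_forgery` plus an endpoint that exposes the token to the Next.js front-end; the point is the same: the check lives on the server, not in the CORS policy.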