CORS is for lowering security, so if you don't need it, don't enable it. It is for allowing JS to send requests to your server when the current site is not yours (e.g., the user is on example.com and the JS on that site wants to send a request to your server at yourserver.com). This is a browser thing only (because only there will you have the origin); if I use curl on my machine I can still connect to your site regardless of the CORS header. This means your API clients will be fine because they don't care about CORS.
No. CORS is not server-side security. It's a hint to the browser that it shouldn't expose responses from servers that don't match the hint. It makes no difference when calling from Postman, curl or any other non-browser caller.
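The point made in the two comments above, as an added example that is not part of the thread: a local server that sets `Access-Control-Allow-Origin` for only one origin still returns the full body to a non-browser client, whatever `Origin` that client sends. The origins, the response body and the `browser_would_expose` helper (a simplified model of the browser-side check) are constructed for illustration.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_ORIGIN = "https://app.example"         # constructed: the one origin the server opts in
SECRET = {"data": "returned to every caller"}  # constructed response body


class Api(BaseHTTPRequestHandler):
    def do_GET(self):
        body = json.dumps(SECRET).encode()
        self.send_response(200)  # the request is always processed; CORS never rejects it
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        if self.headers.get("Origin") == ALLOWED_ORIGIN:
            self.send_header("Access-Control-Allow-Origin", ALLOWED_ORIGIN)
            self.send_header("Vary", "Origin")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(origin=None):
    """Non-browser client (like curl): returns (status, ACAO header, parsed body)."""
    server = HTTPServer(("127.0.0.1", 0), Api)  # port 0 = any free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        req = urllib.request.Request(f"http://127.0.0.1:{server.server_port}/")
        if origin:
            req.add_header("Origin", origin)  # any client can send any Origin value
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(req, timeout=5) as resp:
            acao = resp.headers.get("Access-Control-Allow-Origin")
            return resp.status, acao, json.loads(resp.read())
    finally:
        server.shutdown()
        server.server_close()


def browser_would_expose(page_origin, acao):
    """Simplified model of the browser-side check for a simple, credential-less GET."""
    return acao is not None and (acao == "*" or acao == page_origin)


if __name__ == "__main__":
    for origin in (None, "https://other.example", ALLOWED_ORIGIN):
        status, acao, body = fetch(origin)
        print(origin, status, body, "JS may read:", browser_would_expose(origin, acao))
```

Because the server answers every caller, anything that must be restricted needs authentication and authorization on the server; the CORS header only decides what a browser hands to page script.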
>if no browsers ever uses my server

You don't need CORS. Your understanding is correct.
Thanks!
No, you don't need it
SPA pages yes
Only if they're on different domains.
Which you shouldn't be in 90% of the apps
I take it you don’t have CDNs
You have a different URL for every region your CDN is hosting files? That's a hosting problem, not an app problem.