
REST API CORS based security concerns


My main domain is example.com and the Vanilla forum is hosted at the subdomain forums.example.com. I want to call the Vanilla forum REST API from my main domain. To do so, I added my main domain to the Trusted Domains in the Vanilla forum Security Settings, as mentioned in the link below. I am using HTTPS to access both the domain and the subdomain.

To access the Vanilla forum REST API from the main domain, I am planning to store the ACCESS TOKEN in a JavaScript cookie or variable.

I have several security concerns with the above approach, which are listed below.

  1. Is it safe to store the user ACCESS TOKEN in a JavaScript cookie or variable?
  2. Can my allowed domains be spoofed in the Origin header, which includes the domain in a request?

Please advise on it. Any kind of help will be greatly appreciated.
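As an added example, not part of the original post and not Vanilla's own code, the snippet below shows a strict Origin allowlist check of the kind a "trusted domains" setting implies, and what that check can and cannot do: any non-browser client can put an allowed value in the Origin header, so the allowlist only controls which browser pages may read the response, while the bearer token is what actually authorizes the request. The origin list, the token store and the request handler are all constructed for the demo; nothing here is Vanilla's API.

```javascript
// Added example: a strict CORS allowlist plus a token check, in plain Node.js.
// Hypothetical values; replace with your own origins and real token validation.
const TRUSTED_ORIGINS = new Set([
  "https://example.com",
  "https://forums.example.com",
]);

// Compare the whole Origin string. A check like origin.endsWith("example.com")
// would also admit https://evilexample.com, and a scheme-less match would admit
// http://example.com, where a network attacker can inject script.
function isTrustedOrigin(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// CORS headers for a trusted origin, or null when the origin is not trusted.
// Without these headers a browser lets the request reach the server but blocks
// the calling page from reading the response; it is not a server-side guard.
function corsHeaders(origin) {
  if (!isTrustedOrigin(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,     // echo the single matching origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Vary": "Origin",                          // caches must not reuse this across origins
  };
}

// Constructed token store for the demo; a real API would validate against its
// token table or verify a signed token.
const VALID_TOKENS = new Set(["tok_demo_123"]);

// Minimal API handler. req = { method, headers } with lower-case header names.
// Authorization is decided by the bearer token only; the Origin header is
// attacker-controlled input and is used solely to build CORS headers.
function handleRequest(req) {
  const origin = req.headers["origin"];
  const cors = corsHeaders(origin) || {};

  if (req.method === "OPTIONS") {
    // Preflight: succeed only for trusted origins so the browser proceeds.
    const ok = Object.hasOwn(cors, "Access-Control-Allow-Origin");
    return { status: ok ? 204 : 403, headers: cors, body: "" };
  }

  const auth = req.headers["authorization"] || "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  if (!VALID_TOKENS.has(token)) {
    return { status: 401, headers: cors, body: "unauthorized" };
  }
  return { status: 200, headers: cors, body: '{"discussions":[]}' };
}

// Demo: a trusted Origin with a bad token is still refused (CORS is not auth),
// and an untrusted Origin with a valid token is served, but without CORS
// headers, so a browser page on that origin cannot read the body while a
// curl-style client, which never obeys CORS, reads it freely.
const spoofedOriginBadToken = handleRequest({
  method: "GET",
  headers: { origin: "https://example.com", authorization: "Bearer guess" },
});
const untrustedOriginGoodToken = handleRequest({
  method: "GET",
  headers: { origin: "https://attacker.example", authorization: "Bearer tok_demo_123" },
});
console.log(spoofedOriginBadToken.status);                                  // 401
console.log(untrustedOriginGoodToken.status,
  untrustedOriginGoodToken.headers["Access-Control-Allow-Origin"]);         // 200 undefined
```

Run it with `node`. The two demo calls make the practical point for the second question: yes, the Origin header can carry any value a client chooses, so the allowlist must never be treated as authentication; its job is to stop other sites' pages from reading your API through a logged-in user's browser, and the token must be validated on every request regardless of Origin.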

