REST API CORS based security concerns
Hello,
My main domain is example.com and the Vanilla forum is hosted at the subdomain forums.example.com. I want to call the Vanilla forum REST API from my main domain. To do so, I added my main domain to the Trusted Domains in the Vanilla forum Security Settings, as mentioned in the link below. I am using HTTPS to access both the domain and the subdomain.
To access the Vanilla forum REST API from the main domain, I am planning to store the ACCESS TOKEN in a JavaScript cookie or variable.
I have several security concerns with the above approach, which are mentioned below.
- Is it safe to store the user ACCESS TOKEN in a JavaScript cookie or variable?
- Can my allowed domains be spoofed in the Origin header, which includes the domain in a request?
Please advise on it. Any kind of help will be greatly appreciated.
Thanks
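As an added example (not the poster's code and not Vanilla's own implementation), here is a server-side sketch in Python of how a Trusted Domains setting is enforced as an exact-origin allowlist, and why the fact that a non-browser client can put anything in Origin does not weaken it: Origin only decides whether a browser page may read the response, while the bearer token decides whether the request is authorized at all. TRUSTED_ORIGINS, VALID_TOKENS, the header names beyond the standard CORS ones, and the handle() pipeline are all constructed for illustration.

```python
"""Strict Origin allowlisting for a cross-site REST API, separated from
authorization. Constructed example; not the forum software's code."""
import hmac
from urllib.parse import urlsplit

# Constructed allowlist of full origins. A trusted *domain* list has to be
# expanded into exact origins (scheme + host [+ port]) because that is what a
# browser sends in Origin and compares against Access-Control-Allow-Origin.
TRUSTED_ORIGINS = frozenset({"https://example.com", "https://www.example.com"})

# Constructed token table standing in for the API's real token store.
VALID_TOKENS = {"tok_constructed_123": "alice"}


def canonical_origin(raw):
    """Normalise an Origin header value to 'scheme://host[:port]'.

    Returns None for anything a browser would never send as its own origin:
    empty, 'null', non-https, userinfo, a path/query/fragment, or a bad port.
    """
    if raw is None:
        return None
    value = raw.strip()
    if not value or value.lower() == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == 443:  # browsers omit the default port
        return f"https://{host}"
    return f"https://{host}:{port}"


def cors_headers(origin_header):
    """CORS response headers for one request, or {} when the origin is untrusted.

    Exact set membership is the whole check: no substring or suffix matching,
    so 'https://example.com.evil.net' and 'https://example.com@evil.net' fail.
    Echoing the *matched* origin together with 'Vary: Origin' lets several
    trusted origins share one cacheable endpoint without leaking the allowlist.
    """
    origin = canonical_origin(origin_header)
    if origin not in TRUSTED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, POST, PATCH, DELETE",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
    }


def authorize(headers):
    """Return the user for a valid 'Authorization: Bearer <token>', else None.

    This runs independently of Origin. A curl-style client can send any Origin
    it likes, so Origin is input to the browser's same-origin policy, not proof
    of who is calling; the token is the credential and is compared in
    constant time.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    for known, user in VALID_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return user
    return None


def handle(headers):
    """Minimal request pipeline: (status, response headers, body)."""
    cors = cors_headers(headers.get("Origin"))
    user = authorize(headers)
    if user is None:
        return 401, cors, {"error": "invalid or missing token"}
    return 200, cors, {"user": user}


if __name__ == "__main__":
    print(handle({"Origin": "https://example.com",
                  "Authorization": "Bearer tok_constructed_123"}))
    print(handle({"Origin": "https://example.com.evil.net",
                  "Authorization": "Bearer tok_constructed_123"}))
```

A spoofed Origin from a trusted value still gets a 200 when the token is valid, because the token, not the Origin, is what authorized it; what the allowlist prevents is a page on an untrusted origin reading the response inside a victim's browser. That is why the place the token lives in the page matters more than the Origin check for the first question.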