REST API CORS-based security concerns
My main domain is example.com and the Vanilla forum is hosted at the subdomain forums.example.com. I want to call the Vanilla forum REST API from my main domain. To do so, I added my main domain to the Trusted Domains in the Vanilla forum Security Settings, as mentioned in the link below. I am using HTTPS to access both the domain and the subdomain.
I have several security concerns with the above approach, which are listed below.
- Can my allowed domains be spoofed in the Origin header, which carries the requesting domain?
Please advise. Any kind of help will be greatly appreciated.
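An added illustration, not from the original post and not Vanilla's own code, of what a "trusted domains" setting has to do on the server side and what it cannot do. The allowlist, the function names, the toy token check and the probe origins are all assumptions for illustration. It compares the Origin header by exact match against the allowlist (scheme, host and port), shows beside it why a suffix match is unsafe, and models a handler in which a matching Origin is never treated as proof of who sent the request: browsers set Origin themselves and page scripts cannot change it, but any non-browser client can send whatever Origin it likes, so the API still authenticates every request on its own.

```javascript
// Added example (not Vanilla's code): what a "trusted domains" CORS check must do
// on the server, and what it cannot do. Names and the allowlist are assumptions.

// Trusted origins are full scheme://host[:port] strings compared verbatim.
const TRUSTED_ORIGINS = new Set([
  "https://example.com",
  "https://forums.example.com",
]);

// Exact-match allowlist. Returns the CORS headers to emit, or null when the
// Origin is untrusted (then emit no Access-Control-Allow-Origin at all; never
// fall back to "*" on an endpoint that accepts cookies or tokens).
function corsHeadersFor(origin) {
  if (typeof origin !== "string" || !TRUSTED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,       // reflect only an allowlisted value
    "Access-Control-Allow-Credentials": "true",  // session cookies may be sent cross-origin
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Vary": "Origin",                            // shared caches must key on Origin
  };
}

// Unsafe variant shown for contrast: a suffix test "looks" like a domain check
// but also admits attacker-registered hosts whose name merely ends the same way.
function unsafeSuffixAllowed(origin) {
  return typeof origin === "string" && origin.endsWith("example.com");
}

// Constructed sample credential for the toy handler below.
const VALID_TOKENS = new Set(["token-for-alice"]);

// Toy API handler. CORS is enforced by browsers, not by the server: a browser
// sets Origin itself and page scripts cannot change it, but curl or any script
// can send any Origin. A matching Origin therefore proves nothing about the
// caller, and every request is still authenticated on its own.
function handle(request) {
  const cors = corsHeadersFor(request.headers.origin) || {};
  if (request.method === "OPTIONS") {
    // Preflight: no credentials are needed to answer "may this origin ask?"
    return { status: 204, headers: cors };
  }
  const auth = request.headers.authorization || "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  if (!VALID_TOKENS.has(token)) {
    // CORS headers still go out so a browser page can read the 401.
    return { status: 401, headers: cors };
  }
  return { status: 200, headers: cors, body: "forum data" };
}

// Constructed probes: what each check decides for a range of Origin values.
function evaluateProbes() {
  const probes = [
    "https://example.com",              // the trusted main site
    "http://example.com",               // same host, wrong scheme: a different origin
    "https://example.com:8443",         // different port: a different origin
    "https://notexample.com",           // attacker-registered lookalike
    "https://example.com.attacker.net", // attacker subdomain
    "null",                             // sandboxed iframe or file:// page
  ];
  return probes.map((o) => ({
    origin: o,
    exact: corsHeadersFor(o) !== null,
    suffix: unsafeSuffixAllowed(o),
  }));
}
```

The last probe in `evaluateProbes` illustrates the answer to the Origin-spoofing worry: a forged `Origin: https://example.com` sent from curl with a valid token gets a 200 and the CORS headers, exactly as a real browser request would, because the server cannot tell the difference; a request from an untrusted origin with a valid token also gets a 200, only without `Access-Control-Allow-Origin`, so a browser would refuse to expose the response to the page. The trusted-domains list decides which browser pages may read responses; the session or token check decides who may act.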