Enabling CORS on an API

Question

We are currently developing an API to allow customers and resellers to purchase and manage our products.

Currently we don't have CORS enabled on the server. This prevents js, for example Angularjs, from being able to access the API.

I would like to get these headers enabled so customers can access our API via js in the browser.

What are the risks of implementing CORS on a wildcard to allow this on what essentially will be a public API? Does this make our API inherently more susceptible to abuse or anything?

Access-Control-Allow-Origin: *

Is there anything else I should consider when presenting the argument to our developers who are old school back end developers? Thanks.

Answer 1

Given:

• Alice, a person running a site
• Bob, a person who uses Alice's site
• Mallory, a person who runs a malicious site

If you enable global access to your API from the browser using CORS then:

If Bob can be tricked into visiting Mallory's website then Mallory's website can instruct Bob's browser to get data from Alice's website and give it to Mallory's website.

If Bob is logged in to Alice's website, then the browser will send any cookies needed to authenticate as Bob.

Mallory can then get access to any data on Alice's website that is supposed to be private to Alice and Bob (such as Bob's order history, medical records, or whatever else Alice's website is storing).

If the data available through the API consists only of public information, then there isn't a problem with making it globally accessible. If it contains personal data, then you need to think about using some secondary means of authentication.

Answer 2

If your API is public, I don't see any risk.. (and even if it was a private API with authentication) Simply put, people will be able to call it from their own domain.

But you can restrict it to a domain, you are not forced to use a wildcard.