This page describes a number of configuration options to increase the security of your CXO-Cockpit application. Basic knowledge of .NET configuration files is required to apply these options.
...
It is possible to allow any origin by specifying the "*" string in the "Cross-Origin Resource Sharing (CORS): Allowed origins" field. This setting is strongly discouraged because it is an insecure configuration: it lets any website make cross-origin requests to the application. List the exact origins that need access instead.
- The "Cross-Origin Resource Sharing (CORS): Allow Credentials" setting should be left at its default value of false.
If you have a valid reason why the browser should send credentials (cookies, HTTP authentication, client certificates) with cross-origin requests, you can change the setting to true.
Please be aware that changing this setting to true is strongly discouraged because allowing cross-origin credentials is a security risk: a website on another domain can make requests to the app carrying a signed-in user's credentials, on the user's behalf and without the user's knowledge.
The CORS specification also states that setting allowed origins to "*" (all origins) is invalid if the Access-Control-Allow-Credentials header is present.
If you set "Cross-Origin Resource Sharing (CORS): Allow Credentials" to "true", make sure that "Cross-Origin Resource Sharing (CORS): Allowed origins" is not set to "*": browsers reject a credentialed response whose Access-Control-Allow-Origin header is "*", so those requests will fail. Use an explicit list of origins in that case.
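The following is an added example, not CXO-Cockpit code or part of the original page. It models the two sides of the behaviour described above: the browser's CORS check on a response (the rule that "*" is never accepted together with credentials), and a server-side header builder driven by a configuration object. The configuration shape (allowedOrigins, allowCredentials) and the sample origins are assumptions made for this example; the browser-check logic follows the Fetch standard's CORS check.

```javascript
// Added example (not from CXO-Cockpit): a model of the browser CORS check
// and of the response headers a configuration produces.
// Response headers are represented as a plain object with lowercase keys.

// Browser side: does the CORS check on a response succeed?
// Mirrors the Fetch standard: without credentials, "*" or an exact origin
// match is accepted; with credentials, "*" is rejected, the origin must
// match exactly and Access-Control-Allow-Credentials must be exactly "true".
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  const allowCreds = responseHeaders['access-control-allow-credentials'];
  if (allowOrigin === undefined) return false;        // no CORS header at all
  if (!withCredentials) {
    return allowOrigin === '*' || allowOrigin === requestOrigin;
  }
  if (allowOrigin === '*') return false;              // wildcard never valid with credentials
  if (allowOrigin !== requestOrigin) return false;
  return allowCreds === 'true';
}

// Server side: compute the CORS response headers from a configuration
// object { allowedOrigins: [...], allowCredentials: bool } (assumed shape).
// Only a listed origin is echoed back; anything else gets no CORS headers.
function buildCorsHeaders(config, requestOrigin) {
  const headers = {};
  if (config.allowedOrigins.includes('*')) {
    headers['access-control-allow-origin'] = '*';
  } else if (config.allowedOrigins.includes(requestOrigin)) {
    headers['access-control-allow-origin'] = requestOrigin;
    headers['vary'] = 'Origin';                      // response depends on Origin; do not cache across origins
  } else {
    return headers;
  }
  if (config.allowCredentials) {
    headers['access-control-allow-credentials'] = 'true';
  }
  return headers;
}

// Would a page at `origin` get access to the response under this config?
function simulate(config, origin, withCredentials) {
  return corsCheck(origin, withCredentials, buildCorsHeaders(config, origin));
}

// Static check of a configuration, returning the problems the text warns about.
function validateCorsConfig(config) {
  const problems = [];
  if (config.allowedOrigins.includes('*')) {
    problems.push('Allowed origins contains "*": any website may call the application');
    if (config.allowCredentials) {
      problems.push('"*" combined with Allow Credentials=true: browsers reject credentialed responses');
    }
  }
  if (config.allowCredentials) {
    problems.push('Allow Credentials=true: other domains can send requests carrying the user\'s credentials');
  }
  return problems;
}

// Constructed sample configurations for this example.
const insecureConfig = { allowedOrigins: ['*'], allowCredentials: true };
const safeConfig = { allowedOrigins: ['https://app.example'], allowCredentials: true };
console.log(validateCorsConfig(insecureConfig));
console.log(simulate(safeConfig, 'https://app.example', true),
            simulate(safeConfig, 'https://evil.example', true));
```

Running simulate with the wildcard configuration and withCredentials set to true returns false for every origin, which is the failure mode described above: the server answers, but the browser discards the response. With an explicit allow list and credentials enabled, only the listed origin succeeds, and an unlisted origin receives no CORS headers at all.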