Learn whether Cross-Origin Resource Sharing (CORS) is important for your API, and how browsers enforce the same-origin policy.
- [Narrator] Another security concern you may come across when building your API is dealing with CORS or Cross-Origin Resource Sharing. Not all APIs need to worry about CORS. You only need to think about CORS if your API is accessed by browsers as opposed to other types of API clients. This is true for APIs that power single page apps where the single page app makes requests via JavaScript to your API backend. Even if this is the case, you still won't need to worry about CORS unless your API is hosted on a separate domain from the rest of your app.
A common example is loading your single page app assets from example.com but hosting your API backend on api.example.com. If both of these are true, you'll need to add a CORS policy to your API. To understand why we need CORS, let's take a look at how browsers work. Modern browsers enforce a security feature called the Same-Origin Policy. Browsers define the origin of a page as the combination of the scheme, host, and port portions of the URL.
Two pages or locations have the same origin if these three values match exactly. Let's say that a script on your page running on example.com tries to make an HTTP call to an API that's also available on example.com. In this case, the browser will allow the request because the origins match exactly. However, if your page is on example.com and your API is on api.example.com, the request will be blocked. The same is true if one is on HTTP and the other is on HTTPS.
If there's any difference in origin at all, the Same-Origin Policy will kick in and block the request. This is an important browser security feature but what if you actually want your API to be available on a different domain? That's where CORS comes in. CORS allows the server to explicitly whitelist certain origins and relax the browser Same-Origin Policy. If your server is configured for CORS, it will return some extra headers with each response. These headers whitelist certain origins, HTTP methods, headers, and other elements of the request.
The browser looks at this information from the server to determine whether a request should be allowed. CORS requires support on both the server and the browser. The server controls the CORS responses that whitelists certain origins but it's up to the browser to enforce the Single-Origin Policy and take into account any CORS headers returned from the server. CORS is important when your API is serving cross-domain browser clients. But it's important to understand that other types of API clients that aren't browsers could choose to ignore your server's CORS headers.
If you've decided that you need to add CORS headers to your API, you'll need to do two things. First, you need to determine which origins to whitelist. This is the domain that you wanna make requests from. Then add the CORS middleware to your server code and configure it with the origin you need to allow. I'll show you how to do that next.
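The two steps just described, as an added example rather than the course's own code: a minimal ASP.NET Core API (assumed to be hosted at api.example.com) that registers a CORS policy allowing only the single-page app origin https://example.com, and the `/api/ping` endpoint is a placeholder chosen for this example.

```csharp
// Added example, not the course's code. Assumes the API runs at api.example.com
// and the single-page app is served from https://example.com.
var builder = WebApplication.CreateBuilder(args);

const string SpaPolicy = "AllowSpaOrigin";

builder.Services.AddCors(options =>
{
    options.AddPolicy(SpaPolicy, policy =>
        policy
            // Origins must match exactly (scheme + host + port), so http://example.com
            // or https://example.com:8443 would still be rejected by the browser.
            .WithOrigins("https://example.com")
            // Only whitelist the methods and request headers the SPA actually uses;
            // avoid AllowAnyOrigin/AllowAnyHeader unless you truly need them.
            .WithMethods("GET", "POST")
            .WithHeaders("Content-Type", "Authorization"));
});

var app = builder.Build();

// The CORS middleware must run before the endpoints so preflight (OPTIONS)
// requests and the Access-Control-* response headers are handled.
app.UseCors(SpaPolicy);

app.MapGet("/api/ping", () => Results.Ok(new { ok = true }));

app.Run();
```

With the app running, a request carrying `Origin: https://example.com` gets an `Access-Control-Allow-Origin: https://example.com` response header, while one from `https://evil.example` gets no CORS headers and is blocked by the browser. As the narration notes, a non-browser client (curl, a script) can still call the endpoint regardless, so CORS is not an access-control substitute for authentication.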