Do I need to activate CORS on my API's server (i.e. return appropriate header in response) if the client connecting to it already provides Basic Auth information?

After lots of googling, the relation between CORS and Basic Auth from the client is still not clear to me (if there is any relation...).

Does it make sense to have to enable CORS on the server if it already requires Basic Auth from client?

Is Basic Auth supposed to "by-pass" CORS, meaning the server shouldn't have to provide CORS headers as the request from the client is authenticated?

Are CORS and Basic Auth not related at all?

Thanks!

Nicolas

1 Answer

Do I need to activate CORS on my API's server (i.e. return appropriate header in response) if the client connecting to it already provides Basic Auth information?

Yes (assuming you want to allow cross-origin requests).

Auth is there to make sure that when Alice's browser requests some data from Bob's website, Alice is authorised to get that data.

The Same Origin Policy stops Mallory's website from using JavaScript to make Alice's browser request that data from Bob's website and then pass it back to Mallory without Alice knowing.

CORS lets you selectively disable the Same Origin Policy so that Mallory's website can be given permission to get that data.

Are CORS and Basic Auth not related at all?

Correct. They are not.


Quentin
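
The two checks described in the answer above, side by side in one request handler. This is an added example, not code from the question or the answer; the origin `https://app.example`, the credentials `alice:s3cret`, and the names `handle`, `authOk` and `corsHeaders` are all constructed for illustration.

```javascript
// Added example: Basic Auth and CORS as two independent checks on one API.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed value
const EXPECTED = "Basic " + Buffer.from("alice:s3cret").toString("base64"); // constructed credentials

// Auth check: is the caller allowed to get the data? Compared without early exit.
function authOk(header) {
  const got = Buffer.from(String(header ?? ""));
  const want = Buffer.from(EXPECTED);
  let diff = got.length ^ want.length;
  for (let i = 0; i < want.length; i++) diff |= (got[i] ?? 0) ^ want[i];
  return diff === 0;
}

// CORS headers: which other origins may have their JavaScript read the response?
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // browser keeps Same Origin Policy in force
  return {
    "Access-Control-Allow-Origin": origin, // "*" is not accepted for credentialed requests
    "Access-Control-Allow-Credentials": "true", // needed when the browser attaches the credentials
    "Access-Control-Allow-Headers": "Authorization", // lets a script send the header itself
    "Vary": "Origin",
  };
}

// req: { method, headers } with lower-case header names, as Node's http module provides.
function handle(req) {
  const headers = corsHeaders(req.headers.origin);
  // Browsers send preflight requests without credentials, so answer before the auth check.
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    return { status: 204, headers, body: "" };
  }
  if (!authOk(req.headers.authorization)) {
    headers["WWW-Authenticate"] = 'Basic realm="api"';
    return { status: 401, headers, body: "" };
  }
  return { status: 200, headers, body: JSON.stringify({ data: "for alice" }) };
}
```

A request from an origin outside the allow-list with valid credentials still gets a 200 from the server, but without `Access-Control-Allow-Origin` the browser refuses to hand the body to that origin's script.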