0

We have currently enabled CORS on the server and have allowed only certain origins, headers and methods over CORS.

We are planning to allow all headers over CORS, i.e., set the EnableCorsAttribute.Headers to *.

Are there any security concerns/risks that I should be aware of?

Thanks

1 Answer

0

You shouldn't just use * as a cross domain, but for a different reason than you may think: not all browsers will by default allow the use of a wildcard (*), for security reasons, so you should just return the address of your incoming requests as allowed.

If you are providing a service that's open to the whole world, then that's what you should do; if not, just notice that you are open to the whole world.

Or Yaacov
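
To make the effect of the change asked about concrete, here is an added example (not code from the question or the answer, and not ASP.NET's implementation) that models a preflight decision under a simplified policy. The `CorsPolicy` class, the `preflight` function, the origins and the header names are all assumptions constructed for illustration; it shows that a header wildcard widens only which request headers pass, while the origin and method allowlists still decide who may call.

```python
# Added example: simplified model of a CORS preflight decision (constructed values).
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    origins: frozenset  # exact origins allowed to call the API
    methods: frozenset  # HTTP methods allowed cross-origin
    headers: frozenset  # lower-cased header names, or {"*"} for any


def preflight(policy, origin, method, requested_headers):
    """Return CORS response headers for an OPTIONS preflight.

    An empty dict means nothing is granted, so the browser blocks the call.
    """
    if origin not in policy.origins or method not in policy.methods:
        return {}
    wanted = [h.strip().lower() for h in requested_headers.split(",") if h.strip()]
    # The wildcard skips only this header check; origin and method were checked above.
    if "*" not in policy.headers and any(h not in policy.headers for h in wanted):
        return {}
    response = {
        "Access-Control-Allow-Origin": origin,  # echo the allowlisted origin
        "Access-Control-Allow-Methods": method,
        "Vary": "Origin",
    }
    if wanted:
        response["Access-Control-Allow-Headers"] = ", ".join(wanted)
    return response


APP = "https://app.example.com"  # constructed origin
strict = CorsPolicy(frozenset({APP}), frozenset({"GET", "POST"}),
                    frozenset({"content-type", "accept"}))
any_header = CorsPolicy(strict.origins, strict.methods, frozenset({"*"}))


def demo():
    req = "Content-Type, X-Debug-Token"  # constructed Access-Control-Request-Headers
    return {
        "strict": preflight(strict, APP, "POST", req),
        "any_header": preflight(any_header, APP, "POST", req),
        "any_header_other_origin": preflight(any_header, "https://other.example", "POST", req),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "blocked")
```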