
I just checked our new website back-end code, and I found this:

// CORS: the default policy accepts requests from every origin, with any method and any header.
services.AddCors(o => o.AddDefaultPolicy(builder =>
{
    builder.AllowAnyOrigin()
           .AllowAnyMethod()
           .AllowAnyHeader();
}));

// Authentication: JWT bearer tokens validated against values from configuration.
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = Configuration["Jwt:Issuer"],   //--> AppSetting.Json
        ValidAudience = Configuration["Jwt:Issuer"], //--> AppSetting.Json
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Key"]))
    };
});

Is it safe or not? Is user authentication enough if AllowAnyOrigin is set?

jps
allpacka

1 Answer


Short answer: no

Long answer: What are the security risks of setting Access-Control-Allow-Origin?

Epic Martijn
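As an added example, not code from the asker or the answerer, here is the same ConfigureServices wiring with the CORS policy narrowed to an explicit origin allow-list instead of AllowAnyOrigin(); the configuration keys Cors:AllowedOrigins and Jwt:Audience are assumed, the rest mirrors the question.

```csharp
// Added example: CORS restricted to configured origins, JWT audience validated
// against its own key. Assumed config keys: "Cors:AllowedOrigins" (string array),
// "Jwt:Issuer", "Jwt:Audience", "Jwt:Key".
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Read the allow-list once and fail fast if it is missing, rather than
        // silently ending up with an open policy.
        string[] allowedOrigins = Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>()
            ?? throw new InvalidOperationException("Cors:AllowedOrigins is not configured");

        services.AddCors(o => o.AddDefaultPolicy(builder =>
        {
            builder.WithOrigins(allowedOrigins)              // exact scheme://host[:port] matches
                   .WithMethods("GET", "POST")               // only what the front end uses
                   .WithHeaders("Authorization", "Content-Type");
            // No AllowCredentials(): the bearer token travels in the Authorization
            // header, so the browser never needs to attach cookies to these calls.
        }));

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidIssuer = Configuration["Jwt:Issuer"],
                    ValidAudience = Configuration["Jwt:Audience"], // own key, not Jwt:Issuer
                    IssuerSigningKey = new SymmetricSecurityKey(
                        Encoding.UTF8.GetBytes(Configuration["Jwt:Key"]))
                };
            });
    }
}
```

The policy only takes effect once app.UseCors() is placed in the middleware pipeline between UseRouting() and UseAuthentication().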