When to choose: CORS vs DPOP?

Time:11-19

While CORS and DPoP are very different mechanisms, don't they effectively do the same thing?

i.e. prevent unauthorized access to a resource server?

Why choose one over the other?

CodePudding user response:

CORS does not prevent anything. It's used to selectively reduce security and allow servers to tell clients on other origins which requests they are allowed to make.

DPoP is a way for a client to prove that they hold a private key when authenticating with OAuth2, without disclosing the key.

They are completely different mechanisms, and mostly unrelated. Lots of security features ultimately help prevent things from being "stolen", but you can't cafeteria-style pick the security feature you like. Chances are you need to be aware of all of them. Most are complementary, and the ones that are redundant are typically still used anyway (see 'Security in Depth').

CodePudding user response:

No, the outcome of these two is not the same. CORS does not "prevent unauthorized access to a resource server". Thanks to CORS you might block some unwanted access from malicious code that is running in a browser on a domain that you didn't authorize to call you. Still, CORS relies on the browser to block any requests/responses that do not follow your CORS policies. Anyone can still call your endpoints bypassing the browser and having CORS configured won't stop them from doing so. With DPoP you authenticate the caller, so you can authorize access to your endpoints.
