Home > other >  When to choose: CORS vs DPOP?
When to choose: CORS vs DPOP?

Time:11-19

While CORS and DPOP very different mechanisms, don’t they effectively do the same thing?

i.e. prevent unauthorized access to a resource server?

Why choose one over the other?

CodePudding user response:

CORS does not prevent anything. It's used to selectively reduce security and allow servers to tell clients on other origins which requests they are allowed to make.

dPop is a way for a client to proof that they hold a private key when authenticating with OAuth2, without disclosing the key.

They are completely different mechanisms, and mostly unrelated. Lots of security features ultimately help prevent things from being "stolen", but you can't cafeteria-style pick the security feature you like. Chances are you need to be aware of all of them. Most are complimentary and the ones that are redundant are typically still used anyway (see 'Security in Depth')

CodePudding user response:

No, the outcome of these two is not the same. CORS does not "prevent unauthorized access to a resource server". Thanks to CORS you might block some unwanted access from malicious code that is running in a browser on a domain that you didn't authorize to call you. Still, CORS relies on the browser to block any requests/responses that do not follow your CORS policies. Anyone can still call your endpoints bypassing the browser and having CORS configured won't stop them from doing so. With DPoP you authenticate the caller, so you can authorize access to your endpoints.

Page link:https//www.codepudding.com/other/614979.html

Prev:Laravel - How can i set the Auth::attempt to a user if i only have a JWT token with the email and th
Next:Why does gunicorn need to restart so often in my gcloud appengine app?
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding