Compatibility of the "Origin" http header for enforcing restrictions

Here's a list of compatible browsers and known issues. Now it's up to you if you can live with these limitations:

It's a valid concern. Someone could be using an older browser that doesn't fully support it. There might also be a bug in a beta version.

Also consider adding X-Frame-Options: SAMEORIGIN to your JSON API to prevent someone from including your site into an iframe.

Also consider prepending your returned JSON responses with special characters and manually strip them off in your JSON decoder. This is how Google does it: Why does Google prepend while(1); to their JSON responses?

Also consider, for extra, extra security, to include a nonce for each request, and sign the request to verify it came from your code instead of a phishing site. This is similar to how OAuth1.0 works. An alternative, is to generate a token for each session, which automatically expires, and to refresh the token when needed. This is how OAuth2.0 works. This allows invalidating access on demand, for example, if you find a bug, so old clients must upgrade.

CodeHunter

Compatibility of the "Origin" http header for enforcing restrictions

Recent Posts

How can I color dots in a xy scatterplot according to column value?

How to update a claim in ASP.NET Identity?

What does {0} mean when initializing an object?

Accessing members of items in a JSONArray with Java

How to log SQL statements in Spring Boot?

Powershell Get-WebSite name parameter is ignored

How to detect scroll to bottom of html element

Java synchronized method

How to test controllers with CodeIgniter?

Detect Visual Composer

Matplotlib: Specify format of floats for tick labels

Rails join a list of strings with commas and "and" before the last