CORS (Cross-Origin Resource Sharing)
CORS (Cross-Origin Resource Sharing) is a security mechanism enforced by web browsers. By default the browser's same-origin policy stops a page from reading responses that come from a different origin than the one that served the page; CORS lets a server declare which origins are permitted to access its resources. Because the check runs in the browser, it does not restrict non-browser clients such as curl or server-side code.
Key Points about CORS
- CORS ensures that only allowed origins can read server responses from a web page.
- For requests that are not "simple" (for example a POST with a JSON body or a custom header), the browser first sends a pre-flight OPTIONS request to the server to verify permissions before making the actual request.
- CORS does not handle authentication or user roles; it only determines whether the cross-origin request is allowed to proceed.
Example: Stripe API
- A web page in the browser wants to make a POST request to Stripe's API.
- The browser first sends a pre-flight request to Stripe to check whether the page's origin is allowed to communicate with the API.
- Stripe responds with CORS headers specifying the allowed origins, headers, and methods.
- If the origin is allowed, the browser sends the actual request.
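The pre-flight exchange above, as an added example that is not part of the original notes and not Stripe's code: a framework-free CORS decision function for an HTTP server. It answers the OPTIONS pre-flight from an exact-match allowlist and omits the Access-Control-Allow-Origin header for any other origin so the browser blocks the page from reading the response. The origin values, the function names corsHeaders and insecureCorsHeaders, and the request shape { method, headers } are assumptions made for this example.

```javascript
// Added example (not from the original notes or from Stripe).
// Constructed allowlist: only these origins may call the API from a browser.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization"];

// Decide which CORS headers to emit for one request.
// req = { method, headers } with lowercase header names (assumed shape).
// Returns { status, headers }; status null means "continue to the real handler".
function corsHeaders(req) {
  const origin = req.headers["origin"];
  // Vary on Origin so caches never serve one origin's headers to another.
  const headers = { "Vary": "Origin" };

  // No Origin header: same-origin navigation or a non-browser client.
  // CORS does not apply; authentication still must.
  if (!origin) return { status: null, headers };

  // Exact-match allowlist. Never reflect an arbitrary Origin value back,
  // especially together with Allow-Credentials (see insecureCorsHeaders).
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Without Access-Control-Allow-Origin the browser refuses to expose the
    // response to the calling page; a pre-flight is rejected outright.
    return { status: req.method === "OPTIONS" ? 403 : null, headers };
  }

  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";

  const isPreflight =
    req.method === "OPTIONS" && !!req.headers["access-control-request-method"];
  if (isPreflight) {
    const wanted = req.headers["access-control-request-method"];
    if (!ALLOWED_METHODS.includes(wanted)) return { status: 403, headers };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // cache the pre-flight 10 min
    return { status: 204, headers };           // no body for a pre-flight
  }
  // Actual request from an allowed origin: let the handler run with headers set.
  return { status: null, headers };
}

// The weak setting, kept for contrast: reflecting whatever Origin arrives while
// allowing credentials lets any site read authenticated responses.
function insecureCorsHeaders(req) {
  return {
    status: null,
    headers: {
      "Access-Control-Allow-Origin": req.headers["origin"] || "*",
      "Access-Control-Allow-Credentials": "true",
    },
  };
}
```

corsHeaders is meant to run before routing: a 204 or 403 status is returned immediately, and a null status means the request continues to the normal handler, which still performs authentication. The insecure variant is shown only so the difference is visible when reviewing a server's configuration.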
Authentication vs. CORS
- CORS: Determines if a request is allowed to proceed.
- Authentication: Identifies the user, their role, and permissions.
Multi-Tenant Databases and Authentication
- A multi-tenant database stores data for all users (tenants) in a single database, typically distinguished by a tenant or user id column on each row.
- Authentication ensures:
  - User 1 can only access their data.
  - User 2 cannot see User 1's data.
- This is crucial for scoping queries and rights to the correct user: the tenant id must come from the authenticated session, never from a client-supplied parameter.
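The scoping rule above, as an added example that is not part of the original notes: every query against the shared table is built with the tenant id taken from the authenticated session as its first predicate, so a user's own filters can only narrow their tenant's rows. The table allowlist, the sample rows, the session shape { userId, tenantId } and the function names scopedQuery and visibleRows are assumptions made for this example.

```javascript
// Added example (not from the original notes): tenant scoping for a
// multi-tenant table. The session object is assumed to have been produced by
// authentication before any data access happens.
const TABLES = new Set(["invoices", "customers"]); // constructed table allowlist

// Constructed sample data: one shared table holding two tenants' rows.
const SAMPLE_ROWS = [
  { id: 1, tenant_id: "t1", status: "open", amount: 100 },
  { id: 2, tenant_id: "t1", status: "paid", amount: 250 },
  { id: 3, tenant_id: "t2", status: "open", amount: 75 },
];

// Build a parameterised SQL query ($1, $2, ...) whose first predicate is
// always tenant_id = <session tenant>. Table and column names cannot be bind
// parameters, so they are validated against an allowlist / strict pattern.
function scopedQuery(session, table, filters = {}) {
  if (!session || !session.tenantId) throw new Error("unauthenticated request");
  if (!TABLES.has(table)) throw new Error(`unknown table: ${table}`);
  const params = [session.tenantId];
  const where = ["tenant_id = $1"];
  for (const [column, value] of Object.entries(filters)) {
    if (!/^[a-z_][a-z0-9_]*$/.test(column)) throw new Error(`bad column: ${column}`);
    params.push(value);
    where.push(`${column} = $${params.length}`);
  }
  return { text: `SELECT * FROM ${table} WHERE ${where.join(" AND ")}`, params };
}

// In-memory stand-in for executing scopedQuery against the invoices table,
// so the effect can be seen without a database: rows of other tenants are
// excluded before any user-supplied filter is applied.
function visibleRows(rows, session, filters = {}) {
  const { params } = scopedQuery(session, "invoices", filters);
  const [tenantId, ...values] = params;
  const columns = Object.keys(filters);
  return rows.filter(
    (r) => r.tenant_id === tenantId && columns.every((c, i) => r[c] === values[i]),
  );
}
```

Because the tenant predicate is added by the query builder rather than by each caller, a handler that forgets to filter still cannot return another tenant's rows, and a request that carries someone else's id in its body or URL has no effect on what is returned.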