Require that every browser-facing API sets a deliberate, least-privilege CORS policy, so I want explicit allowed origins, methods, and headers rather than a lazy wildcard slapped on to make an error go away. I care about this because CORS is a security boundary, and a careless Access-Control-Allow-Origin of star, especially paired with credentials, quietly hands your API to any website that wants to ride a user's session. Name the origins you actually trust, scope the allowed methods and headers to what your clients really use, and treat any loosening of the policy as a decision that gets reviewed. Define it in the contract and enforce it at the gateway so browser access is intentional, not accidental.
CORS (Security)
Strategies
API Data Is Classified and Protected
All data exposed through APIs must be classified by sensitivity level, with appropriate protections applied based on classification, ensuring that PII, financial data, and other sensitive informati...
Experiences
Security
API security is a top priority for any enterprise, with even higher standards for externally available APIs. However, security doesn’t end with the APIs an enterprise produces—it also applies to co...
Access
Gaining the necessary access to effectively use an API is often more challenging than it appears. Intentional and unintentional barriers can create friction in discovering and onboarding with an AP...
Trust
Establish trust with API consumers will evolve and build over time, and is something that can be lost in a very short period of time. Trust will depend on other experiences like quality and reliabi...
Lifecycle
security Security Production
Security runs through every stop on this lifecycle, but it also deserves its own attention. OWASP alignment, vulnerability scanning, and defense in depth protect both the provider and the consumer....
balance Governance Production
Governance is how everything on this lifecycle stays aligned as an operation scales. Policies, rules, and standards applied consistently across teams are what keep APIs coherent without slowing eve...