Browsers are in control of setting the Origin
header, and users can't override this value. So you won't see the Origin
header spoofed from a browser. A malicious user could craft a curl request that manually sets the Origin
header, but this request would come from outside a browser, and may not have browser-specific info (such as cookies).
Remember: CORS is not security. Do not rely on CORS to secure your site. If you are serving protected data, use cookies or OAuth tokens or something other than the Origin
header to secure that data. The Access-Control-Allow-Origin
header in CORS only dictates which origins should be allowed to make cross-origin requests. Don't rely on it for anything more.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…