this post was submitted on 15 Dec 2024
36 points (100.0% liked)

Programming

17712 readers
24 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 2 years ago
MODERATORS
snowe
Ategon
[email protected]
36
I built a full-stack app, how should I host it? (self.programming)
submitted 2 weeks ago by echodrift to c/programming
8 comments fedilink hide all child comments
 

So basically I built a backend with some working endpoint and I built a React Frontend. I can run both things locally and I hosted the page on Cloudflare pages which is working. But now I’m wondering if that’s a good idea?

I have never done this before and I’m wondering if it’s secure enough to host the backend on some server and allow a CORS header to let the Frontend generate requests?

The alternative would be to host Frontend and backend on a VPS and then route my domain that I bought on Cloudflare there, but then I’m thinking that in case my Frontend is insecure somehow the whole instance would be compromised, no?

I hope this is the right platform to ask as I’m pretty new here.

you are viewing a single comment's thread
view the rest of the comments
[–] MajorHavoc 5 points 2 weeks ago

CORS is just an ask for browsers specifically to stop cross domain communication, it protects the users not you.

A minor point of clarification to this point.

CORS also provides substantial protection to the server admin against innocent users being manipulated into taking malicious actions.

So there is some value to the server admin as well.

Sure, any malicious actor can assault the back end directly, but often they have no ability to attack from a context of authenticated trust.

A CORS misconfiguration makes the system more vulnerable to attacks that manipulate legitimate users into taking malicious actions.

So a CORS misconfiguration can lead to malicious actions coming in through highly trusted contexts, which can sometimes be substantially more harmful that random unauthenticated attack spam.