The Node Security project just released an advisory about the CORS implementation in Sails.
tldr; If you are using CORS in your Sails app, review your configuration to be sure it is secure.
If your app has vulnerable CORS configuration, there are two ways to resolve it:
- Either replace
origin: '*'with a specific set of whitelisted domains - Or set
credentials: false
See Concepts > Security > CORS in the Sails docs for more information on how CORS works, and how to use it.
Note that you don’t necessarily need to upgrade to v0.12.7 — although if possible, it’s a very good idea. As of 0.12.7, Sails will log a warning if you lift your app in production when vulnerable CORS settings are detected.
For more background on this advisory, see the relevant discussion on GitHub. Big thanks to Evan Johnson, @irond13, Scott Gress, and Nick Starke for all their help!
