Oct 20th, 2016

The Node Security project just released an advisory about the CORS implementation in Sails.

tl;dr: If you are using CORS in your Sails app, review your configuration to be sure it is secure.

If your app has a vulnerable CORS configuration (origin set to '*' while credentials is true, which lets any site a logged-in user visits make authenticated cross-origin requests to your app and read the responses), there are two ways to resolve it:

  1. Either replace origin: '*' with a specific set of whitelisted domains
  2. Or set credentials: false
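The two fixes side by side, plus a small check you can run over your own config before lifting, as an added example that is not from the Sails project or the original post. It assumes the Sails 0.12 config/cors.js keys (allRoutes, origin, credentials, methods, headers), the object form of per-route cors overrides, and made-up hostnames under example.com; the allowOriginHeader function is an illustration of how a server should answer, not Sails' own implementation.

```javascript
// Added example; not code from the Sails project or the original post.
// Assumes the Sails 0.12 `config/cors.js` shape ({ allRoutes, origin, credentials, ... })
// and illustrative hostnames under example.com.

// Vulnerable: every origin is allowed AND credentials (cookies, Authorization) are allowed.
const vulnerableCors = {
  allRoutes: true,
  origin: '*',
  credentials: true,
  methods: 'GET, POST, PUT, DELETE, OPTIONS, HEAD',
  headers: 'content-type',
};

// Fix 1: replace '*' with an explicit list of trusted origins (scheme + host), keep credentials.
const whitelistedCors = Object.assign({}, vulnerableCors, {
  origin: 'https://app.example.com, https://admin.example.com',
});

// Fix 2: keep '*' but turn credentials off (only acceptable for data that needs no login).
const publicCors = Object.assign({}, vulnerableCors, { credentials: false });

// Sails takes a comma-separated string of origins; an array is accepted here for convenience.
function parseOrigins(origin) {
  if (Array.isArray(origin)) return origin.map((o) => String(o).trim());
  if (typeof origin === 'string') {
    return origin.split(',').map((o) => o.trim()).filter(Boolean);
  }
  return [];
}

// The advisory's condition: wildcard origin combined with credentials.
function isVulnerableCors(cfg) {
  return parseOrigins(cfg.origin).includes('*') && cfg.credentials === true;
}

// Audit the global block plus any per-route `cors` overrides (object form only; assumption).
// Route-level keys are merged over the global block, so a route that only sets
// `origin: '*'` still inherits `credentials: true` from config/cors.js.
// Returns human-readable findings; an empty array means nothing looked wrong.
function auditCors(corsConfig, routes) {
  const findings = [];
  if (isVulnerableCors(corsConfig)) {
    findings.push("config/cors.js: origin '*' with credentials: true");
  }
  for (const [route, target] of Object.entries(routes || {})) {
    const override = target && typeof target === 'object' ? target.cors : undefined;
    if (override && typeof override === 'object') {
      const effective = Object.assign({}, corsConfig, override);
      if (isVulnerableCors(effective)) {
        findings.push(`route ${route}: origin '*' with credentials: true`);
      }
    }
  }
  return findings;
}

// What a server should put in Access-Control-Allow-Origin for a given request Origin:
// an exact match from the whitelist, a literal '*' when credentials are off, or nothing.
// Browsers refuse a literal '*' together with credentials, so an implementation that
// wants both has to echo the request's Origin, which is exactly the unsafe behaviour;
// this function returns null rather than do that.
function allowOriginHeader(cfg, requestOrigin) {
  const origins = parseOrigins(cfg.origin);
  if (origins.includes('*')) {
    return cfg.credentials === true ? null : '*';
  }
  return origins.includes(requestOrigin) ? requestOrigin : null;
}

// Constructed sample routes: one route loosens origin to '*' without touching credentials.
const sampleRoutes = {
  'GET /api/status': { cors: { origin: '*' } },
  'POST /api/orders': { controller: 'OrderController', action: 'create' },
};

console.log('vulnerable config findings:', auditCors(vulnerableCors, {}));
console.log('whitelisted config findings:', auditCors(whitelistedCors, sampleRoutes));
console.log('public config findings:', auditCors(publicCors, sampleRoutes));
```

Run it against a copy of your own config/cors.js and config/routes.js; any finding is a route where a hostile page could send a credentialed request and read the response, so fix it with one of the two options above before lifting in production.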

See Concepts > Security > CORS in the Sails docs for more information on how CORS works, and how to use it.

Note that you don’t necessarily need to upgrade to v0.12.7 — although if possible, it’s a very good idea. As of 0.12.7, Sails will log a warning if you lift your app in production when vulnerable CORS settings are detected.

For more background on this advisory, see the relevant discussion on GitHub. Big thanks to Evan Johnson, @irond13, Scott Gress, and Nick Starke for all their help!

Written by

We make Sails work and things work with Sails.
