Grigory Titov
CORS and CSRF/XSS protection

Web API integrations are convenient, but they are also a potential source of vulnerabilities. We provide full support for CORS (Cross-Origin Resource Sharing), as well as protection mechanisms against cross-site request forgery (CSRF) and malicious JavaScript injection (XSS).

These measures are especially important when working with browser clients, frontends, dashboards and third-party integrations.


What is implemented

Mechanism                       Purpose and benefits
CORS settings                   Restrict API access to trusted domains only
CSRF tokens                     Verify the legitimacy of POST/PUT requests sent from the browser
SameSite cookies                Block cookies from being sent with unauthorized cross-site requests
XSS filtering                   Sanitize input and protect against script injection
Content Security Policy (CSP)   Control which script and resource sources are allowed

How it works

1. Configure the list of trusted origins (returned in 'Access-Control-Allow-Origin')

2. Cross-origin requests go through a CORS preflight (OPTIONS) whose headers are validated against that list

3. Forms carry a CSRF token that is verified on the server

4. All input data is filtered and escaped against XSS

5. CSP restricts script execution to authorized sources only


API and frontend benefits

Prevents theft of data and tokens through third-party sites

Safe operation with browsers, SPAs and third-party integrations

Flexible configuration of allowed origins, methods and headers

Protects sessions and authorization from tampering or hijacking

Increases user and auditor confidence in your API


Where it is especially important

Web applications that call APIs from the browser

Dashboards, user accounts and admin panels

Single-page applications and frontends built with React, Vue or Angular

Platforms using custom tokens or cookie-based authorization


CORS, CSRF and XSS protection are the foundation of front-end security when working with APIs. We provide strong protection and flexible configuration to keep your integrations both functional and secure.
