I am trying to make requests from a JavaScript client to a REST API built with Django REST framework. All GET requests to /api/test are public, so no session, token or whatever is needed. All POSTs to api/test are private and the user has to use OAuth2.
According to the documentation, I have to manage cross-origin requests with django-cors-headers. After installing this module in my Django project, I set
CORS_ORIGIN_ALLOW_ALL to True
but:
1) Is it good practice?
2) Is there a good solution to allow cross-origin requests only on some endpoints?
Thanks
With django-cors-headers you can restrict CORS origins with CORS_ORIGIN_WHITELIST and CORS_ORIGIN_REGEX_WHITELIST. If you don't need to allow arbitrary origins, then set those; otherwise, you're good.
You could, if you wanted to, write a decorator to check the origin in your views to see if it matches a desired origin (perhaps something set on whatever model is tracking which users are authorized for POST requests?). But if you're allowing GET requests from any arbitrary origin, and don't care where POST requests come from as long as they are authorized, then you're in the clear; after all, how can you restrict the origin if you don't know where clients might make requests from?