I have a REST API backed with Symfony 4.3 and NelmioCorsBundle for the CORS. I would like to understand if, by definition/best practice, it's correct that my security team requires me to respond to `OPTIONS` requests indicating the methods list (`Access-Control-Allow-Methods`) only with the methods that actually are meant to be used with the particular requested endpoint, instead of a complete list of the methods that are used by my entire API.

Is there some documentation that clearly clarifies what is correct? So that it is not subject to different interpretations about how.

The vast majority of tutorials and resources, like the MDN website, give examples including all the methods (`GET`, `PUT`, `PATCH`...) but never clarify that. The NelmioCorsBundle doesn't give us any way to take it from the route definitions. It's for a single configuration only.
The Fetch standard, which is the de facto specification for CORS, makes no prescription about this:
In practice, different CORS middleware libraries do different things. Some (like rs/cors) only reflect the one method, whereas others (like Express's CORS middleware) always list all the allowed methods.
You could argue that always listing all the methods allowed by your CORS configuration in the `Access-Control-Allow-Methods` response header is "safer":

`Access-Control-Allow-Methods` header is necessary for CORS preflight to succeed.

If you're worried about revealing too much about other endpoints, you should be able to apply different CORS configurations to different endpoints.
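As an added illustration of the per-endpoint approach the question asks about (example code written for this page, not NelmioCorsBundle or Symfony code; the route table, origin allow-list and function names are constructed), here is a framework-neutral preflight responder that can either scope `Access-Control-Allow-Methods` to the route's own methods or list every method the API uses:

```python
"""Per-route CORS preflight responder (constructed example, not NelmioCorsBundle)."""

# Constructed route table: each path maps to the methods that endpoint actually serves.
ROUTES = {
    "/users": {"GET", "POST"},
    "/users/{id}": {"GET", "PATCH", "DELETE"},
    "/reports": {"GET"},
}
ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed origin allow-list


def match_route(path):
    """Return the route template matching *path*, treating {name} segments as wildcards."""
    parts = path.split("/")
    for template in ROUTES:
        tparts = template.split("/")
        if len(tparts) == len(parts) and all(
            t == p or (t.startswith("{") and t.endswith("}")) for t, p in zip(tparts, parts)
        ):
            return template
    return None


def preflight_response(path, headers, per_route=True):
    """Answer an OPTIONS preflight and return (status, response headers).

    per_route=True  -> Access-Control-Allow-Methods lists only this route's methods.
    per_route=False -> it lists the union of every method the API uses (the
                       single-configuration behaviour the question describes).
    """
    origin = headers.get("Origin")
    requested = headers.get("Access-Control-Request-Method", "").upper()
    route = match_route(path)
    if route is None:
        return 404, {}
    if origin not in ALLOWED_ORIGINS:
        # No CORS headers at all: the browser blocks the cross-origin call.
        return 403, {}
    allowed = ROUTES[route] if per_route else set().union(*ROUTES.values())
    if requested not in allowed:
        # Omitting the CORS headers makes the browser fail the preflight,
        # so the actual request with this method is never sent.
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(allowed)),
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",
    }
```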