sumansuhag commented on issue #9899: URL: https://github.com/apache/apisix/issues/9899#issuecomment-3108208276
Okay, so the problem is that the CORS plugin only deals with response headers, not controlling which methods can be used. If you want to block POST requests from other sites but still allow GET, here's what you gotta do:

1. Set up your backend to only allow certain methods (using APISIX route configs or other security plugins).
2. Make sure the `allow_methods` in your CORS plugin is set up right (with the methods separated by commas).
3. Don't just depend on CORS headers to keep things secure.

This two-step method makes sure your CORS is secure and follows standards, while your server handles request filtering.
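A configuration check for the gap this comment describes, as an added example that is not from the comment's author or the APISIX project: it reads route objects shaped like APISIX Admin API routes and lists the methods a route still forwards although the `cors` plugin's `allow_methods` omits them. The two sample routes (ids, URI, origin) are constructed, and `advertised` and `audit` are hypothetical helper names.

```python
import json

# Constructed sample in the shape of APISIX Admin API route objects.
ROUTES = json.loads("""
[
  {"id": "cors-only", "uri": "/api/*",
   "plugins": {"cors": {"allow_origins": "https://app.example.com",
                        "allow_methods": "GET"}}},
  {"id": "cors-plus-methods", "uri": "/api/*", "methods": ["GET", "OPTIONS"],
   "plugins": {"cors": {"allow_origins": "https://app.example.com",
                        "allow_methods": "GET,OPTIONS"}}}
]
""")

# Common subset of HTTP methods, used when a route or the plugin means "all".
ALL_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}
# Methods a browser can send cross-origin without a preflight
# (POST only with a safelisted Content-Type such as a form encoding).
NO_PREFLIGHT = {"GET", "HEAD", "POST"}


def advertised(cors_conf):
    """Methods the cors plugin advertises; "*" (the default) and "**" mean all."""
    raw = cors_conf.get("allow_methods", "*")
    if raw.strip() in ("*", "**"):
        return set(ALL_METHODS)
    return {m.strip().upper() for m in raw.split(",") if m.strip()}


def audit(route):
    """List methods the route still forwards although CORS does not advertise them."""
    cors_conf = route.get("plugins", {}).get("cors")
    if cors_conf is None:
        return []
    # A route without a "methods" field matches every HTTP method.
    accepted = {m.upper() for m in route.get("methods", ALL_METHODS)}
    # OPTIONS is the preflight itself, so it is not reported as a gap.
    gap = accepted - advertised(cors_conf) - {"OPTIONS"}
    return [{"method": m, "sent_without_preflight": m in NO_PREFLIGHT}
            for m in sorted(gap)]


if __name__ == "__main__":
    for r in ROUTES:
        print(r["id"], audit(r))
```

An empty result means the route's own `methods` list, not the CORS headers, is what limits the accepted methods.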