So basically I built a backend with some working endpoints and I built a React frontend. I can run both things locally and I hosted the page on Cloudflare Pages, which is working. But now I'm wondering if that's a good idea?

I have never done this before and I’m wondering if it’s secure enough to host the backend on some server and allow a CORS header to let the Frontend generate requests?

The alternative would be to host frontend and backend on a VPS and then route my domain that I bought on Cloudflare there, but then I'm thinking that in case my frontend is insecure somehow, the whole instance would be compromised, no?

I hope this is the right platform to ask as I’m pretty new here.

  • MajorHavoc@programming.dev
    5 days ago

    CORS is just an ask for browsers specifically to stop cross-domain communication; it protects the users, not you.

    A minor point of clarification to this point.

    CORS also provides substantial protection to the server admin against innocent users being manipulated into taking malicious actions.

    So there is some value to the server admin as well.

    Sure, any malicious actor can assault the back end directly, but often they have no ability to attack from a context of authenticated trust.

    A CORS misconfiguration makes the system more vulnerable to attacks that manipulate legitimate users into taking malicious actions.

    So a CORS misconfiguration can lead to malicious actions coming in through highly trusted contexts, which can sometimes be substantially more harmful than random unauthenticated attack spam.
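
To make the misconfiguration discussed in this thread concrete, here is an added example (not code from any poster) that compares an origin-reflecting CORS policy with an exact-match allowlist and audits which origins a browser would let read a credentialed response. The origins, the allowlist and all function names are constructed assumptions.

```javascript
// Assumed frontend origin (e.g. the Pages site); constructed for this example.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Misconfigured: echoes back whatever Origin the browser sent and allows
// cookies, so every site is treated like the real frontend.
function weakCorsHeaders(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact string match against the allowlist. Unknown origins get no
// CORS headers; Vary: Origin keeps caches from serving one origin's headers
// to another.
function strictCorsHeaders(origin) {
  const headers = { Vary: "Origin" };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser rule for credentialed requests: the response is readable by the
// page only if Allow-Origin equals its origin exactly (no "*") and
// Allow-Credentials is "true".
function browserWouldExposeResponse(origin, headers) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Returns the origins that could read authenticated responses under a policy.
function audit(policy, origins) {
  return origins.filter((o) => browserWouldExposeResponse(o, policy(o)));
}

// Constructed test origins: the real frontend, a look-alike suffix, an
// unrelated site, and the literal "null" origin sent by sandboxed documents.
const SAMPLE_ORIGINS = [
  "https://app.example.com",
  "https://app.example.com.evil.example",
  "https://evil.example",
  "null",
];

console.log("weak policy exposes:  ", audit(weakCorsHeaders, SAMPLE_ORIGINS));
console.log("strict policy exposes:", audit(strictCorsHeaders, SAMPLE_ORIGINS));
```

Running the same audit against your own backend's header logic in a unit test catches regressions such as prefix or substring matching on the origin.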