"angular: a wildcard '*' cannot be used in the 'access-control-allow-origin' header when the credentials flag is true" Code Answer
5
Response should only have the accepted headers in Access-Control-Allow-Headers; don't use a wildcard.
As far as it being safe, note the comment from @jules in this post about CORS:
Note that sending the HTTP Origin value back as the allowed origin will allow anyone to send requests to you with cookies, thus potentially stealing a session from a user who logged into your site then viewed an attacker's page. You either want to send '*' (which will disallow cookies thus preventing session stealing) or the specific domains for which you want the site to work.
See also the following for examples:
Wildcard not accepted in Access-Control-Allow-Headers
Specify headers Access-Control-Allow-Headers
Alternative approach
You can just set the origin header to:
Access-Control-Allow-Origin: *
If you don't need to include cookies in your request, remove:
Access-Control-Allow-Credentials: true
Remove the wildcard from Access-Control-Allow-Headers and add Authorization, and then pass that header as part of your request for authorization, instead of passing credentials in a cookie, ex:
Also, add OPTIONS to the allowed methods.
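The two configurations the answer describes (specific origins with cookies, or a wildcard origin with a token in the Authorization header), as an added example that is not part of the original answer. The origins, constants and function names are assumptions chosen for illustration.

```javascript
// Added example. The origins and function names below are assumptions.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // constructed sample values
  "https://admin.example.com",
]);
const METHODS = "GET, POST, PUT, DELETE, OPTIONS";
const HEADERS = "Content-Type, Authorization"; // explicit list, no wildcard

// Cookie-based sessions: credentials are on, so Allow-Origin must be one
// specific allowlisted origin, never "*" and never a blind echo of Origin.
function credentialedCors(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // no CORS headers, so the browser refuses the cross-origin read
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": METHODS,
    "Access-Control-Allow-Headers": HEADERS,
    "Vary": "Origin", // the response differs per origin; caches must key on it
  };
}

// Token in the Authorization header instead of a cookie: "*" is acceptable
// and Access-Control-Allow-Credentials is left out entirely.
function tokenCors() {
  return {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": METHODS,
    "Access-Control-Allow-Headers": HEADERS,
  };
}

// Flags the combinations the answer warns about in a set of response headers.
function lintCors(h) {
  const problems = [];
  const creds = h["Access-Control-Allow-Credentials"] === "true";
  if (creds && h["Access-Control-Allow-Origin"] === "*") {
    problems.push("wildcard origin with credentials");
  }
  const allowHeaders = (h["Access-Control-Allow-Headers"] || "").split(",");
  if (creds && allowHeaders.some((v) => v.trim() === "*")) {
    problems.push("wildcard headers with credentials");
  }
  return problems;
}
```

`lintCors` can be run against the headers a server actually returns to catch the configuration that triggers the browser error in the question.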