Seng is right. I'll add that Access-Control-Allow-Origin is only allowed to be a * for unauthenticated requests. The browser will ignore Access-Control-Allow-Credentials: true if your allow-origins header is set to a wildcard. However, this leaves you open to distributed brute force login attacks. The right thing to do would be to check the Referer/Origin header against a known whitelist of sites you allow to access, and set your Access-Control-Allow-Origin header accordingly.
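One way to implement the allowlist check this comment recommends, as an added example that is not code from the original thread: a Node.js (Express-style) middleware that echoes the request's Origin only when it matches an explicit allowlist, never pairs a wildcard with credentials, and sets `Vary: Origin` so caches do not leak one origin's response to another. The allowlist entries and the `corsMiddleware` wrapper are assumptions for illustration.

```javascript
// Constructed sample allowlist: the exact origins permitted to make
// credentialed cross-origin requests to this API.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Compute the CORS response headers for a given request Origin.
// Returns an empty object when the origin is absent or not allowed, so the
// browser blocks the cross-origin read and no credentialed response is exposed.
function corsHeadersFor(origin, allowlist = ALLOWED_ORIGINS) {
  // No Origin header: same-origin or non-browser caller, nothing to emit.
  if (typeof origin !== 'string') return {};
  // Exact string match only: no prefix, substring or regex matching, so
  // "https://app.example.com.evil.net" and the literal "null" origin both fail.
  if (!allowlist.has(origin)) return {};
  return {
    // Echo the specific allowed origin; never '*' when credentials are allowed,
    // since the browser ignores Allow-Credentials next to a wildcard anyway.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Express-style middleware (assumed shape: req.headers, res.setHeader, next).
function corsMiddleware(req, res, next) {
  const headers = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  // Preflight requests need no body; respond immediately.
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    return res.end();
  }
  next();
}
```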