Discussion on: Understanding CORS

Martin Splitt (Author)

Note that without CORS headers the request is still happening, you just don't have access to the response. Unless you have some server-side mechanism to detect requests from other origins, you could still run the risk of CSRF. I'm with @theincorrigible1 that you should protect against CSRF on any inputs that can change state.

Here's a potential example:

  • Say your router is at and there's a form to change the admin password with a POST request, e.g. POST to with a body like "password=abc123".
  • If some website now makes such a request, it won't see the response from the router (that's what CORS prevents), but the request would happen and possibly change your router password.
Andrew Luca

Now I get it.
But can the attacker make a simple request, get a CSRF token,
and then make a second request with that token included?