Access-Control-Allow-Credentials:true on Cloudflare access page

When accessing a Cloudflare access page, Access-Control-Allow-Credentials is set to true, leading to CORS. Why is this security header implemented on access pages? Can this be removed safely?

This isn’t specific to CF. Many static hosting providers in the 2020s automatically turn that on, GitHub for example. It’s too convenient to not turn CORS headers on on the static side if you have a dynamic site domain (no CF maybe) and a static-ish site domain. If it’s static content and not behind auth and you’re not paying per GB transferred, if a 3rd party hotlinks to you or CORS-links to your content, it doesn’t affect you financially. Remember curl, python, nodejs, and a CFW can always bypass CORS protection through a cloud proxy and still hotlink your content.

But why expose credentials on a Cloudflare access page? This page requires an email and then a code to access the resource. There seems no need to have this. I see your point though, thank you for your reply.

Another idea is CF wants its clients to store its __cfduid cookie if at all possible for anti-DDoS/separating CGNAT users? CF doesn’t care if a client never accepts the __cfduid cookie, but it likes to issue that cookie in every response until the client finally stores it (sometimes never if the site is purely an XHR/Fetch() domain).
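To make the "can this be removed safely" question concrete: the header only matters in combination with Access-Control-Allow-Origin. Below is an added Python check (not from this thread or from Cloudflare) that probes a host with two made-up Origins and reports whether Access-Control-Allow-Credentials: true is inert or actually lets another site read authenticated responses. The three host functions are constructed stand-ins for a real server.

```python
"""Classify a CORS policy by probing it with two Origins.

Added example; the probe origins and the host functions below are constructed.
To audit a real host, replace a host function with one that performs an HTTP
request carrying the given Origin and returns the response headers.
"""
from typing import Callable, Dict, Sequence

Headers = Dict[str, str]

# Made-up origins: a server that reflects the Origin will echo each one back.
PROBE_ORIGINS = ("https://probe-a.example", "https://probe-b.example")


def classify(fetch: Callable[[str], Headers],
             origins: Sequence[str] = PROBE_ORIGINS) -> str:
    """fetch(origin) returns response headers for a request sent with that Origin."""
    seen = []
    for origin in origins:
        h = {k.lower(): v.strip() for k, v in fetch(origin).items()}
        acao = h.get("access-control-allow-origin")
        acac = h.get("access-control-allow-credentials", "").lower() == "true"
        seen.append((origin, acao, acac))
    acaos = [acao for _, acao, _ in seen]
    creds = all(acac for _, _, acac in seen)
    if all(a is None for a in acaos):
        return "no-cors"            # never readable cross-site, credentials or not
    if any(a is None for a in acaos):
        return "inconsistent"       # policy differs per Origin; inspect by hand
    if all(a == "*" for a in acaos):
        # Browsers refuse a credentialed read of a '*' response, so ACAC: true is inert.
        return "wildcard-public"
    if all(a == o for o, a, _ in seen):
        # Any Origin is echoed back: with credentials, any site can read logged-in content.
        return "reflected-credentialed" if creds else "reflected-public"
    return "allowlisted-credentialed" if creds else "allowlisted-public"


# Constructed server behaviours used to exercise the classifier.
def static_host(origin: str) -> Headers:
    return {"Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Credentials": "true"}


def reflecting_host(origin: str) -> Headers:
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def allowlisting_host(origin: str) -> Headers:
    return {"Access-Control-Allow-Origin": "https://app.example",
            "Access-Control-Allow-Credentials": "true"}
```

Only the "reflected-credentialed" result means the header is doing harm on an authenticated page; with a wildcard or a fixed allowlisted origin it is either inert or scoped to one trusted site.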
