Plumber and CORS for public API

I have a public API deployed on Digital Ocean (via plumberDeploy). It's working fine when I test it in my browser and in R. When testing in an Observable HQ notebook, however, I get a CORS error and cannot fetch the data.

From the plumber documentation and this plumber issue, it looks like I can add

#* @filter cors
cors <- function(res) {
    res$setHeader("Access-Control-Allow-Origin", "*")
    plumber::forward()
}

to my plumber.R file to resolve this.

My question is, are there security risks to using the CORS wildcard *? Since the API is public, my thought is this should be fine. But I'm new to all this, so I was hoping someone could weigh in.

I suggest going over this excellent article on CORS.

1 Like
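
Added example (not part of the original posts and not plumber's own code): a plumber.R variant of the filter from the question that sends the wildcard only while the API is public and cookie-free, and switches to an exact-match origin allowlist otherwise. `allowed_origins`, `cors_headers`, the example origins and the `/data` endpoint are assumptions made for illustration.

```r
# plumber.R -- added example; names and origins below are hypothetical.

# NULL means "public, unauthenticated API" and yields the wildcard.
# A character vector switches to an exact-match allowlist.
allowed_origins <- NULL
# allowed_origins <- c("https://notebook.example", "https://app.example")  # constructed

# Decide which CORS headers to send for one request. Kept as a pure function
# so it can be checked without starting the API.
cors_headers <- function(origin, allowed = allowed_origins) {
  if (is.null(allowed)) {
    # Wildcard: any site may read responses. Never add
    # Access-Control-Allow-Credentials on this path.
    return(list("Access-Control-Allow-Origin" = "*"))
  }
  if (!is.null(origin) && origin %in% allowed) {
    # Echo only an exact allowlist match; Vary stops shared caches from
    # serving one origin's response to another origin.
    return(list("Access-Control-Allow-Origin" = origin, "Vary" = "Origin"))
  }
  list()  # unknown origin: no CORS headers, so the browser blocks the read
}

#* @filter cors
cors <- function(req, res) {
  # req$HTTP_ORIGIN is NULL when the request carries no Origin header.
  headers <- cors_headers(req$HTTP_ORIGIN)
  for (name in names(headers)) res$setHeader(name, headers[[name]])

  if (req$REQUEST_METHOD == "OPTIONS") {
    # Preflight: answer here instead of forwarding to an endpoint.
    res$setHeader("Access-Control-Allow-Methods", "GET, OPTIONS")
    res$setHeader("Access-Control-Allow-Headers", "Content-Type")
    res$status <- 200
    return(list())
  }
  plumber::forward()
}

#* Constructed sample endpoint
#* @get /data
function() list(value = 42)
```

Browsers reject `Access-Control-Allow-Origin: *` on requests sent with credentials, so the wildcard path exposes only what an unauthenticated client could already fetch. The allowlist path matters once responses depend on cookies or on where the caller sits on the network.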
