I'm writing a public API that I expect to be used across an unknown number of domains. If I include my JWT token in the Authorization header, it will trigger a preflight response per the CORS spec. For my purposes of designing a public API, this is detrimental to performance as it requires two round trips to the server (OPTIONS request, followed by the GET/POST). Since my OPTIONS will always return the same thing (access-control-allow-origin: *), there's little point in the preflight.
Sadly however, a Content-Type of application/json will also trigger a preflight response.
What I'm considering is providing a "fast" version of the API where the consumers can send JSON with a Content-Type of text/plain and set their Authorization token in a non-standard header (i.e. Width).
The questions I have are given my use cases,
a.) Is this dangerous in any way?
b.) Is this a good idea?