For a public API, is it safe to send JSON as text/plain and include an auth token in a non-standard header to get around preflight?

I'm writing a public API that I expect to be used across an unknown number of domains. If I include my JWT token in the Authorization header, it will trigger a preflight response per the CORS spec. For my purposes of designing a public API, this is detrimental to performance as it requires two round trips to the server (OPTIONS request, followed by the GET/POST). Since my OPTIONS will always return the same thing (access-control-allow-origin: *), there's little point in the preflight.

Sadly however, a Content-Type of application/json will also trigger a preflight response.

What I'm considering is providing a "fast" version of the API where the consumers can send JSON with a Content-Type of text/plain and set their Authorization token in a non-standard header (i.e. Width).

The questions I have, given my use cases, are:

a.) Is this dangerous in any way?

b.) Is this a good idea?

Posted
4 years ago
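
The preflight rules the post refers to, as an added example that is not part of the original post: a small model of the Fetch standard's CORS-safelisted method and request-header checks, reporting which parts of a cross-origin request force an OPTIONS round trip. It covers method and author-set headers only (the `Range` header and the 1024-byte total limit are left out), `extraSafelisted` is a hypothetical parameter for modelling a browser that safelists additional header names, and the sample requests are constructed.

```javascript
// Added example: models the Fetch standard's preflight decision for a
// cross-origin request, looking at the method and author-set headers only.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
// Bytes the standard treats as unsafe inside Accept / Content-Type values.
const UNSAFE_BYTE = /[\x00-\x08\x0a-\x1f"():<>?@[\\\]{}\x7f]/;

// extraSafelisted (hypothetical): lower-case names a given browser also safelists.
function isSafelistedHeader(name, value, extraSafelisted = []) {
  const n = name.toLowerCase();
  if (value.length > 128) return false; // over-long values are never safelisted
  switch (n) {
    case "accept":
      return !UNSAFE_BYTE.test(value);
    case "accept-language":
    case "content-language":
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type": {
      if (UNSAFE_BYTE.test(value)) return false;
      // Only the MIME essence matters; parameters such as charset are ignored.
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFE_CONTENT_TYPES.has(essence);
    }
    default:
      return extraSafelisted.includes(n);
  }
}

// Returns the reasons a preflight is required; an empty array means the
// browser sends the request directly, with no OPTIONS round trip.
function preflightReasons(method, headers, extraSafelisted = []) {
  const reasons = [];
  if (!SAFE_METHODS.has(method.toUpperCase())) reasons.push(`method ${method}`);
  for (const [name, value] of Object.entries(headers)) {
    if (!isSafelistedHeader(name, value, extraSafelisted)) {
      reasons.push(`header ${name}`);
    }
  }
  return reasons;
}

// Constructed sample: the two request shapes the post compares.
const standard = { "Content-Type": "application/json", Authorization: "Bearer <token>" };
const fast = { "Content-Type": "text/plain; charset=utf-8" };
console.log(preflightReasons("POST", standard), preflightReasons("POST", fast));
```
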