I have been checking my Graylog server’s security using tools like SSL Labs and Mozilla Observatory.
I configured my Graylog to be behind an nginx HTTPS reverse proxy, to which I added some headers as mentioned in the scan results.
If I enable CORS, as I understand I have to (unless I misunderstood), I get a horrible security rating.
rest_enable_cors = true
web_enable_cors = true
When exactly is a JS client going to connect to my server? Is it my web browser’s JS engine needing to execute code, and I need it enabled? As I see everything still seems to be working with CORS disabled, I’d rather keep it disabled.