Understanding CORS settings better

I have been checking my Graylog server’s security using tools like SSL Labs and Mozilla Observatory.

I configured my Graylog to be behind an nginx HTTPS reverse proxy, to which I added some headers as mentioned in the scan results.

If I enable CORS, as I understand I have to (unless I misunderstood), I get a horrible security rating.
rest_enable_cors = true
web_enable_cors = true

When exactly is a JS client going to connect to my server? Is it my web browser’s JS engine needing to execute code and I need it enabled? As far as I can see, everything still seems to be working with CORS disabled, so I’d rather keep it disabled.
