Senior Security Engineer
a.k.a., I'm a hacker
Slack is used by millions of people every day – we need engineers who want to make that experience as secure and enjoyable as possible.
frowning.wtf URLs are fake.
Content-Type header as a way to secure your API.
Lots of requests can't be made from URL1 to URL2 if they differ on the following things:
We care about CORS because of the protection offered by the Same Origin Policy (SOP).
That token gets stored on the server as well.
When the form is submitted, the token is sent with the form data and validated on the server.
Content-Type your API doesn't consume.
multipart/form-data, can go cross origin
text/plain, can go cross origin
application/x-www-form-urlencoded, can go cross origin
application/json, can't go cross origin without CORS
application/xml, can't go cross origin without CORS
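The two ideas above (reject any Content-Type the API does not consume, and validate a server-stored token on every state-changing request) combined into one request check, as an added example that is not code from the talk or from Slack. It assumes a hypothetical JSON-only API, a session id that identifies the caller, and a token carried in an X-CSRF-Token header; the in-memory token store stands in for a real session store. The Content-Type filter is defence in depth only; the token comparison is the check that actually decides.

```python
import hmac
import secrets

# Media types a browser will send cross-origin from a plain HTML form or a
# "simple" fetch() without any CORS preflight.
FORM_SUBMITTABLE_TYPES = {
    "multipart/form-data",
    "text/plain",
    "application/x-www-form-urlencoded",
}

# The only body type this hypothetical API consumes.
ACCEPTED_TYPES = {"application/json"}

# Server-side store of issued synchronizer tokens, keyed by session id.
# Constructed in-memory stand-in for a real session store.
_session_tokens: dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Generate a per-session token, remember it server-side, and return it
    so the frontend can embed it in the form or page."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token


def _media_type(content_type: str) -> str:
    # Drop parameters such as "; charset=utf-8" or "; boundary=..." before
    # comparing, so a parameter cannot slip a type past the allow-list.
    return content_type.split(";", 1)[0].strip().lower()


def check_request(session_id: str, headers: dict[str, str]) -> tuple[bool, str]:
    """Decide whether a state-changing request is accepted.

    Returns (accepted, reason). Order matters: the cheap Content-Type filter
    runs first, the token comparison is the authoritative check.
    """
    media = _media_type(headers.get("Content-Type", ""))
    if media not in ACCEPTED_TYPES:
        if media in FORM_SUBMITTABLE_TYPES:
            # A cross-origin page can submit these without a preflight, and
            # the API never consumes them, so there is no reason to accept.
            return False, f"rejected form-submittable type {media}"
        return False, f"rejected unsupported type {media or '<missing>'}"

    expected = _session_tokens.get(session_id)
    supplied = headers.get("X-CSRF-Token", "")
    # Constant-time comparison; a missing server-side token also fails.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-demo"
    tok = issue_csrf_token(sid)
    # Constructed sample headers: a form-style cross-origin post, a JSON post
    # without the token, and a legitimate JSON post with the token.
    for hdrs in (
        {"Content-Type": "application/x-www-form-urlencoded", "X-CSRF-Token": tok},
        {"Content-Type": "application/json; charset=utf-8"},
        {"Content-Type": "application/json", "X-CSRF-Token": tok},
    ):
        print(hdrs.get("Content-Type"), "->", check_request(sid, hdrs))
```

Running it prints one reject for the form-encoded body, one reject for the JSON body that lacks the token, and one accept. Sending the token in a header rather than a cookie is what makes the check meaningful: cookies ride along with any cross-origin form post, the header does not.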
www.frowning.wtf - contains your frontend + any monolith code
www.frowning.wtf/admin - administrator site