Security implications of adding all domains to CORS (Access-Control-Allow-Origin: *)

Backend · Unresolved · 6 · 915
深忆病人 2020-12-07 22:51

It is said that instead of adding all domains to CORS, one should only add a set of domains. Yet it is sometimes not trivial to add a set of domains. E.g. if I want to publi

6 answers
  •  北荒 (OP)
     2020-12-07 23:14

    Old question, but a lot of bad answers here so I have to add mine.

    If you don't set Access-Control-Allow-Credentials, and you do cookie-less authentication (i.e. the caller supplies a Bearer Authorization header), then you don't need to whitelist origins. Just echo the origin back in Access-Control-Allow-Origin.

    A well-structured REST API can be called safely from any origin.
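The rule in the answer above, as an added example that is not part of the original post: a small policy function that decides which CORS response headers to send for one request. When the API is cookie-less (no `Access-Control-Allow-Credentials`), the request origin is echoed back; when credentials are in play, only an allow-list is accepted, because reflecting arbitrary origins together with `Access-Control-Allow-Credentials: true` would let any site read a logged-in user's responses (and `*` is rejected by browsers in credentialed mode). The origins in `ALLOWED_ORIGINS` are constructed sample values.

```javascript
// Added example (not from the original question or answer). Computes the CORS
// response headers for one request. ALLOWED_ORIGINS is a constructed sample
// allow-list; it matters only for credentialed (cookie-based) APIs.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",    // constructed sample values
  "https://admin.example.com",
]);

// requestOrigin: value of the incoming Origin header (undefined when absent)
// credentials:   true if the API is authenticated by cookies / HTTP auth,
//                false if the caller sends a Bearer token in a header
function corsHeaders(requestOrigin, { credentials = false } = {}) {
  // No Origin header: same-origin page or a non-browser client. Nothing to add.
  if (!requestOrigin) return {};

  if (!credentials) {
    // Cookie-less API: the browser never attaches ambient credentials, so any
    // origin may read the response. Echo the origin back (works for every
    // origin, unlike "*", which also blocks custom headers in some cases).
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Vary": "Origin",   // caches must key on Origin once it is reflected
      "Access-Control-Allow-Headers": "Authorization, Content-Type",
    };
  }

  // Credentialed API: reflecting an unknown origin with Allow-Credentials:
  // true hands that origin the user's authenticated data. Deny by sending no
  // CORS headers at all; the browser then refuses to expose the response.
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};

  return {
    "Access-Control-Allow-Origin": requestOrigin,   // "*" is invalid here
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
  };
}

// Audit helper for an existing response: flags the two problematic
// combinations a reviewer looks for.
//   "browser-rejected": "*" with credentials (browsers block it, so the
//                       integration silently fails)
//   "dangerous":        an origin outside the allow-list reflected with
//                       credentials
//   "ok":               anything else
function auditCorsResponse(allowOrigin, allowCredentials) {
  if (!allowCredentials) return "ok";
  if (allowOrigin === "*") return "browser-rejected";
  if (!ALLOWED_ORIGINS.has(allowOrigin)) return "dangerous";
  return "ok";
}

// Usage (output not checked): a cookie-less API serves any origin,
// a credentialed one only the allow-list.
console.log(corsHeaders("https://third-party.example.net"));
console.log(corsHeaders("https://third-party.example.net", { credentials: true }));
```

`Vary: Origin` is included whenever the origin is reflected so that a shared cache does not serve one origin's `Access-Control-Allow-Origin` value to another.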
