HttpClient CORS security issues


We are developing an ionic (Angular) application for ios and android that consumes a REST api we have developed. As you may know, in order to communicate with the backend, if we use the angular http client we have to configure the CORS by adding in the allowed headers capacitor://localhost and http://localhost.

Isn’t this a problem in terms of security? With this configuration any mobile application could make calls to our api, right?

Sure, another mobile application running on localhost could make requests to your API. But, really anyone could as well from the server side as CORS is only a browser/front-end mechanism.

Some ways to mitigate risk is having authentication for your API and rate limiting.