Why is CORS important for EUDI Wallet web applications?

EUDI Wallet verification often happens through web browsers -- for example, when a user logs into a government portal or verifies their age on an e-commerce site. The verification website (the relying party) needs to communicate with EUDI Wallet APIs and credential verification endpoints hosted on different domains. Without proper CORS headers, the browser would block these cross-origin requests as a security measure. However, CORS must be configured restrictively -- only authorized relying party domains should be allowed to access wallet APIs, preventing malicious websites from making unauthorized requests.

What is the difference between CORS and the same-origin policy?

The same-origin policy is the browser default that blocks web pages from making requests to different origins (a combination of protocol, domain, and port). CORS is the mechanism that selectively relaxes this restriction. When a browser makes a cross-origin request, it first sends a preflight OPTIONS request to the target server. The server responds with CORS headers specifying which origins, methods, and headers are allowed. Only if the response permits the requesting origin does the browser proceed with the actual request. For EUDI Wallet services, this means only verified relying party domains receive cross-origin access.

What are common CORS misconfigurations in identity systems?

The most dangerous misconfiguration is setting Access-Control-Allow-Origin to wildcard (*), which allows any website to access the API. This would let malicious sites make requests to EUDI Wallet verification endpoints on behalf of the user. Other risky configurations include reflecting the Origin header without validation, allowing credentials (cookies/tokens) with overly broad origins, or missing the Access-Control-Allow-Methods restriction. EUDI Wallet services should whitelist specific relying party domains and regularly audit their CORS configuration.

CORS (Cross-Origin Resource Sharing)

CORS

security

Full Name: Cross-Origin Resource Sharing

Definition

Cross-Origin Resource Sharing (CORS) is a security mechanism implemented by web browsers that controls how web pages from one origin (domain, protocol, and port combination) can request resources from a different origin. CORS extends the browser's same-origin policy by using HTTP headers to declare which cross-origin requests a server permits. For EUDI Wallet web-based flows -- including online credential verification, wallet registration, and relying party integration -- CORS configuration determines which websites can interact with wallet APIs and credential verification endpoints.

How CORS Works: The Preflight Mechanism

When a web page makes a cross-origin request (for example, a relying party website at bank.example.com calling an API at wallet-api.eudi.eu), the browser follows a specific CORS protocol:

For simple requests (GET or POST with basic headers), the browser sends the request directly but includes an Origin header. The server responds with Access-Control-Allow-Origin indicating whether that origin is permitted. The browser only exposes the response to the page if the origin is allowed.

For complex requests (PUT, DELETE, or requests with custom headers like Authorization), the browser first sends a preflight OPTIONS request asking the server what is permitted. The server responds with headers like Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers. Only if the preflight response permits the intended request does the browser send the actual request.

The Access-Control-Max-Age header tells the browser how long to cache the preflight response, reducing latency for subsequent requests. The Access-Control-Allow-Credentials header controls whether cookies and authorization headers can be included in cross-origin requests -- critical for authenticated EUDI Wallet API calls.

CORS Configuration for EUDI Wallet Services

EUDI Wallet backend services interact with web-based relying parties through several endpoints that require CORS configuration:

•Authorization endpoints: Where relying parties initiate credential presentation requests. CORS must allow the relying party's specific domain to make POST requests with JSON content types.
•Credential verification endpoints: Where verifiers submit presentation tokens for validation. These require authenticated cross-origin access with appropriate credential headers.
•Status/revocation endpoints: Where verifiers check credential validity. These may use more permissive CORS settings since they serve public revocation data, but should still not use wildcard origins in production.
•Metadata endpoints: Serving OpenID configuration, credential schemas, and trust framework data. These are typically read-only and may allow broader CORS access.

Security Best Practices

For EUDI Wallet deployments, CORS security requires careful attention:

•Never use wildcard (*) for Access-Control-Allow-Origin on authenticated endpoints. Maintain an explicit allowlist of registered relying party domains.
•Validate the Origin header server-side against the registered relying party registry. Do not simply reflect the Origin header back, as this effectively makes the policy a wildcard.
•Use Access-Control-Allow-Credentials: true only when necessary, and never in combination with wildcard origins.
•Regularly audit CORS headers across all EUDI Wallet service endpoints as part of security compliance checks.

What is CORS (Cross-Origin Resource Sharing)?

CORS: Cross-Origin Resource Sharing in EUDI Wallet Web Services

CORS

Definition

How CORS Works: The Preflight Mechanism

CORS Configuration for EUDI Wallet Services

Security Best Practices

Related Terms

CSP

CSRF

Frequently Asked Questions

Verwandte Leitfäden

→ Glossary Index

→ CSP

→ CSRF

Quellen

⚠️ Independent Information