The requirement listed in this section allows the browser to make requests, putting it on par with other application platforms. However, a concern that has been raised during our risk analysis of the API Security is that a blanket "Allow all" list of CORS Domains is insufficient to prevent script-kiddy attacks, and that some stronger form of protection can and should be supported, which could benefit not just browser based FHIR applications but others as well.

We'd like to see stronger guidance for securing an API Server deployed on the Internet from in appropriate access from unknown requesters, using something stronger than CORS Access-Control-Allow-Origin.