REST endpoint sets CORS headers
Is there a way to turn off the generation of these headers?
Edited by Maxime: Thank you for your report, I sent you an email about this.
Assuming you are using the on-premises version of the Search API, it is possible to configure the Search API regarding CORS options.
Hey thanks for the report!
I work more on the platform side so I'm not a Coveo for Sitecore expert (those are all asleep at the moment), but I assume this means that requests to `/rest/search` are reverse-proxied through the Sitecore site over to the Coveo Cloud platform. In this case, if your site uses cookies for authentication (hardly an uncommon practice!) you are right that this indeed opens up a potential security issue.
When using the platform directly, cookies aren't used for authentication; the access or search token must be passed manually through the `Authorization` HTTP header, so a foreign site can't magically gain access to the service through cookies. So in this case it's OK to put the headers as they are, but definitely the Coveo for Sitecore reverse proxy (if my assumptions about it existing are right) should not forward those.
This looks pretty important, so I'll alert the proper teams right away so they can have a look at this.
Again, thanks for reporting!
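As an added illustration of the distinction drawn in the reply above (not code from the original thread, nor Coveo's or Sitecore's own code): a small Node.js check for when a permissive CORS response is actually readable by a foreign origin, depending on whether the browser attaches the victim's credentials automatically (session cookie) or the caller's own JavaScript has to set an `Authorization` header, together with the header filter a reverse proxy in front of a cookie-authenticated site would apply to upstream responses. The function names, the `authScheme` labels and the sample upstream headers are assumptions made for the example.

```javascript
// Added example: decide whether a CORS response is readable cross-origin
// given how the request is authenticated, and strip upstream CORS headers
// in a reverse proxy. Header names are the standard CORS ones; the auth
// scheme labels and the sample headers are constructed for illustration.

const CORS_RESPONSE_HEADERS = new Set([
  'access-control-allow-origin',
  'access-control-allow-credentials',
  'access-control-allow-methods',
  'access-control-allow-headers',
  'access-control-expose-headers',
  'access-control-max-age',
]);

// Lower-case header names so lookups do not depend on upstream casing.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// requestOrigin: the Origin header a foreign (attacker-controlled) page sends.
// authScheme: 'cookie' (browser attaches the session automatically) or
//             'authorization-header' (the caller's own JS must set the token).
// Returns { verdict, reason } where verdict is one of:
//   'safe'               - no cross-origin read of authenticated data
//   'blocked-by-browser' - CORS headers present, but the browser refuses the read
//   'exploitable'        - a foreign page can read the victim's data
function classifyCorsResponse({ requestOrigin, responseHeaders, authScheme }) {
  const h = normalizeHeaders(responseHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  const allowCredentials = h['access-control-allow-credentials'] === 'true';

  if (allowOrigin === undefined) {
    return { verdict: 'safe', reason: 'no Access-Control-Allow-Origin; same-origin policy applies' };
  }
  if (authScheme === 'authorization-header') {
    // A foreign origin cannot make the browser attach the victim's bearer
    // token, so anything it reads back is an unauthenticated response.
    return { verdict: 'safe', reason: 'token is not sent automatically by the browser' };
  }
  // Cookie auth from here on: the cross-origin request carries the victim's session.
  if (!allowCredentials) {
    return { verdict: 'blocked-by-browser', reason: 'credentialed read needs Access-Control-Allow-Credentials: true' };
  }
  if (allowOrigin === '*') {
    return { verdict: 'blocked-by-browser', reason: 'wildcard origin is rejected for credentialed requests' };
  }
  if (allowOrigin === requestOrigin || allowOrigin === 'null') {
    // Reflected origin, or "null" (reachable from a sandboxed iframe), plus
    // credentials: the classic exploitable CORS misconfiguration.
    return { verdict: 'exploitable', reason: `origin ${allowOrigin} allowed with credentials` };
  }
  return { verdict: 'safe', reason: `only ${allowOrigin} may read the response` };
}

// What a reverse proxy in front of a cookie-authenticated site should do with
// CORS headers coming back from the upstream API: drop them, so the proxied
// endpoint falls back to the same-origin policy.
function stripUpstreamCorsHeaders(upstreamHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(upstreamHeaders)) {
    if (!CORS_RESPONSE_HEADERS.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Constructed sample: an upstream search API that reflects the caller's origin.
const SAMPLE_UPSTREAM_HEADERS = {
  'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': 'https://attacker.example',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Headers': 'Authorization, Content-Type',
};

function demo() {
  const attacker = 'https://attacker.example';
  return {
    // Proxied through a cookie-authenticated site, headers forwarded as-is.
    beforeProxyFix: classifyCorsResponse({
      requestOrigin: attacker, responseHeaders: SAMPLE_UPSTREAM_HEADERS, authScheme: 'cookie',
    }),
    // Same proxy once it stops forwarding the upstream CORS headers.
    afterProxyFix: classifyCorsResponse({
      requestOrigin: attacker, responseHeaders: stripUpstreamCorsHeaders(SAMPLE_UPSTREAM_HEADERS), authScheme: 'cookie',
    }),
    // Calling the platform directly with a token in the Authorization header.
    directPlatform: classifyCorsResponse({
      requestOrigin: attacker, responseHeaders: SAMPLE_UPSTREAM_HEADERS, authScheme: 'authorization-header',
    }),
  };
}

console.log(demo());
```

The check encodes two browser rules a practitioner should keep in mind when triaging a report like this one: a wildcard `Access-Control-Allow-Origin` is never honoured for credentialed requests, so the genuinely exploitable shape is a reflected (or `null`) origin combined with `Access-Control-Allow-Credentials: true`; and a token the page's own script must place in `Authorization` is not something a foreign origin can make the browser send, which is why the same headers are harmless on the direct platform API but not behind a cookie-authenticated proxy. The proxy-side fix shown is the simplest one, dropping the upstream CORS headers entirely; a site that needs cross-origin access would instead emit its own allow-list, which this example does not attempt.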