Change default for `methods` option value to safe values

[Fdawgs]

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the issue has not already been raised

Issue

The methods option, which sets the Access-Control-Allow-Methods response header, currently defaults to GET,HEAD,PUT,PATCH,POST,DELETE. This exposes unsafe methods that can modify server state to cross-origin requests, potentially leading to security vulnerabilities if not properly controlled.

It should instead default to CORS-safelisted methods GET,HEAD,POST or be disabled (which is the same as setting it to GET,HEAD,POST).

This would be a breaking change if implemented.

[Uzlopak]

I think you are right. Semver major is imho fine

[KaKi87]

What's wrong with PUT, PATCH and DELETE ?

Shoud I change upsert, edit and delete actions to POST ?

This doesn't make any sense to me. 🤔

[Uzlopak]

@KaKi87

CORS is a security measurement and is used to deny access to the resource server by only allow whitelisted domains to access the resources.

Our Plugin by default allowed too many methods access without CORS. So we reduced the whitelist of methods to the safelisted ones.

So by default we are more restrictive. If you want to allow more methods to be by default whitelisted, it is your choice to configure this.

[KaKi87]

My reason for using this plugin is to be zero-config.

I downgraded to v10.

[Uzlopak]

You can even consider to removing this plugin from your server, as you clearly dont need CORS ;).