I saw another question about using CORS with Access-Control-Allow-Origin: * and the biggest concern was Cross-Site Request Forgery attacks.
I was wondering if the same concerns apply when using it with the AWS API Gateway.
The CORS documentation for API Gateway does not mention any downsides to CORS.
However, the S3 CORS documentation shows Access-Control-Allow-Origin: * only being used with GET, but specifies an origin for PUT, POST, and DELETE.
For my specific use case I wanted to do what the api gateway documentation says: use a JavaScript client to calls an API deployed on a different domain (i.e. my-api-id.execute-api.region-id.amazonaws.com/test). I am passing an api-key for each request.
Is it safe to use Access-Control-Allow-Origin: * on GET,POST,PUT,DELETE?