Clever Geek Handbook

CORS enabled server does not deny requests

I'm trying to use express Cors with my resitfy server and doesn't seem to deny requests coming from other ips.I'm working locally, so I tried to set the source to a random public ip, but all my requests still go through

Here is my route:

module.exports = function(app) {
    var user = require('./controllers/userController');
    var cors = require('cors');
    var corsOptions = require('./cors.json');


    app.post('/auth/signup', cors(corsOptions),user.createUser);
    app.post('/auth/login', cors(corsOptions), user.validateUser);
    app.post('/auth/generateKeys', cors(corsOptions), user.generateKeys);
    app.post('/auth/generateToken', user.generateToken);
};

and here is my cors.json file where I set a random ip:

{
    "origin": "http://172.16.12.123",
    "optionsSuccessStatus": 200,
}

With the courses set on the route, I can see the following in the postman, but the request is still ongoing? I expect the answer to be rejected.

Access-Control-Allow-Origin → http://172.16.12.123

+3


source to share


2 answers


CORS configuration alone will not cause the server to deny requests from any IP addresses. You cannot do this through CORS configuration alone.

The only thing the server does differently when you configure it with CORS support is to simply send the response header Access-Control-Allow-Origin

and other CORS response headers. Here it is.

The actual enforcement of CORS restrictions is only done by browsers, not servers.



Thus, regardless of the server-side CORS server configuration, the server still continues to accept requests from all clients and sources that it would otherwise have; in other words, all clients from all sources continue to receive responses from the server as they would otherwise.

However, browsers will only expose responses to cross-origin requests for external JavsScript code running on a particular origin, if the server to which the request was sent to allow the request by responding with a header Access-Control-Allow-Origin

that allows that origin.

This is the only thing you can do using CORS configuration. You cannot force the server to accept and respond to requests of a specific origin simply by doing any CORS configuration on the server side. To do this, you need to use something other than CORS configuration.

+4


source


CORS does not prevent anyone from sending GET or POST requests to your application or the API display URL.

Instead, it tells the web browser that AJAX requests are allowed for this server, from the domain they are made on.

But only AJAX requests made from the domain are controlled by CORS. Entering the URL in a web browser does not activate CORS: it is not a firewall .



https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Order of events:

  • Domain A does AJAX on the user's browser to request an API url on Domain B

  • The custom browser sends a basic primary request for the target domain B and checks if CORS is allowed for domain A

  • If allowed, the AJAX request is made otherwise it null

    returns

+3


source






More articles:


All Articles