I am trying to use Express CORS with my restify server and it doesn't seem to be denying requests coming from other IPs. I am working locally, so I tried setting origin to a random public IP, but all of my requests are still going through.
Here is my route:
    module.exports = function(app) {
      var user = require('./controllers/userController');
      var cors = require('cors');
      var corsOptions = require('./cors.json');
      app.post('/auth/signup', cors(corsOptions), user.createUser);
      app.post('/auth/login', cors(corsOptions), user.validateUser);
      app.post('/auth/generateKeys', cors(corsOptions), user.generateKeys);
      app.post('/auth/generateToken', user.generateToken);
    };
and here is my cors.json file where I have set a random ip:
    {
      "origin": "http://172.16.12.123",
      "optionsSuccessStatus": 200
    }
With cors set on the route I can see the following in Postman, but the request is still going through. I would expect an access denied response.
Access-Control-Allow-Origin →http://172.16.12.123
CORS configuration on its own isn’t going to cause a server to deny requests. You can’t cause server-side blocking of requests just through CORS configuration.
The only thing a server does differently when you configure it with CORS support is just to send the Access-Control-Allow-Origin response header and other CORS response headers. That’s it.
Actual enforcement of cross-origin restrictions is done only by browsers, not by servers.
So no matter what server-side CORS configuration you make to a server, the server still goes on accepting requests from all clients and origins it would otherwise; in other words, all clients from all origins still keep on getting responses from the server just as they would otherwise.
But browsers will only expose responses from cross-origin requests to frontend JavaScript code running at a particular origin if the server the request was sent to opts in to permitting the request by responding with an Access-Control-Allow-Origin header that allows that origin.
That’s the only thing you can do using CORS configuration. You can’t make a server only accept and respond to requests from particular origins just by doing any server-side CORS configuration. To do that, you need to use something other than just CORS configuration.
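The behaviour described above, as an added example that is not part of the original answer or of the cors package: a CORS-style middleware lets every request through, while a separate allowlist check on the peer address actually rejects it. `corsLike`, `requireAllowedIp` and `simulate` are hypothetical names, the requests are constructed, and the check assumes the server is reached directly rather than through a reverse proxy.

```javascript
'use strict';

// Stand-in for what cors(corsOptions) does on a simple request: it sets a
// response header and calls next(). It never rejects anything.
function corsLike(options) {
  return function (req, res, next) {
    res.setHeader('Access-Control-Allow-Origin', options.origin);
    next();
  };
}

// Hypothetical enforcement middleware: 403 unless the TCP peer is allowlisted.
// Assumes no reverse proxy in front (behind one, the peer is the proxy).
function requireAllowedIp(allowedIps) {
  const allowed = new Set(allowedIps);
  return function (req, res, next) {
    // Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d
    const ip = String(req.socket.remoteAddress || '').replace(/^::ffff:/, '');
    if (!allowed.has(ip)) {
      res.statusCode = 403;
      res.end('Forbidden');
      return; // do not call next(): the route handler never runs
    }
    next();
  };
}

// Constructed harness: run a middleware chain against a fake request.
function simulate(middlewares, remoteAddress, origin) {
  const req = { headers: { origin }, socket: { remoteAddress } };
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    end() {},
  };
  let reachedHandler = false;
  let i = 0;
  (function next() {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
    else reachedHandler = true;
  })();
  return { statusCode: res.statusCode, headers: res.headers, reachedHandler };
}

const corsOnly = [corsLike({ origin: 'http://172.16.12.123' })];
const withIpCheck = [requireAllowedIp(['172.16.12.123']), ...corsOnly];
console.log(simulate(corsOnly, '203.0.113.9', 'http://other.example'));
console.log(simulate(withIpCheck, '203.0.113.9', 'http://other.example'));
```

The `Origin` header is not used for the decision because a non-browser client such as Postman can send any value for it; per-user restrictions belong in authentication rather than in either header or address checks.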