
req.headers.origin is undefined

Fairly new to Node and Express. I have a sails.js app that relies on knowing the origin of a request, as I need to authenticate that the request is coming from a domain that is registered.

I've seen in the logs that the origin is empty occasionally. Why would this be happening? Is it not a good idea to rely on the origin property? Is there another option?

Thanks

Giles Butler asked Apr 09 '15 06:04



2 Answers

The origin may be hidden if the user comes from an SSL-encrypted website.

Also: some browser extensions remove origin and referer from the HTTP request headers, and therefore the origin property will be empty.

You might want to create some sort of authentication token and pass it as a parameter, instead of relying on request headers. Especially since the headers can be faked/manipulated.

Peanut answered Sep 20 '22 09:09


Try with this:

app.use(function(req, res, next) {
  // Echo the request's Origin header back as the allowed origin
  res.header("Access-Control-Allow-Origin", req.header('origin'));
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  // Allow cookies and other credentials on cross-origin requests
  res.header("Access-Control-Allow-Credentials", "true");
  next();
});
josebetomex answered Sep 21 '22 09:09
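
Added example, not part of the question or either answer: an Express-style middleware that authenticates with a token passed as a parameter (as the first answer suggests), tolerates a missing Origin header, and sets CORS headers only for registered origins instead of echoing whatever the client sent. The token format, `SERVER_KEY`, `REGISTERED_ORIGINS` and the function names are assumptions made for illustration, with constructed sample values.

```javascript
const crypto = require("crypto");

// Constructed sample values; in a real app these come from configuration or a datastore.
const REGISTERED_ORIGINS = new Set(["https://app.example.com"]);
const SERVER_KEY = "constructed-demo-key";

// Hypothetical token format: "<clientId>.<hex HMAC-SHA256(SERVER_KEY, clientId)>"
function issueToken(clientId) {
  const mac = crypto.createHmac("sha256", SERVER_KEY).update(clientId).digest("hex");
  return `${clientId}.${mac}`;
}

// Returns the clientId for a valid token, otherwise null.
function verifyToken(token) {
  if (typeof token !== "string") return null;
  const dot = token.lastIndexOf(".");
  if (dot < 1) return null;
  const clientId = token.slice(0, dot);
  const given = Buffer.from(token.slice(dot + 1), "hex");
  const expected = crypto.createHmac("sha256", SERVER_KEY).update(clientId).digest();
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? clientId : null;
}

// The token authenticates the caller; Origin only decides which CORS headers to send.
function checkRequest(req, res, next) {
  const clientId = verifyToken(req.query && req.query.token);
  if (!clientId) return res.sendStatus(401);

  const origin = req.headers.origin; // may be undefined, as seen in the question's logs
  if (origin !== undefined) {
    // Never echo an unregistered origin back, least of all with credentials allowed.
    if (!REGISTERED_ORIGINS.has(origin)) return res.sendStatus(403);
    res.set("Access-Control-Allow-Origin", origin);
    res.set("Access-Control-Allow-Credentials", "true");
    res.set("Vary", "Origin");
  }
  req.clientId = clientId;
  return next();
}
```

Register it with `app.use(checkRequest)`; requests without an Origin header are then accepted or rejected on the token alone.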