
"origin" is undefined when requests are received from the same server AND when malicious requests are sent from a program #296

Closed
dancherb opened this issue Feb 8, 2023 · 1 comment

dancherb commented Feb 8, 2023

I want to allow requests only to be made to my server from the same domain. It's been indicated that "origin" is undefined when this is the case, and so you should approve requests in this case.

const express = require('express')
const cors = require('cors')

const app = express()

const whitelist = []

const corsOptions = {
    // `origin` is undefined when the client sent no Origin header
    origin: function (origin, callback) {
        if (!origin || whitelist.indexOf(origin) !== -1) {
            callback(null, true)
        } else {
            callback(new Error('Not allowed by CORS'))
        }
    }
}

app.use(cors(corsOptions))

However - when I simulate malicious requests to my deployed server by using a program on my local computer (REST Client extension for VSCode), "origin" is also logged as undefined and the requests are allowed through.

This does also seem to be the case when no cors is enabled at all.

How can I prevent malicious requests to my server, such as those made by Postman and other programs?

dougwilson (Contributor) commented Feb 8, 2023

Hi @dancherb this module is here to set up rules around the origin header provided by the client, following the CORS specification. The CORS specification is a double-opt-in system where both the client and the server have to opt in (the client by sending the origin header and the server by using something like this module). CORS is an abbreviation of "cross-origin resource sharing" -- for the server to tell the client it's OK to share something that the client otherwise wouldn't. CORS is not a server-side security mechanism, as it 100% relies on data sent by the client and assists the security system in the client.

That's a long way to say: your use-case falls outside of what CORS is for.

To protect against unauthorized sources, you will likely need to implement authentication and authorization.
