Today, there are many applications that depend on APIs to access different resources. Some of the popular APIs include weather, time, and fonts.
There are also servers that host these APIs and ensure that information is delivered to websites and other endpoints. Therefore, making cross-origin calls is a common use case for modern web applications.
Consider accessing images, videos, iframes, or scripts from another server: the website is then accessing resources from a different origin or domain. When building an application with Express to serve up such resources, a request across origins may fail. This is where CORS comes in to handle cross-origin requests.
What is CORS?
CORS stands for Cross-Origin Resource Sharing. It allows us to relax the security applied to an API. This is done by setting the Access-Control-Allow-Origin header, which specifies which origins can access the API.
In other words, CORS is a browser security feature that restricts cross-origin HTTP requests to other servers and lets a server specify which domains may access its resources.
Ex: When the Boolean flag that indicates whether cross-site Access-Control requests should use credentials is set to true, the request is made with credentials such as cookies and authorization headers.
Client side:
Server Side:
To send credentials or allow access to a resource for a specific domain, we specify that domain as the origin.
Ex: To send credentials or allow access to a resource for multiple domains.
Ex: Any page can have access:
Performing requests with the API:
Not every HTTP method should be exposed to other origins. Within the CORS middleware, you can specify which methods the CORS policy allows.
The problem we faced:
In our case, the cookie-session was set in the response header, in Set-Cookie, but the cookie was not reflected in Cookie Storage. We have now overcome the problem by passing the credentials in CORS.
Conclusion:
When you deploy an application on the server, you should not accept requests from every domain. Instead, you should specify which origins can make requests to your server. This way, you are able to block users who attempt to clone your site or make requests from an unauthorized server. This is an important security measure.