启用了CORS的服务器不拒绝请求 [英] CORS-enabled server not denying requests

问题描述

我正尝试在我的resitfy服务器上使用express Cors 拒绝来自其他IP的请求.我在本地工作，所以我尝试将来源设置为随机的公共IP，但我的所有请求仍在处理中

I am trying to use express Cors with my resitfy server and it doesn't seem to be denying requests coming from other ips. I am working locally so I tried setting origin to a random public ip but all of my requests are still going through

这是我的路线:

module.exports = function(app) {
    var user = require('./controllers/userController');
    var cors = require('cors');
    var corsOptions = require('./cors.json');


    app.post('/auth/signup', cors(corsOptions),user.createUser);
    app.post('/auth/login', cors(corsOptions), user.validateUser);
    app.post('/auth/generateKeys', cors(corsOptions), user.generateKeys);
    app.post('/auth/generateToken', user.generateToken);
};

这是我的cors.json文件，在其中我设置了一个随机IP:

and here is my cors.json file where I have set a random ip:

{
    "origin": "http://172.16.12.123",
    "optionsSuccessStatus": 200,
}

在路线上设置了cors后，我可以在邮递员中看到以下内容，但请求仍在处理中?我希望访问被拒绝.

With cors set on the route I can see the following in postman but the request is still going through? I would expect an access denied response.

Access-Control-Allow-Origin→ http://172.16.12.123

推荐答案

CORS本身不会导致服务器拒绝来自任何IP的请求.您不能仅通过CORS配置来做到这一点.

CORS configuration on its own isn’t going to cause a server to deny requests from any IPs. You can’t do that just through CORS configuration.

使用CORS支持对其进行配置时，服务器所做的唯一不同就是发送Access-Control-Allow-Origin响应标头和其他CORS响应标头.就是这样.

The only thing a server does differently when you configure it with CORS support is just to send the Access-Control-Allow-Origin response header and other CORS response headers. That’s it.

跨域限制的实际执行仅由浏览器完成，而不由服务器完成.

Actual enforcement of cross-origin restrictions is done only by browsers, not by servers.

因此，无论您在服务器端进行任何CORS配置，服务器仍然继续接受来自所有客户端的请求，否则将继续起源.换句话说，来自所有来源的所有客户端仍然继续从服务器获取响应，就像他们原本会这样做一样.

So no matter what server-side CORS configuration you make on, the server still goes on accepting requests from all clients and origins it would otherwise; in other words, all clients from all origins still keep on getting responses from the server just as they would otherwise.

但是浏览器仅将跨域请求的响应公开给在特定来源运行的前端JavaScript代码，前提是该请求发送到的服务器选择加入以通过Access-Control-Allow-Origin标头，允许该来源.

But browsers will only expose responses from cross-origin requests to frontend JavaScript code running at a particular origin if the server the request was sent to opts-in to permitting the request by responding with an Access-Control-Allow-Origin header that allows that origin.

这是您使用CORS配置可以做的唯一事情.您不能仅通过执行任何服务器端CORS配置就使服务器仅接受并响应来自特定来源的请求.为此，您需要使用的不仅仅是CORS配置.

That’s the only thing you can do using CORS configuration. You can’t make a server only accept and respond to requests from particular origins just by doing any server-side CORS configuration. To do that, you need to use something other than just CORS configuration.

这篇关于启用了CORS的服务器不拒绝请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！