启用了CORS的服务器不拒绝请求 [英] CORS-enabled server not denying requests
问题描述
我正尝试在我的resitfy服务器上使用express Cors 拒绝来自其他IP的请求.我在本地工作,所以我尝试将来源设置为随机的公共IP,但我的所有请求仍在处理中
I am trying to use express Cors with my resitfy server and it doesn't seem to be denying requests coming from other ips. I am working locally so I tried setting origin to a random public ip but all of my requests are still going through
这是我的路线:
module.exports = function(app) {
var user = require('./controllers/userController');
var cors = require('cors');
var corsOptions = require('./cors.json');
app.post('/auth/signup', cors(corsOptions),user.createUser);
app.post('/auth/login', cors(corsOptions), user.validateUser);
app.post('/auth/generateKeys', cors(corsOptions), user.generateKeys);
app.post('/auth/generateToken', user.generateToken);
};
这是我的cors.json文件,在其中我设置了一个随机IP:
and here is my cors.json file where I have set a random ip:
{
"origin": "http://172.16.12.123",
"optionsSuccessStatus": 200,
}
在路线上设置了cors后,我可以在邮递员中看到以下内容,但请求仍在处理中?我希望访问被拒绝.
With cors set on the route I can see the following in postman but the request is still going through? I would expect an access denied response.
Access-Control-Allow-Origin→ http://172.16.12.123
推荐答案
CORS本身不会导致服务器拒绝来自任何IP的请求.您不能仅通过CORS配置来做到这一点.
CORS configuration on its own isn’t going to cause a server to deny requests from any IPs. You can’t do that just through CORS configuration.
使用CORS支持对其进行配置时,服务器所做的唯一不同就是发送Access-Control-Allow-Origin
响应标头和其他CORS响应标头.就是这样.
The only thing a server does differently when you configure it with CORS support is just to send the Access-Control-Allow-Origin
response header and other CORS response headers. That’s it.
跨域限制的实际执行仅由浏览器完成,而不由服务器完成.
Actual enforcement of cross-origin restrictions is done only by browsers, not by servers.
因此,无论您在服务器端进行任何CORS配置,服务器仍然继续接受来自所有客户端的请求,否则将继续起源.换句话说,来自所有来源的所有客户端仍然继续从服务器获取响应,就像他们原本会这样做一样.
So no matter what server-side CORS configuration you make on, the server still goes on accepting requests from all clients and origins it would otherwise; in other words, all clients from all origins still keep on getting responses from the server just as they would otherwise.
但是浏览器仅将跨域请求的响应公开给在特定来源运行的前端JavaScript代码,前提是该请求发送到的服务器选择加入以通过Access-Control-Allow-Origin
标头,允许该来源.
But browsers will only expose responses from cross-origin requests to frontend JavaScript code running at a particular origin if the server the request was sent to opts-in to permitting the request by responding with an Access-Control-Allow-Origin
header that allows that origin.
这是您使用CORS配置可以做的唯一事情.您不能仅通过执行任何服务器端CORS配置就使服务器仅接受并响应来自特定来源的请求.为此,您需要使用的不仅仅是CORS配置.
That’s the only thing you can do using CORS configuration. You can’t make a server only accept and respond to requests from particular origins just by doing any server-side CORS configuration. To do that, you need to use something other than just CORS configuration.
这篇关于启用了CORS的服务器不拒绝请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!