-1

I have an express server that allows the front end to get information from the database it works fine. Cors is set up with the front end whitelisted but, trying to get an image (that has already been uploaded and saved) comes back with nothing except a 500 error. I tried disabling cors and it worked fine but any origin can do things which is not what I wanted for this website. Im using apache with the proxy and proxy_http mod enabled so it can access the express js server running on pm2. code on server js:

const whiteList=['domain.com'];
const corsOptions = {
  origin:function(origin, callback){
    if(whiteList.indexOf(origin) !== -1){
      callback(null, true);
    } else{
      callback(new Error('Not allowed by CORS'));
    }
  }
}
app.use(cors(corsOptions));

I have even tried setting up cors headers in apache but it doesn't work as it still lets in origins not listes.

SEVO
  • 31
  • 1
  • 7
  • `domain.com` is not an [_origin_](https://developer.mozilla.org/en-US/docs/Glossary/Origin); it should be prefixed by `http://` or `https://` to be considered an origin. Also, how is your `origin` variable declared? Is it even declared anywhere? – jub0bs Nov 23 '21 at 10:56
  • bro, I only called it domain.com so I didn't publicly display the actual whitelisting info. Like I said it works fine until I need to serve static files from the server. – SEVO Nov 23 '21 at 13:56
  • You lost me at "bro". – jub0bs Nov 23 '21 at 14:01

1 Answers1

-1

So I was able to fix this by doing this instead:

app.use(cors({origin: "https://example.com", allowedHeaders: ["Authorization", "Content-Type"]}));

The issue that actually found was that the server was not sending back all the cors headers including: Access-Control-Allow-Headers which was stuffing up everything.

It seems to be possibly a bug with cors package with having it's parameters in their own object managed to mess up what the server returned so for now its going to have to look a little bit ugly.

I did even followed what the cors documentation said but, that lead to even more problems weirdly.

SEVO
  • 31
  • 1
  • 7
  • I do think that there might be some conflicting code with cors and helmet maybe as helmet configures what headers are sent back so, that is what might of happened. – SEVO Nov 26 '21 at 07:42