I want to allow requests to be made to my server only from the same domain. However, when I deploy my server without any CORS configuration enabled, I can still successfully make requests to it from programs like Postman or the REST Client extension for VS Code, which I want to block.
When using the "cors" npm package, the documentation indicates that, when configuring a whitelist, "origin" is undefined for requests coming from the same server, and so you should approve requests in this case:
const cors = require('cors')

// Origins allowed to make cross-origin requests (none added yet).
const whitelist = []

const corsOptions = {
  // `origin` is the value of the request's Origin header; it is undefined
  // when the request carries no Origin header at all.
  origin: function (origin, callback) {
    if (!origin || whitelist.indexOf(origin) !== -1) {
      callback(null, true)            // allow: no Origin header, or whitelisted
    } else {
      callback(new Error('Not allowed by CORS'))
    }
  }
}

// Registered with Express as: app.use(cors(corsOptions))
However, when I simulate malicious requests to my deployed server with a local program, "origin" is also logged as undefined and the requests are allowed through. How can I block these?