I have been experimenting with making node.js applications that I can then deploy to Heroku lately. Heroku is a great way to host a node.js app up on the web for free, so there is no pressure when it comes to spending money each month just to host some simple hobby, test, or demo app.
Anyway one thing I would like to do is to have some kind of json service where I make a request from a client system on my website, and receive back json data. In order to do this I will need to make http requests across origins. To do this it is important to know a thing or two about CORS (Cross Origin Resource Sharing). to help with this there is the npm package cors.
For this project I made just a single index.js file that makes a simple express app. I am of course using cors as a middleware, and also my own method that I use before CORS to check if the origin header is there or not. If it is not there i assume that means it is not a CORS request, and present something different.
By using app.use it will result in me using cors for all paths in the app, there is only one path in this demo, but if i had many in an app, and only wanted one path to be a cors path I could do something lime this:
When making the main index.js file for this project I ran into some trouble getting cors to work as expected, because cors has a reputation of being a little complex. When checking out issue 71, and also issue 89 It occurred to be that the problem is that req.headers.origin will be undefined when not making a Cross Origin request.
So in other words when req.headers.origin is undefined it should mean that the request was made within the origin of the site, or service. In this case there is no need for cors, and the request can just be handled like a plain old request from within the site.
The best way to work with what I am writing about here might be to just clone down what I have worked out.
Just replace ‘dp83-cors’ with a different app name if I still have this demo live.
looks like cors is a great way to restrict access for cross orion requests, it is a way in which I can make it so I have a white list of origin names, and the request will only be honored if the request is coming from my domain.