DEV Community

[Comment from a deleted post]
A7U

If I'm not wrong, CORS only protects the browser from being accessed from other browsers but not from servers.

Andrei Dascalu

True that, but then again the example is also (at best) incomplete.

A server does not declare an origin, a browser will do that (also complete with scheme, as a URL). At best, origin check against a server side will reveal the IP and that's about it.

The server-side request will not provide a scheme as origin.

On a more general note, hardcoding anything like this in the application will obviously limit the portability of an API (if you later deploy your frontend on a different URL and you hardcode scheme and domain, you'll need to redeploy your API with an updated check, or at least introduce a runtime config option).

More sensible would be to delegate this responsibility to a load balancer.
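To make the two points above concrete (the scheme is part of the origin, and a server-side client simply sends no Origin header), here is an added example of a server-side Origin allowlist check. It is not code from the deleted post or from either commenter; the shape of the config object (an `allowed_origins` array, standing in for the config.json mentioned in the thread) and the function names are assumptions for illustration.

```javascript
// Added example, not from the original thread. Shows an exact-match Origin
// allowlist driven by config rather than a hardcoded string, and makes the
// absence of an Origin header (curl, another backend) an explicit outcome,
// since CORS can only gate browsers, not servers.

// Hypothetical config: roughly what a config.json might hold (constructed sample).
const config = {
  allowed_origins: ["https://app.example.com", "http://localhost:3000"],
};

// Normalise an Origin value to scheme + host + non-default port for comparison.
// Returns null for anything that is not an absolute http(s) URL, e.g. the
// literal string "null" that browsers send for opaque origins.
function normalizeOrigin(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin; // e.g. "https://app.example.com" (default port dropped)
  } catch {
    return null;
  }
}

// Classify a request by its Origin header. Returns one of:
//   "allowed"   - Origin exactly matches an allowlisted origin, scheme included
//   "denied"    - Origin present but not on the allowlist (or unparsable)
//   "no-origin" - header absent: a non-browser client or a same-origin GET;
//                 CORS does not apply here, so authentication has to decide
function classifyOrigin(headers, allowedOrigins) {
  const raw = headers["origin"];
  if (raw === undefined) return "no-origin";
  const origin = normalizeOrigin(raw);
  if (origin === null) return "denied";
  // Exact set membership: a substring or prefix test would let
  // "https://app.example.com.other.example" through.
  const allow = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
  return allow.has(origin) ? "allowed" : "denied";
}

// Response headers for an allowed origin. Echo the single matched origin
// (never "*" together with credentials) and add Vary: Origin so a shared
// cache does not hand one origin's response to another.
function corsHeaders(headers, allowedOrigins) {
  if (classifyOrigin(headers, allowedOrigins) !== "allowed") return {};
  return {
    "Access-Control-Allow-Origin": normalizeOrigin(headers["origin"]),
    "Vary": "Origin",
  };
}

// Stand-alone demonstration with constructed header sets.
console.log(classifyOrigin({ origin: "https://app.example.com" }, config.allowed_origins)); // allowed
console.log(classifyOrigin({ origin: "http://app.example.com" }, config.allowed_origins));  // denied (wrong scheme)
console.log(classifyOrigin({}, config.allowed_origins));                                     // no-origin
```

Note that the "no-origin" branch is the whole of A7U's first point: a request from another server arrives without an Origin header, the allowlist never runs, and only whatever authentication the API already requires stands between that client and the endpoint.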

A7U

True. But I have hardcoded in the post just to give an example, in my app it's not hardcoded but in a config.json called "base_url" which can be changed from the UI.

I think both the example I have given and CORS would be good, because it's never too much for security 😀