True that, but then again the example is also (at best) incomplete.
A server does not declare an origin; a browser will do that (also complete with scheme, as a URL). At best, an origin check against a server-side request will reveal the IP, and that's about it.
The server-side request will not provide a scheme as origin.
On a more general note, hardcoding anything like this in the application will obviously limit the portability of an API (if you later deploy your frontend on a different URL and you hardcode scheme and domain, you'll need to redeploy your API with an updated check, or at least introduce a runtime config option).
It would be more sensible to delegate this responsibility to a load balancer.
True. But I hardcoded it in the post just to give an example; in my app it's not hardcoded but in a config.json entry called "base_url" which can be changed from the UI.
I think both the example I have given and CORS would be good, because there's never too much security 😀
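An added example (not code from either commenter or the original post) of what the two replies describe: an Origin check driven by a config value like the post's `base_url` rather than a hardcoded scheme and domain, which also makes explicit that a request with no Origin header (a server-to-server call, curl) gives the check nothing to decide on. It assumes a Node.js runtime where `URL` is global; the `config` object and the origins used are constructed sample values.

```javascript
// Constructed sample config, standing in for the post's config.json "base_url".
const config = { base_url: "https://app.example.com" };

// Normalise a URL to its origin (scheme + host + port). Path, query, host case
// and a default port are dropped, so "https://App.Example.com:443/" matches
// "https://app.example.com". Returns null for a malformed value.
function toOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Classify a request's Origin header against the configured allow-list.
//   "absent":  no Origin header at all (server-side request, curl, some
//              same-origin navigations). Nothing here identifies the caller,
//              so the check must not be treated as authentication.
//   "allowed": a browser declared an origin and it matches the allow-list,
//              scheme included (http:// vs https:// is a mismatch).
//   "denied":  a browser declared an origin that is malformed or not listed.
function classifyOrigin(originHeader, allowedOrigins = [config.base_url]) {
  if (originHeader === undefined || originHeader === null) return "absent";
  const origin = toOrigin(originHeader);
  if (origin === null) return "denied";
  const allowed = new Set(allowedOrigins.map(toOrigin).filter(Boolean));
  return allowed.has(origin) ? "allowed" : "denied";
}

// CORS response headers for a browser request: echo only an allowed origin
// (never "*") and add Vary: Origin so a shared cache does not serve one
// origin's response to another.
function corsHeaders(originHeader, allowedOrigins = [config.base_url]) {
  if (classifyOrigin(originHeader, allowedOrigins) !== "allowed") return {};
  return {
    "Access-Control-Allow-Origin": toOrigin(originHeader),
    "Vary": "Origin",
  };
}
```

Changing `config.base_url` (or passing a longer `allowedOrigins` list) is the only edit needed when the frontend moves, which is the portability point raised above.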