Why doesn’t CORS block Postman and derivatives?

Viewed 752 times

10

I am creating a RESTful API with Node.js and Express, and in it I am using CORS to "control" requests.

In the browser it works: if I make a request to this API from the console of the Stack Overflow site here, I cannot use it, it is blocked. If I go to my domain, to which I granted access in this way:

app.get('/product/:id', cors({ origin: "https://www.meusite.com.br" }), (req, res) => { /* route handler */ });

I succeed when using the API.

However, the question is: if I come from anywhere using Postman, Insomnia or derivatives, I can take advantage of any API feature.

Why does this happen?

1 answer

9


Because CORS is a security implementation in browser engines, and as such it validates cross-domain requests.

Other tools like Postman are not running in a browsing context and therefore, if you do not implement CORS, you can run any request with no problem.

If there is any restriction on the server side that does any validation, the request can miss the response, but the request works well; after all, these are applications that are not restricting the requests.

  • I get it... Is there anything similar to "Cors" for any request from anywhere? Or would you have to validate it manually?

  • Are you talking about server validation? If so, this link helps a lot: https://enable-cors.org/server.html
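
Added example, not part of the original question, answer or comments: a simplified JavaScript model of who enforces CORS, and of a server-side check that applies to every client. The function names, the sample product and the token are constructed for illustration; the browser check is reduced to the single header comparison relevant here.

```javascript
// Origin taken from the question; token is a constructed placeholder.
const ALLOWED_ORIGIN = "https://www.meusite.com.br";
const API_TOKEN = "example-token";

// Server side with only cors({ origin: "..." }): the middleware adds response
// headers. It does not reject anything; the handler runs and the body is sent.
function corsOnlyRoute(requestHeaders) {
  return {
    status: 200,
    headers: { "access-control-allow-origin": ALLOWED_ORIGIN, vary: "Origin" },
    body: JSON.stringify({ id: 1, name: "sample product" }),
  };
}

// Browser side: for a cross-origin request the browser compares the header
// with the page's origin and hides the response from the script on mismatch.
function browserExposesToScript(pageOrigin, response) {
  const allowed = response.headers["access-control-allow-origin"];
  return allowed === "*" || allowed === pageOrigin;
}

// Postman, Insomnia, curl: no such comparison exists, the body is simply read.
function nonBrowserClientReads(response) {
  return response.body;
}

// A restriction that holds for any client has to be decided by the server,
// for example by requiring a credential (assumed scheme: bearer token).
// Production code should compare secrets in constant time.
function authenticatedRoute(requestHeaders) {
  if (requestHeaders["authorization"] !== `Bearer ${API_TOKEN}`) {
    return { status: 401, headers: {}, body: JSON.stringify({ error: "unauthorized" }) };
  }
  return corsOnlyRoute(requestHeaders);
}

// Walk through the three situations described on the page.
function demo() {
  const res = corsOnlyRoute({ origin: "https://stackoverflow.com" });
  return {
    fromOtherSiteConsole: browserExposesToScript("https://stackoverflow.com", res),
    fromAllowedSite: browserExposesToScript(ALLOWED_ORIGIN, res),
    fromPostman: nonBrowserClientReads(res),
    postmanWithoutToken: authenticatedRoute({}).status,
  };
}
```

The same header object shape is what a Node `http` or Express handler sees in `req.headers`, so `authenticatedRoute` can be adapted into middleware placed before the route.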
