Skip to main content

CORS Tutorial in Depth | Complete Guide

Image
By ITN
CORS Tutorial in Depth | Complete Guide
In this article, I will cover CORS Tutorial in Depth by considering various examples. You will learn how to resolve the various errors that you usually get in the browser. CORS stands for Cross-Origin Resource Sharing. 

It is a feature that relaxes the security of your Website or API. By Default, the same-origin policy applies in all the browsers so you call from origin back to your web server. CORS allows certain origins that are allowed to access the API so if you have got certain subdomains or a particular 3rd party website then you can allow just those rather than everyone.

It does this by returning the header in the response header. If you try to access this from the command line then you will be able to do so because it is just a browser security feature. You can Play around with cors in Test Cors or use the below node code. 

res.setHeader('Access-Control-Allow-Origin', <Origin>);
res.setHeader('Access-Control-Allow-Methods', <Method>);
res.setHeader('Access-Control-Allow-Headers', <Headers>);
res.setHeader('Access-Control-Allow-Credentials', <Boolean Credentials>);
Consider we have two different origins and they want to share resources. Before the actual API call, a Preflight(OPTIONS) call will be made at the server so that server can verify if the current request is allowed or not. If the current request is allowed then in response It set an additional HTTP header along with the request and send back to the client browser. Once the browser receives then actual API call is made. If the verification fails then it block and throw error.

Let’s Consider Different Scenario of CORS Error

Allowed only Particular Origin

If a client tries to access from another origin that is not mentioned in ‘Access-Control-Allow-Origin’ then you will get a cors error. In Below Example only allowed origin is ‘abc.com’. 

const express                   = require('express');
const bodyParser                = require('body-parser');
const cors                      = require('cors');

let app     = express();
app.use(function (req, res, next) {
  res.setHeader('Access-Control-Allow-Origin', 'https://abc.com');
  next();
});

app.use(bodyParser.urlencoded({limit: '50mb', extended: true}));
app.use(bodyParser.json({limit: '50mb'}));
app.get('/ping',(req,res)=>res.send("OK"));
app.listen(3000);

If we try to access from another origin then we will get a cors error(Access to fetch at 'http://localhost:3000/ping' from origin 'https://infotipsnews.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://infotipsnewsi.com' that is not equal to the supplied origin. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.) If you want to allow all origin then you can pass * to allow all domain and subdomain.
When We try to access API from infotipsnews.com and in the below code if we mention allowed origin as infotipsnews.com then you will not get Cors Error.

  
const express                   = require('express');
const bodyParser                = require('body-parser');
const cors                      = require('cors');

let app     = express();
app.use(function (req, res, next) {
  res.setHeader('Access-Control-Allow-Origin', 'https://infotipsnews.com');
  next();
});

app.use(bodyParser.urlencoded({limit: '50mb', extended: true}));
app.use(bodyParser.json({limit: '50mb'}));
app.get('/ping',(req,res)=>res.send("OK"));
app.listen(3000);

Allowed only Particular Method

If the Client tries to access another method that is not mentioned in the “Access-Control-Allow-Methods” then you will get an error. By Default It will not give errors in GET and POST. Below example, I have created a PUT API and have not mentioned methods in “Access-Control-Allow-Methods”. If we try to hit ping API then we will get an Error. 

const express                   = require('express');
const bodyParser                = require('body-parser');
const cors                      = require('cors');

let app     = express();
app.use(function (req, res, next) {
  res.setHeader('Access-Control-Allow-Origin', 'https://infotipsnews.com');
  res.setHeader('Access-Control-Allow-Methods', 'GET,HEAD,POST');
  next();
});

app.use(bodyParser.urlencoded({limit: '50mb', extended: true}));
app.use(bodyParser.json({limit: '50mb'}));
app.delete('/ping',(req,res)=>res.send("OK"));
app.listen(3000);

Conclusion 

In order to resolve the error, your domain and methods need to be allowed from the server domain. If you are facing any issues then please let us know in the comment section. 

Hope You Like our “CORS Tutorial in Depth” article. Please subscribe to our blog for the latest upcoming blogs on emails.
Labels:

Comments

Post a Comment

Popular posts from this blog

Docker Compose file vs Dockerfile - Differences - Explained

By ITN
The Dockerfile is used to build a custom image and does not directly generate a container. It’s just that you can run the container while running the image. The container orchestration to deploy the environment is done using the docker-compose.yml file, which may require a Dockerfile.
Post a Comment
Read more

Netflix Premium Cookies 2024 - Netflix free Premium Cookies

By ITN
As streaming services continue to dominate our entertainment landscape, Netflix still remains a top streaming service. But Netflix is not free. But what if I told you there’s a free way to access Netflix’s premium content without paying any money. 
Post a Comment
Read more

Blogger Landing Page Template - Free Landing Page Templates

By ITN
If you are looking for free Blogger (Blogspot) landing page templates, then you have come to the right place. There are a lot of available templates in WordPress with landing pages, but there is a scarcity of Blogger landing page templates. 
Post a Comment
Read more