173

This subject has been asked a couple of times, but I still don't understand something:

When I read answers about

No 'Access-Control-Allow-Origin' header

issue, it says a setting should be set on the requested server in order to allow cross domain: `add_header 'Access-Control-Allow-Origin' '*';`.

But, please tell me why, when asking from Postman (which is a client), it's working like a charm and I have a response from the requested server?

Thank you

IsraGab
    Postman doesn't care about SOP, it's a dev tool not a browser. – Musa Mar 27 '16 at 17:54
    @Musa Ok, so if it's a browser (client) issue, why should I have to modify something on the server? – IsraGab Mar 27 '16 at 17:55
    It's the server that tells the browser that it's okay ([CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS)) or not for a given site to access its content, and the browser honours it. – Musa Mar 27 '16 at 18:10
    The real question here is how to configure POSTMAN to mimic the browser behavior where an ORIGIN request is sent first. In essence, how do you make POSTMAN behave like a browser, because we need to test to make sure our APIs are configured correctly. So what if the API works from POSTMAN and it breaks due to CORS from the browser? It means the API is useless. – Chris Love Mar 20 '20 at 18:44
  • @ChrisLove did you figure something out? – Exboy Aug 10 '23 at 21:58
  • No, I never did – Chris Love Aug 21 '23 at 18:25

6 Answers

126

CORS (Cross-Origin Resource Sharing) and SOP (Same-Origin Policy) are server-side configurations that clients decide to enforce or not.

Related to clients

  • Most browsers do enforce it to prevent issues related to CSRF attacks.
  • Most Development tools don't care about it.
Ahmed Nabil
Felipe Roos
75

As @Musa comments, it seems that the reason is that:

Postman doesn't care about SOP, it's a dev tool not a browser

By the way, here's a Chrome extension in order to make it work on your browser (this one is for Chrome, but you can find one for FF or Safari).

Check here if you want to learn more about Cross-Origin and why it's working for extensions.

IsraGab
    Then how do I protect my API routes from being accessed from tools like Postman? For example, an API which requires a captcha verification. But if directly accessed from Postman, the captcha verification is bypassed. – Sadman Muhib Samyo Jan 01 '20 at 06:19
  • The same question, and besides this, how can an extension break the single origin policy? – Iván Cortés Apr 28 '20 at 05:06
    Sadman Muhib Samyo, CORS is not there to protect the server. It is there to protect the client from cookie stealing and other client side attacks. – Satyan Raina Feb 07 '22 at 19:28
  • @SatyanRaina then, why do we allow all origins from the server? How can a configuration in the server, affect client-side protection? – Rationalist Jul 03 '23 at 02:13
68

If you use a website and you fill out a form to submit information (your social security number for example) you want to be sure that the information is being sent to the site you think it's being sent to. So browsers were built to say, by default, 'Do not send information to a domain other than the domain being visited'.

Eventually that became too limiting, but the default idea still remains in browsers: don't let the web page send information to a different domain. But this is all browser checking. Chrome and Firefox, etc. have built-in code that says 'before sending this request, we're going to check that the destination matches the page being visited'.

Postman (or CURL on the cmd line) doesn't have those built in checks. You're manually interacting with a site so you have full control over what you're sending.

user3724317
    More accurately, Postman does not send an XmlHttp Request that would get checked but a top level network call (like you're opening the URL in a new browser tab), so it does not get kicked in even when in an extension. – tgkprog Apr 02 '18 at 21:56
    The browser is not checking that your site isn't sending data to another domain: if the other domain's site is allowing all origins, your browser is 100% ok with that. It's the opposite, it's protecting the other domain, in case your site would use its resources without being authorized. – XouDo Aug 25 '20 at 09:44
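The "built-in check" this answer describes is the decision a browser makes on the response, after the request has already reached the server. The following is an added example (not from the question or any answer) that models that decision: the same-origin shortcut, the missing-header case behind the error in the question, the wildcard, and the stricter rule that applies once cookies or HTTP auth are attached. Header names are assumed lower-cased, as a browser would normalise them; Postman and curl perform no such step and simply hand over the body.

```javascript
'use strict';

// Scheme + host + port of a URL: the tuple the same-origin policy compares.
function originOf(url) {
  return new URL(url).origin;
}

// Returns true if page script running at pageOrigin may read the response
// to a request sent to requestUrl, given the response headers. This is the
// browser's enforcement step; nothing on the server side can skip it.
function browserAllowsRead(pageOrigin, requestUrl, responseHeaders,
                           { withCredentials = false } = {}) {
  // Same origin: CORS is not consulted at all.
  if (originOf(requestUrl) === pageOrigin) return true;

  const acao = responseHeaders['access-control-allow-origin'];
  // This is the "No 'Access-Control-Allow-Origin' header" error: the server
  // answered, the bytes arrived, but the page is not allowed to see them.
  if (acao === undefined) return false;

  if (withCredentials) {
    // With cookies or HTTP auth attached the wildcard is rejected, and the
    // server must also opt in explicitly with Allow-Credentials: true.
    return acao === pageOrigin &&
      responseHeaders['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// Constructed sample responses, as a server might send them.
const SAMPLE_RESPONSES = {
  none: {},
  wildcard: { 'access-control-allow-origin': '*' },
  exact: { 'access-control-allow-origin': 'https://app.example.com' },
  exactWithCredentials: {
    'access-control-allow-origin': 'https://app.example.com',
    'access-control-allow-credentials': 'true',
  },
};
```

Note that in every branch the server's response has already been produced and transmitted; the check only governs whether the calling page may read it, which is why the comments above are right that CORS protects the resource owner's data in the user's browser, not the server from arbitrary clients.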
35

While all of the answers here are a really good explanation of what CORS is, the direct answer to your question would be the following differences between Postman and a browser.

Browser: Sends an OPTIONS call to check the server type and get the headers before sending any new request to the API endpoint, where it checks for Access-Control-Allow-Origin. Taking this into account, the Access-Control-Allow-Origin header just specifies which cross origins are allowed, although by default the browser will only allow the same origin.

Postman: Sends direct GET, POST, PUT, DELETE etc. requests without checking what type of server it is and without getting the Access-Control-Allow-Origin header by using an OPTIONS call to the server.

Rishabh Batra
    "Sends OPTIONS call to check the server type and getting the headers before sending any new request to the API endpoint" — That isn't true. It only does that for non-simple requests. – Quentin Sep 30 '20 at 21:04
  • @Quentin can you elaborate? – lordvcs Mar 07 '22 at 08:39
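Quentin's correction is the part worth pinning down: a browser only sends the OPTIONS preflight for requests that are not "simple" (a method outside GET/HEAD/POST, a header outside the CORS-safelisted set, or a Content-Type other than the three form-style values). The following is an added example, not code from this answer, that classifies a request the way a browser would and contrasts the resulting wire sequence with what Postman sends; the request objects are constructed for illustration, and the safelist is reduced to the common headers (the spec also safelists a constrained Range header and limits header value lengths, which are omitted here).

```javascript
'use strict';

// Methods that never trigger a preflight on their own.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// CORS-safelisted request headers (reduced set; see lead-in).
const SAFE_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// Content-Type values that keep a POST "simple".
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True when a browser would send OPTIONS before this request.
function needsPreflight({ method = 'GET', headers = {} }) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFE_HEADERS.has(lname)) return true;
    if (lname === 'content-type') {
      // Only the media type counts; parameters such as charset are ignored.
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// The HTTP methods a browser actually puts on the wire for this request.
function browserRequestSequence(request) {
  const method = (request.method || 'GET').toUpperCase();
  return needsPreflight(request) ? ['OPTIONS', method] : [method];
}

// Postman, curl and similar tools send the request as written, every time.
function postmanRequestSequence(request) {
  return [(request.method || 'GET').toUpperCase()];
}

// Constructed sample requests.
const SAMPLE_REQUESTS = {
  plainGet: { method: 'GET' },
  formPost: { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' } },
  jsonPost: { method: 'POST', headers: { 'Content-Type': 'application/json' } },
  bearerGet: { method: 'GET', headers: { Authorization: 'Bearer constructed-token' } },
  deleteCall: { method: 'DELETE' },
};
```

A practical consequence for testing an API from Postman: a JSON POST that succeeds in Postman can still fail from a page, because the page's browser first sends an OPTIONS request that the server must answer with the allowed methods and headers, and that OPTIONS request is the one Postman never issues unless you send it by hand.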
3

Generally, Postman is used for debugging and in the development phase. But in case you want to block it even from Postman, try this.

    const referrer_domain = "[enter-the-domain-name-of-the-referrer]"
    // Check the Referer header. Note that it is supplied by the client: it may
    // be absent, and a tool such as Postman or curl can set it to any value.
    app.all('/*', function(req, res, next) {
      // Guard against a missing header, which would otherwise throw a TypeError
      const referer = req.headers.referer || ''
      if (referer.indexOf(referrer_domain) == -1) {
        // Return here; without it, next() would still run the route handler
        return res.status(403).send('Invalid Request')
      }
      next()
    })
Bharath Pabba
-4

Use the browser/Chrome Postman plugin to check the CORS/SOP like a website. Use the desktop application instead to avoid these controls.