125

I'm using express.js and I need to know the domain which is originating the call. This is the simple code

app.get(
    '/verify_license_key.json',
    function( req, res ) {
        // do something

How do I get the domain from the req or the res object? I mean I need to know if the API was called by somesite.example or someothersite.example. I tried doing a console.dir of both req and res but I got no idea from there, also read the documentation but it gave me no help.

Stephen Ostermiller
  • 23,933
  • 14
  • 88
  • 109
Nicola Peluchetti
  • 76,206
  • 31
  • 145
  • 192
  • 1
    try: `req.host` or `req.get('host')` [expresses docs](http://expressjs.com/api.html#req.host) – dc5 Aug 28 '13 at 21:45
  • 3
    node.js: `req.headers["x-forwarded-for"] || req.connection.remoteAddress` [x-forwarded-for](http://en.wikipedia.org/wiki/X-Forwarded-For) would cover your bases behind a proxy, load balancer... – Eat at Joes May 16 '14 at 19:13
  • I get this warning: express deprecated req.host: Use req.hostname instead index.js:20:8 – Adam Fowler Mar 08 '15 at 03:15
  • *"I need to know if the API was called by somesite.example"*. Note that the domain *example.com* is reserved specifically for use in examples: https://www.iana.org/domains/reserved – Stijn de Witt Jul 01 '22 at 07:45

5 Answers5

209

You have to retrieve it from the HOST header.

var host = req.get('host');

It is optional with HTTP 1.0, but required by 1.1. And, the app can always impose a requirement of its own.

If this is for supporting cross-origin requests, you would instead use the Origin header.

var origin = req.get('origin');

Note that some cross-origin requests require validation through a "preflight" request:

req.options('/route', function (req, res) {
    var origin = req.get('origin');
    // ...
});

If you're looking for the client's IP, you can retrieve that with:

var userIP = req.socket.remoteAddress;

Note that, if your server is behind a proxy, this will likely give you the proxy's IP. Whether you can get the user's IP depends on what info the proxy passes along. But, it'll typically be in the headers as well.

Community
  • 1
  • 1
Jonathan Lonowski
  • 121,453
  • 34
  • 200
  • 199
  • 1
    But doesn't this give me the host of the api?It might be caused by the fact that i'm doing this locally and i have api.time.ly set to resolve to 127.0.0.1 and the call i'm making is from localhost ,but if i use that, host is "api.time.ly" i need to know the domain which is calling me. i will test this on a live site. – Nicola Peluchetti Aug 28 '13 at 21:54
  • 1
    @NicolaPeluchetti I guess I don't understand what you mean by "*the domain which is calling me*." HTTP clients don't typically supply their own hostname in the request. Is this for [CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing)? – Jonathan Lonowski Aug 28 '13 at 22:07
  • I've got a central api which is located at api.time.ly. This api is called by different client websites which install our wordpress plugin. So we could have http://church1.com and http://sauna1.com make calls to our api. In the API would i be able to get if the call was made from http://church1.com or from http://sauna1.com? i saw a header `'user-agent': 'WordPress/3.6; http://localhost/wordpress_clean'` should i parse that? – Nicola Peluchetti Aug 28 '13 at 22:31
  • If Domain is not passed, it's not a problem, i can add it to the API call obviously. – Nicola Peluchetti Aug 28 '13 at 22:38
  • @NicolaPeluchetti You can try splitting and [parsing](http://nodejs.org/api/url.html#url_url_parse_urlstr_parsequerystring_slashesdenotehost) the user-agent or requiring it as data in the request. But, I'd say something like [OAuth](https://en.wikipedia.org/wiki/OAuth) would be better suited for identifying clients. – Jonathan Lonowski Aug 28 '13 at 22:45
  • Hi, probably passing the parameter in the call is the best option, i just need to know the domain to perform some checks to see if the same licence is used on more than one site. I'll mark this as the answer. – Nicola Peluchetti Aug 28 '13 at 22:59
  • It doesn't work for domains such as mydomain.ninja – gdorbes Dec 09 '22 at 10:15
54

Instead of:

var host = req.get('host');
var origin = req.get('origin');

you can also use:

var host = req.headers.host;
var origin = req.headers.origin;
Michiel
  • 4,160
  • 3
  • 30
  • 42
18

In Express 4.x you can use req.hostname, which returns the domain name, without port. i.e.:

// Host: "example.com:3000"
req.hostname
// => "example.com"

See: http://expressjs.com/en/4x/api.html#req.hostname

Jake
  • 143
  • 2
  • 8
DiegoRBaquero
  • 1,208
  • 10
  • 14
  • 20
    This returns hostname of the server you are receiving request on. It **will work only if** you are running your API and website on the same server and originating and receiving party is the same host. – Paul T. Rawkeen Jul 04 '19 at 08:14
  • 1
    this returns the hostname of the server that is hosting the code, not the originating..... – Pencilcheck Sep 21 '22 at 02:14
  • "Contains the hostname derived from the Host HTTP header", and " The Host request header specifies the host and port number of the server to which the request is being sent"... So this is not the origin... – Luis May 15 '23 at 22:02
4

req.get('host') is now deprecated, using it will give Undefined.

Use,

    req.header('Origin');
    req.header('Host');
    // this method can be used to access other request headers like, 'Referer', 'User-Agent' etc.
ChrisF
  • 134,786
  • 31
  • 255
  • 325
molagbal
  • 323
  • 3
  • 11
2

Year 2022, I use express v4.17.1 get following result

var host = req.get('host'); // works, localhost:3000

var host = req.headers.host; // works, localhost:3000

var host = req.hostname; // works, localhost

var origin = req.get('origin'); // not work, undefined

var origin = req.headers.origin; // not work, undefined

enter image description here

hoogw
  • 4,982
  • 1
  • 37
  • 33
  • var host = req.get('host'); // works, localhost:3003 // server host, no origin (3000)... – Luis May 15 '23 at 21:32