18

Fairly new to Node and Express. I have a sails.js app that relies on knowing the origin of a request, as I need to authenticate that the request is coming from a domain that is registered.

I've seen in the logs that the origin is empty occasionally. Why would this be happening? Is it not a good idea to rely on the origin property? Is there another option?

Thanks

Travis Webb
Giles Butler

4 Answers

28

The origin may be hidden if the user comes from an SSL-encrypted website.

Also: some browser extensions remove origin and referer from the HTTP request headers, and therefore the origin property will be empty.

You might want to create some sort of authentication token and pass it as a parameter, instead of relying on request headers. Especially since the headers can be faked/manipulated.

Peanut
  • Brilliant, thanks @peanut. That makes a lot of sense now. I have authentication tokens already but it's easy for someone to find it as my service uses a piece of JS that anyone can install on their own site so the origin was another part of the security check. What would be a better way round this? Is there still no way to reliably get the origin? – Giles Butler Apr 09 '15 at 07:08
  • Generate the tokens on the server side. Use something only your server can generate (i.e. based on a password, or something similar, so one server can generate it and the other can validate it). This is a bit too complicated to explain in a single comment, though. There are a lot of tutorials and papers about this topic. – Peanut Apr 09 '15 at 07:20
  • @Peanut out of curiosity, how are headers any more vulnerable to being faked/manipulated than params? – babycakes Apr 11 '17 at 20:14
  • @babycakes they're not; both can be faked, although for CSRF purposes the header can't be tampered with as it's generated by the browser, not an attacker's page. Also it's `referer` that is stripped in https, not `origin`. It depends on your [referrer-policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy). – RJFalconer May 30 '18 at 10:03
3

Try with this:

app.use(function(req, res, next) {
  var origin = req.header('origin');
  // This echoes whatever Origin the browser sent, so every site on the web
  // gets a credentialed CORS response: it disables exactly the same-origin
  // protection the question is trying to enforce. Only the missing-Origin
  // case is guarded here; without the guard Express would send the literal
  // string "undefined" as the allowed origin.
  if (origin) {
    res.header("Access-Control-Allow-Origin", origin);
    res.header("Access-Control-Allow-Credentials", "true");
  }
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  next();
});
josebetomex
3

If you want to get the URL from which your client is requesting, then `req.headers.referer` can help you out.

For example, if I am calling an abcd.com API from xyz.com, then at abcd.com the referer will print xyz.com, as it is the URL from which you are requesting.

  • This is a brilliant answer, should be the accepted answer too. Additionally we can also use the user agent to get some extra details: `req.get('User-Agent')`. – Grijan Jul 07 '22 at 10:07
-1

Try this

// Reads the Host header: the address the request was sent to (this server's
// own host name, as the client typed it), not where the request came from.
var host = req.headers.host;

OR

// Same header via Express's req.get(), which looks headers up case-insensitively.
var host = req.get('host');
Abdul Basit
  • This is wrong. `req.get('host')` will return the server domain or IP, but not the referer, e.g. where the user was redirected or requested from. – Krishna Torque Jan 01 '21 at 17:05
  • @KrishnaTorque yes, you're right, but in previous Node versions you could access the host this way; in newer versions `var host = req.headers.host;` is the right way. – Abdul Basit Jan 02 '21 at 16:00
  • @AbdulBasit `host` and `origin` are for different things. `origin` signifies the address from which the request originated, and `host` signifies the address/URI the request was made to. – Utkarsh Dixit Aug 31 '21 at 10:51