
I have a .NET Core API application where I have implemented CORS with restricted origins. This is working fine: if I call the API from a browser and the origin is not matched, the call gets blocked, but if I call the same API from Postman I get the result even if the Origin header is missing or I add the Origin header manually.

I need to block any call which is not initiated from my front-end app.

James Z
Amit007
  • Please provide your code with CORS configuration – twinmind May 18 '18 at 17:02
  • CORS configuration isn’t a means to cause servers to block requests. Instead it’s just a way for servers to tell browsers whether they want browsers to allow frontend JavaScript code to access responses from cross-origin requests. See https://stackoverflow.com/questions/43432743/will-asp-net-core-cors-policy-prevent-resource-access-from-non-browser-requests/43432787#43432787 etc. If you want your server to reject any request not initiated by your front-end app, CORS configuration isn’t the way; you’d need some other mechanism. – sideshowbarker May 19 '18 at 04:57
  • So can this be achieved by some middle layer. Do you have any example? – Amit007 May 21 '18 at 09:28
  • @sideshowbarker would you mind giving an example? – Amthieu Jun 19 '19 at 02:30
  • @Amthieu Search for “asp net ip-based blocking” or such. See https://stackoverflow.com/a/2893252/441757, https://stackoverflow.com/q/16080487/441757, https://stackoverflow.com/a/4605086/441757, etc., and https://www.hanselman.com/blog/AnIPAddressBlockingHttpModuleForASPNETIn9Minutes.aspx – sideshowbarker Jun 19 '19 at 02:58

0 Answers
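
An added example, not part of the original thread and not code from any of its participants: the IP-based blocking that the last comment points to, written as ASP.NET Core middleware that rejects requests on the server before the CORS policy or any endpoint runs. It assumes a .NET 6 or later minimal API; the policy name, origin, route and addresses are constructed placeholders.

```csharp
// Program.cs, ASP.NET Core minimal API (.NET 6 or later assumed).
using System.Net;

var builder = WebApplication.CreateBuilder(args);

// CORS policy like the one in the question: a single allowed origin (placeholder).
builder.Services.AddCors(options =>
    options.AddPolicy("FrontEndOnly", policy =>
        policy.WithOrigins("https://frontend.example")));

var app = builder.Build();

// Constructed allow-list of caller addresses permitted to reach the API.
var allowedAddresses = new HashSet<IPAddress>
{
    IPAddress.Loopback,
    IPAddress.IPv6Loopback,
    IPAddress.Parse("203.0.113.10"), // documentation-range placeholder
};

// Server-side enforcement: runs for every request, from a browser or not.
app.Use(async (context, next) =>
{
    var remote = context.Connection.RemoteIpAddress;

    // Dual-stack sockets report IPv4 callers as ::ffff:a.b.c.d; normalize first.
    if (remote is not null && remote.IsIPv4MappedToIPv6)
        remote = remote.MapToIPv4();

    if (remote is null || !allowedAddresses.Contains(remote))
    {
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        await context.Response.WriteAsync("Forbidden");
        return; // short-circuit: the endpoint below never executes
    }

    await next(context);
});

// The CORS middleware only adds Access-Control-* response headers, which a
// browser acts on. It does not stop the endpoint from running, so on its own
// it leaves the API answering tools that ignore or forge the Origin header.
app.UseCors("FrontEndOnly");

app.MapGet("/api/values", () => new[] { "value1", "value2" });

app.Run();
```

Behind a reverse proxy or load balancer, `RemoteIpAddress` is the proxy's address unless forwarded-headers handling is configured. An address allow-list only fits callers with known addresses; requests sent from end users' browsers arrive from arbitrary addresses.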