
Why can I send requests from any URL to my API project, even though inside my Program.cs I set only two specific URLs as allowed origins?

builder.Services.AddCors(options =>
{
    // Named policy: only these two origins get an Access-Control-Allow-Origin header
    options.AddPolicy(name: "policyName", policy =>
    {
        policy.WithOrigins(
            "http://sitehere.com",
            "http://TheOtherSiteHere.com"
        );
    });
});

app.UseRouting();
// Apply the named policy to every endpoint
app.UseCors("policyName");

In all of my controllers I have the [EnableCors("policyName")] attribute as well.

But in Postman, with my local IP address or another computer's IP address in the same local network, all requests are accepted.

In my case, I want to reject all requests except those from "http://sitehere.com" and "http://TheOtherSiteHere.com".

Masoud
  • It's because Postman does not send the 'Origin' header, which is used for this purpose. – Meysam Mar 06 '22 at 07:26
  • So what if an illegal person gets our API URL and sends requests via Postman?! Isn't it a security issue then? @Meysam – Masoud Mar 06 '22 at 07:31
  • It's a forbidden header name, which means it cannot be modified programmatically. https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name – Meysam Mar 06 '22 at 07:32
  • So you mean the above code is fine? – Masoud Mar 06 '22 at 07:34
  • Yes. Also check this question out: https://stackoverflow.com/questions/36250615/cors-with-postman – Meysam Mar 06 '22 at 07:36
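The comment thread above comes down to one point: CORS is a browser-side control, not an access control on the API. The following is an added example (not code from the question, from ASP.NET Core or from the commenters): a small Python model of what a WithOrigins-style allow list does on the server and of the decision the browser makes afterwards. The origins, the fake endpoint, the lowercase comparison and the request headers are constructed for the example. It shows that a request without an Origin header (Postman, curl) is served normally, that a browser page on a listed origin can read the response, and that a browser page on an unlisted origin is served too but cannot read the result because no Access-Control-Allow-Origin header comes back.

```python
# Added example: a model of CORS evaluation, not the ASP.NET Core implementation.
# Allowed origins mirror the question's WithOrigins(...) list (constructed values).
ALLOWED_ORIGINS = {"http://sitehere.com", "http://theothersitehere.com"}


def cors_headers(request_headers: dict, allowed=ALLOWED_ORIGINS) -> dict:
    """Response headers a CORS middleware adds for a simple (non-preflight) request.

    The Origin header is compared against the allow list after lowercasing
    (browsers send scheme and host in lowercase; the lowercasing is this
    example's own simplification). A match echoes the origin back in
    Access-Control-Allow-Origin; no match, or no Origin at all, adds nothing.
    The request is never rejected here: the middleware only decorates the response.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # non-browser client: nothing to evaluate
    if origin.lower() in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}  # unlisted origin: no ACAO header, but the response still goes out


def handle_request(request_headers: dict) -> dict:
    """Hypothetical API endpoint: returns its data regardless of Origin.

    Nothing in the request distinguishes a browser on sitehere.com from a
    script that sets the same Origin value, so restricting *who* may call the
    API has to come from authentication (e.g. a bearer token), not from CORS.
    """
    return {
        "status": 200,
        "body": {"data": "api payload"},
        "headers": cors_headers(request_headers),
    }


def browser_can_read(page_origin: str, response: dict) -> bool:
    """The browser side of CORS: the full response arrived, but the page's script
    only gets to read it if the server opted in for that page's origin."""
    acao = response["headers"].get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin


def scenarios() -> dict:
    """Three constructed requests that reproduce the behaviour from the question."""
    # Postman from any IP on the LAN: no Origin header is sent.
    postman = handle_request({"User-Agent": "PostmanRuntime"})
    # A browser page served from a listed origin.
    allowed = handle_request({"Origin": "http://sitehere.com"})
    # A browser page served from an origin that is not in the list.
    unlisted = handle_request({"Origin": "http://other.example"})
    return {
        "postman_status": postman["status"],
        "postman_got_body": "data" in postman["body"],
        "allowed_readable": browser_can_read("http://sitehere.com", allowed),
        "unlisted_status": unlisted["status"],  # still 200: the server answered
        "unlisted_readable": browser_can_read("http://other.example", unlisted),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

The takeaway for the question: the WithOrigins list is working as designed. It decides which web pages a browser will let read the API's responses; it does not decide which clients may reach the API, so a caller on the local network using Postman is expected to get through, and keeping data private from such callers is a job for authentication and authorization on the endpoints.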

0 Answers