CORS-enabled server not denying requests

I am trying to use express Cors with my resitfy server and it doesn't seem to be denying requests coming from other ips. I am working locally so I tried setting origin to a random public ip but all of my requests are still going through

Here is my route:

module.exports = function(app) {
    var user = require('./controllers/userController');
    var cors = require('cors');
    var corsOptions = require('./cors.json');


    app.post('/auth/signup', cors(corsOptions),user.createUser);
    app.post('/auth/login', cors(corsOptions), user.validateUser);
    app.post('/auth/generateKeys', cors(corsOptions), user.generateKeys);
    app.post('/auth/generateToken', user.generateToken);
};

and here is my cors.json file where I have set a random ip:

{
    "origin": "http://172.16.12.123",
    "optionsSuccessStatus": 200,
}

With cors set on the route I can see the following in postman but the request is still going through? I would expect an access denied response.

Access-Control-Allow-Origin →http://172.16.12.123


Solution 1:

CORS configuration on its own isn’t going to cause a server to deny requests. You can’t cause server-side blocking of requests just through CORS configuration.

The only thing a server does differently when you configure it with CORS support is just to send the Access-Control-Allow-Origin response header and other CORS response headers. That’s it.

Actual enforcement of cross-origin restrictions is done only by browsers, not by servers.

So no matter what server-side CORS configuration you make to a server, the server still goes on accepting requests from all clients and origins it would otherwise; in other words, all clients from all origins still keep on getting responses from the server just as they would otherwise.

But browsers will only expose responses from cross-origin requests to frontend JavaScript code running at a particular origin if the server the request was sent to opts-in to permitting the request by responding with an Access-Control-Allow-Origin header that allows that origin.

That’s the only thing you can do using CORS configuration. You can’t make a server only accept and respond to requests from particular origins just by doing any server-side CORS configuration. To do that, you need to use something other than just CORS configuration.

Solution 2:

CORS does not prevent anyone from sending GET or POST requests to your application or exposed API URL.

Instead, it indicates to the web browser that AJAX requests are allowed to this server, from the domain they are executed.

But only AJAX requests executed from a domain are CORS-controlled. Entering the URL in the web browser will not activate CORS: it is not a firewall.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

The order of event is:

  1. Domain A executes AJAX on User's browser to request API URL on Domain B

  2. User's browser sends a basic primary request to target Domain B and checks if CORS are allowed for Domain A

  3. If allowed, AJAX request is executed otherwise null is returned