CORS with POSTMAN

Question

This subject has been asked a couple of time  but I still don t understand something   When I read answers about      No  Access-Control-Allow-Origin  header   issue  it says a setting should be set on the requested server in order to allow cross domain  add header  Access-Control-Allow-Origin         But  please tell me why when asking from postman  which is a client   It s working like a charm and I have a response from the requested server   Thank you

User · Answer

Use the browser chrome postman plugin to check the CORS SOP like a website  Use desktop application instead to avoid these controls

User · Answer

While all of the answers here are a really good explanation of what cors is but the direct answer to your question would be because of the following differences postman and browser   Browser  Sends OPTIONS call to check the server type and getting the headers before sending any new request to the API endpoint  Where it checks for Access-Control-Allow-Origin  Taking this into account Access-Control-Allow-Origin header just specifies which all CROSS ORIGINS are allowed  although by default browser will only allow the same origin    Postman  Sends direct GET  POST  PUT  DELETE etc  request without checking what type of server is and getting the header Access-Control-Allow-Origin by using OPTIONS call to the server

User · Answer

If you use a website and you fill out a form to submit information  your social security number for example  you want to be sure that the information is being sent to the site you think it s being sent to   So browsers were built to say  by default   Do not send information to a domain other than the domain being visited    Eventually that became too limiting but the default idea still remains in browsers   Don t let the web page send information to a different domain   But this is all browser checking   Chrome and firefox  etc have built in code that says  before send this request  we re going to check that the destination matches the page being visited      Postman  or CURL on the cmd line  doesn t have those built in checks   You re manually interacting with a site so you have full control over what you re sending

User · Answer

As  Musa comments it  it seems that the reason is that   Postman doesn t care about SOP  it s a dev tool not a browser  By the way here s a chrome extension in order to make it work on your browser  this one is for chrome  but you can find either for FF or Safari   Check here if you want to learn more about Cross-Origin and why it s working for extensions

User · Answer

CORS  Cross-Origin Resource Sharing  and SOP  Same-Origin Policy  are server-side configurations that clients decide to enforce or not     Related to clients     Most Browsers do enforce it to prevent issues related to CSRF attack  Most Development tools don t care about it

User · Answer

Generally  Postman used for debugging and used in the development phase  But in case you want to block it even from postman try this       const referrer domain     enter-the-domain-name-of-the-referrer         check for the referrer domain     app all       function req  res  next          if req headers referer indexOf referrer domain     -1           res send  Invalid Request                  next

[http] CORS with POSTMAN

Examples related to http

Examples related to cors

Examples related to postman