I'm building a REST API with CORS enabled. Since the API has to be accessed from known domains, I have to check whether the origin of the request is in the "white-listed" domains.
But I have to be 100% sure that the origin of the request is really the origin, not some modified header.
I found this link: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
It is about forbidden header names, so I'm asking: is this information OK, can nobody change the Origin header?
I'm accessing the request in Java like this:
((HttpServletRequest) request).getHeader("origin")
Is this how I do it?
Spring has excellent out-of-the-box support for handling cross-origin requests, which can be used via XML or Java configuration.
Also, the configuration can be either global (via CorsRegistry) or controller-specific (@CrossOrigin) for granular control.
Have a look here and here, which have good details on how to get started and how it works.
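The two configuration styles named in the answer, as an added example that is not part of the original answer; the origins, URL paths and class names are assumptions. The forbidden-header rule for Origin is enforced by browsers only, so a non-browser client can send any value: the allow-list controls which web pages may read responses and does not replace authentication of the caller.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Global configuration: applies to every handler under /api/**.
@Configuration
public class CorsConfig implements WebMvcConfigurer {

    // Assumed allow-list (placeholder origins). Entries are compared exactly:
    // scheme, host and port must all match the browser-sent Origin value.
    private static final String[] ALLOWED_ORIGINS = {
        "https://app.example.com",
        "https://admin.example.com"
    };

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins(ALLOWED_ORIGINS)        // explicit origins, never "*"
                .allowedMethods("GET", "POST", "PUT", "DELETE")
                .allowedHeaders("Content-Type", "Authorization")
                .allowCredentials(true)                  // requires explicit origins above
                .maxAge(3600);                           // cache preflight result for 1 hour
    }
}

// Controller-specific configuration: narrows one controller to a single origin.
@RestController
@RequestMapping("/api/reports")
@CrossOrigin(origins = "https://admin.example.com")
class ReportController {

    // Hypothetical endpoint. A request whose Origin is not allowed is rejected
    // by Spring's CORS processing; requests without an Origin header (for
    // example from non-browser clients) are not CORS requests and still reach
    // the handler, so the handler must be protected by real authentication.
    @GetMapping
    public String list() {
        return "[]";
    }
}
```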