I'm creating an API with Node.js, where I set up the application header for Cross-Origin Resource Sharing to work properly.
    // CORS headers set on every response
    app.use(function (req, res, next) {
        res.header("Access-Control-Allow-Origin", "http://localhost:3000");
        res.header("Access-Control-Allow-Headers", "Content-Type");
        res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
        res.header("Access-Control-Allow-Credentials", true);
        next();
    });
In the code, I restrict access so that only localhost:3000 can access the resources:
    res.header("Access-Control-Allow-Origin", "http://localhost:3000");
But even with access restricted to only one application, I can access the features of this API from any domain.
What is the problem with Access-Control-Allow-Origin that it does not work?
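An added example, not part of the original post: Access-Control-Allow-Origin is a response header that the browser checks before letting a page's script read a cross-origin response, so a middleware that only sets it still runs the handler and returns the body to every caller. The sketch below models that with plain functions and contrasts it with a server-side Origin check. The function names and sample requests are constructed for illustration; only the allowed origin comes from the post.

```javascript
// Added illustration; names and sample requests are constructed.
const ALLOWED_ORIGIN = "http://localhost:3000"; // value from the post

// Behaviour of the middleware in the post: annotate the response, never reject.
function headerOnlyCors(req) {
  return {
    status: 200,
    headers: { "access-control-allow-origin": ALLOWED_ORIGIN },
    body: "resource data",
  };
}

// Simplified model of the browser-side check for a cross-origin fetch():
// the page's script may read the response only if the header names its origin.
function browserExposesToScript(pageOrigin, res) {
  return res.headers["access-control-allow-origin"] === pageOrigin;
}

// Server-side check: refuse requests that carry a non-allowed Origin header.
// Caveat: non-browser clients can omit or set Origin freely, so this is not
// authentication; protected resources still need credentials checked server-side.
function originEnforcingCors(req) {
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== ALLOWED_ORIGIN) {
    return { status: 403, headers: {}, body: "origin not allowed" };
  }
  return headerOnlyCors(req);
}

// Constructed sample requests.
const fromOtherSite = { method: "GET", headers: { origin: "http://other.example" } };
const fromAllowed = { method: "GET", headers: { origin: ALLOWED_ORIGIN } };
const noOriginClient = { method: "GET", headers: {} }; // e.g. a command-line client

function summarize() {
  const res = headerOnlyCors(fromOtherSite);
  return {
    serverSentBody: res.status === 200,
    scriptCanRead: browserExposesToScript("http://other.example", res),
    enforcedStatus: originEnforcingCors(fromOtherSite).status,
  };
}

console.log(summarize());
```
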