Javascript Express.js中条件CORS访问控制允许来源_Javascript_Node.js_Express

Javascript Express.js中条件CORS访问控制允许来源

javascript node.js express

Javascript Express.js中条件CORS访问控制允许来源,javascript,node.js,express,Javascript,Node.js,Express,这是一个关于采取什么策略和解决我对自己想法的怀疑的问题我想要的是允许CORS请求，即访问控制允许源站依赖于我拥有的环境类型。这是我的cors标题： app.use((req, res, next) => { res.setHeader('Access-Control-Allow-Origin', 'https://siteone.com'); res.setHeader('Access-Control-Allow-Credentials', 'true'); res.setH

这是一个关于采取什么策略和解决我对自己想法的怀疑的问题

我想要的是允许CORS请求，即访问控制允许源站依赖于我拥有的环境类型。这是我的cors标题：

app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Origin', 'https://siteone.com');
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  res.setHeader('Access-Control-Allow-Methods', 'GET,HEAD,OPTIONS,POST,PUT,DELETE');
  res.setHeader('Access-Control-Allow-Headers', 'Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, access-control-allow-origin');
  next();
});

但我想要的是这样的条件逻辑：

const ACAOSite = process.env.NODE_ENV == 'production' ? 'https://siteone.com' : 'https://sitetwo.com';

app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Origin', ACAOSite);
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  res.setHeader('Access-Control-Allow-Methods', 'GET,HEAD,OPTIONS,POST,PUT,DELETE');
  res.setHeader('Access-Control-Allow-Headers', 'Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, access-control-allow-origin');
  next();
});

app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Origin', process.env.allowed_origins);
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  res.setHeader('Access-Control-Allow-Methods', 'GET,HEAD,OPTIONS,POST,PUT,DELETE');
  res.setHeader('Access-Control-Allow-Headers', 'Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, access-control-allow-origin');
  next();
});

但这是一种好的做法吗？还有别的办法吗？另外，我不想允许每个站点都使用*，我想选择我想允许的站点

使用或配置文件来设置允许的来源

与从.env（使用）或可在服务器上修改的配置文件读取的测试/生产数据库凭据的配置相同

例如，如果.env文件包含：

allowed_origins=https://siteone.com

那么您的代码应该是这样的：

const ACAOSite = process.env.NODE_ENV == 'production' ? 'https://siteone.com' : 'https://sitetwo.com';

app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Origin', ACAOSite);
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  res.setHeader('Access-Control-Allow-Methods', 'GET,HEAD,OPTIONS,POST,PUT,DELETE');
  res.setHeader('Access-Control-Allow-Headers', 'Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, access-control-allow-origin');
  next();
});

app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Origin', process.env.allowed_origins);
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  res.setHeader('Access-Control-Allow-Methods', 'GET,HEAD,OPTIONS,POST,PUT,DELETE');
  res.setHeader('Access-Control-Allow-Headers', 'Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, access-control-allow-origin');
  next();
});

也可以使用多个逗号分隔原点，例如

allowed_origins=https://siteone.com, https://siteone-server2.com

您可能希望将允许的域外部化到某些配置文件中，而不是全部ok。控制允许的源代码而不是使用通配符通常是一种好的做法。我的建议是使用类似于for environment configuration的东西，而不是在代码中使用它。