How to protect Route Handlers from requests made outside my website
Unanswered
American Crocodile posted this in #help-forum
American Crocodile (OP)
I'm using the App Router, and have multiple Route Handlers for my APIs, but I was surprised to know that my friend was able to send requests to my Route Handlers using Postman from his PC.
I thought that by default they were protected because the headers in NextJS are following a same-origin policy.
1 Reply
American Crow
Web APIs are public, or at least available on the internet, by definition. CORS headers are suggestions from the server, which browsers may or may not follow. Postman does not follow any CORS suggestions; that's why the request goes through. CORS is not a tool for limiting access. You'd have to do that via IP whitelisting or other methods.
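To illustrate the reply's point, here is an added example (not code from the thread or from Next.js itself) of a Route Handler that enforces access on the server: it requires a bearer key compared in constant time and, optionally, checks the client IP against an allowlist, while the CORS header it sets remains purely advisory. The key, the allowed IP and the `x-forwarded-for` handling are constructed assumptions; Route Handlers take a standard Web `Request` and return a `Response`, so the same code runs in plain Node 18+.

```javascript
// Added example (not from the thread): a Next.js App Router Route Handler
// that enforces access on the server instead of relying on CORS.
// Route Handlers receive a standard Web `Request` and return a `Response`,
// so this runs in plain Node 18+ as well as in app/api/items/route.js
// (where GET would be `export`ed). Key and IP list are constructed samples.

const API_KEY = 'constructed-sample-key-change-me';   // real app: process.env.API_KEY
const ALLOWED_IPS = new Set(['203.0.113.10']);        // documentation range (RFC 5737)

// Constant-time comparison so a wrong key cannot be guessed byte by byte from
// response timing (length still leaks; hash both sides first to hide it).
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns null when the request may proceed, or an error Response otherwise.
// 1) Bearer key: the only check that holds against any client (Postman, curl).
// 2) IP allowlist: x-forwarded-for is only trustworthy when your own proxy
//    overwrites it; a client talking to Node directly can set it freely.
function checkAccess(request, { apiKey = API_KEY, allowedIps = ALLOWED_IPS } = {}) {
  const auth = request.headers.get('authorization') ?? '';
  const key = auth.startsWith('Bearer ') ? auth.slice(7) : '';
  if (!safeEqual(key, apiKey)) {
    return new Response('unauthorized', { status: 401 });
  }
  const ip = (request.headers.get('x-forwarded-for') ?? '').split(',')[0].trim();
  if (allowedIps.size > 0 && !allowedIps.has(ip)) {
    return new Response('forbidden', { status: 403 });
  }
  return null;
}

// The Route Handler. The CORS header only lets browsers on your site read the
// response; it does nothing to stop non-browser clients.
function GET(request) {
  const denied = checkAccess(request);
  if (denied) return denied;
  return new Response(JSON.stringify({ items: [1, 2, 3] }), {
    status: 200,
    headers: {
      'content-type': 'application/json',
      'access-control-allow-origin': 'https://example.com', // advisory only
    },
  });
}
```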