Server actions allowedOrigins not working
Answered
Wuchang bream posted this in #help-forum
Wuchang breamOP
Shouldn't this disallow all server actions besides localhost? I still can access it from my browser.
experimental: {
  serverActions: {
    allowedOrigins: ['localhost:3000'],
  },
},
Answered by Anay-208 | Ping in replies
Summary:
- allowedOrigins only works if the request is executed from a browser; if it's executed from something like Postman, it can be easily spoofed
26 Replies
Giant panda
It would allow server actions from the same domain and from localhost (which would be the same location?). I’m a little unsure what you are trying to achieve here; can you provide some more detail?
Wuchang breamOP
From the same domain is always allowed, you mean?
Giant panda
Yes, according to the documentation, from the same domain is always allowed. https://nextjs.org/docs/app/api-reference/config/next-config-js/serverActions
Wuchang breamOP
+
Anay-208 | Ping in replies
Why can't you access it in the browser? Error screenshot?
Giant panda
I thought they could access it from the browser, or was that a typo in the original question?
Wuchang breamOP
I can, but I want to make sure that server actions can only be accessed from my site.
I thought that if I only have localhost, nothing besides localhost should work.
Anay-208 | Ping in replies
It isn’t necessary.
I personally have executed server actions by using Postman.
Wuchang breamOP
So it doesn't work fully?
Anay-208 | Ping in replies
allowedOrigins is only referring to a frontend, like a frontend request.
If I'm right, the Origin header is checked for the request. Next.js would just check the Origin. The frontend can't spoof it; most browsers won't allow it, but Postman can.
Answer
@Wuchang bream do you have any other Qs?
CSRF tokens, but probably not fully right?
@Wuchang bream How to block Postman too?
Anay-208 | Ping in replies
That is not possible at all, I wouldn't recommend it, since there are countless ways to bypass it.
If the browser can access it, that means Postman can access it.
You can check for Postman-related headers and block them, but it doesn't make any sense since they can be removed.
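As an added example (not the project's code and not Next.js source), the JavaScript below models the Origin-versus-Host check the answer describes and then makes the point from the Postman discussion concrete: the check only inspects request headers, so the server action itself has to authorize the caller. The isOriginAllowed and deleteAccount functions, the session table and the header values are constructed for illustration, and the exact matching Next.js performs is assumed rather than taken from its source.

```javascript
// Added example, not Next.js source code. It models the check the thread
// describes (assumed behaviour: Origin matching the Host header is always
// allowed, plus the configured allowedOrigins list) and shows why that is
// cross-site hardening rather than access control: the check only inspects
// headers, so the server action itself must still authorize the caller.

const ALLOWED_ORIGINS = ['localhost:3000']; // the value from the question

// True when the Origin header's host matches the Host header (same site)
// or one of the configured allowed origins. Missing or malformed Origin
// is rejected (an assumption of this example, not documented behaviour).
function isOriginAllowed(headers, allowed = ALLOWED_ORIGINS) {
  if (!headers.origin) return false;
  let originHost;
  try {
    originHost = new URL(headers.origin).host; // 'http://a:3000' -> 'a:3000'
  } catch {
    return false;
  }
  return originHost === headers.host || allowed.includes(originHost);
}

// Constructed session table standing in for a real auth backend.
const SESSIONS = new Map([['sid-abc', { user: 'alice' }]]);

// Minimal Cookie header parser: 'a=1; b=2' -> { a: '1', b: '2' }.
function parseCookie(cookie = '') {
  const out = {};
  for (const part of cookie.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// A server action that does its own authorization. The origin check stops
// cross-site browser requests; the session check is what actually decides
// who may run the action, whatever client sent the request.
function deleteAccount(headers) {
  if (!isOriginAllowed(headers)) return { status: 403, reason: 'origin' };
  const session = SESSIONS.get(parseCookie(headers.cookie).sid);
  if (!session) return { status: 401, reason: 'no session' };
  return { status: 200, deleted: session.user };
}
```

A request whose Origin passes the check but carries no valid session gets 401 from the action itself, which is the control that holds regardless of the client used.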
ty for answers
Wuchang breamOP
You can maybe add a button for that.