Server actions allowedOrigins not working
Answered
Bombay-duck posted this in #help-forum
Bombay-duckOP
Shouldn't this disallow all server actions besides localhost? I still can access it from my browser.
  // next.config.js
  module.exports = {
    experimental: {
      serverActions: {
        allowedOrigins: ['localhost:3000'],
      },
    },
  };
Answered by "use php"
Summary:
- allowedOrigins only works if the request is executed from a browser; if it's executed from something like Postman, it can be easily spoofed.
26 Replies
Giant panda
It would allow server actions from the same domain and from localhost (which would be the same location?). I'm a little unsure what you are trying to achieve here; can you provide some more detail?
Bombay-duckOP
From the same domain is always allowed, you mean?
Giant panda
Yes, according to the documentation, from the same domain is always allowed. https://nextjs.org/docs/app/api-reference/config/next-config-js/serverActions
Bombay-duckOP
+
"use php"
@Bombay-duck Why can't you access it in the browser? Error screenshot?
Giant panda
I thought they could access it from the browser, or was that a typo in the original question?
Bombay-duckOP
I can, but I want to make sure that server actions can only be accessed from my site.
I thought that if I only have localhost, nothing besides localhost should work.
"use php"
It isn't necessary.
I personally have executed server actions by using Postman.
Bombay-duckOP
So it doesn't work fully?
"use php"
allowedOrigins is only referring to a frontend, like a frontend request.
If I'm right, the header Origin is checked for the request.
Next.js would just check the Origin. The frontend can't spoof it (most browsers won't allow it), but Postman can.
Summary:
- allowedOrigins only works if the request is executed from a browser; if it's executed from something like Postman, it can be easily spoofed.
Answer
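A simplified model of the check discussed above, added here as an example (it is not Next.js's own code, which also handles proxy headers and wildcard entries): it compares the host part of the request's Origin header against the serving Host and the allowedOrigins list. The header sets are constructed; note that the non-browser request with a copied Origin is byte-identical to the legitimate browser request, which is why the check cannot tell them apart and why it is a cross-site (CSRF) guard, not authentication.

```javascript
// Simplified model of an Origin-allowlist check for server-action POSTs.
// Added example, not Next.js's implementation. Assumes allowedOrigins
// entries are "host[:port]" strings, as in the next.config.js above, and
// that a missing Origin is rejected (an assumption of this model).

const allowedOrigins = ['localhost:3000'];

// Returns "allow" or "reject" for a server-action POST, given the
// request's Host header and (optional) Origin header.
function checkOrigin(headers, allowed = allowedOrigins) {
  const host = headers.host;
  const origin = headers.origin;
  if (!origin) {
    // Browsers always send Origin on POST; its absence means a
    // non-browser client. This model rejects rather than trusting it.
    return 'reject';
  }
  let originHost;
  try {
    originHost = new URL(origin).host; // "host[:port]" without scheme
  } catch {
    return 'reject'; // malformed Origin value
  }
  // Same origin as the serving host is always allowed (as the docs say);
  // otherwise the origin host must be on the allowlist.
  if (originHost === host || allowed.includes(originHost)) return 'allow';
  return 'reject';
}

// Constructed header sets (not captured traffic).
const samples = {
  // Browser form submission from the site itself.
  browserSameSite: { host: 'localhost:3000', origin: 'http://localhost:3000' },
  // Browser form submission from another site: the browser sets Origin
  // itself and the page cannot override it, so this is rejected.
  browserOtherSite: { host: 'localhost:3000', origin: 'https://other.example' },
  // Non-browser client that copied the Origin header: indistinguishable
  // from browserSameSite on the server, so the check passes.
  toolCopiedOrigin: { host: 'localhost:3000', origin: 'http://localhost:3000' },
  // Non-browser client that sent no Origin at all.
  toolNoOrigin: { host: 'localhost:3000' },
};
```

Because the allowed case and the copied-Origin case are the same bytes on the wire, anything that must only run for authorised users has to check the session or credentials inside the action itself.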
@Bombay-duck do you have any other Qs?
CSRF tokens, but probably not fully right?
@Bombay-duck how to block postman too?
That is not possible at all; I wouldn't recommend it, since there are countless ways to bypass it.
If the browser can access it, that means Postman can access it.
You can check for Postman-related headers and block them, but it doesn't make any sense since they can be removed.
ty for answers
Bombay-duckOP
You can maybe add a button for that.