CORS-enabled server not denying requests

Question

I am trying to use express Cors with my resitfy server and it doesn\'t seem to be denying requests coming from other ips. I am working locally so I tried setting origin to a

Answer 1

CORS does not prevent anyone from sending GET or POST requests to your application or exposed API URL.

Instead, it indicates to the web browser that AJAX requests are allowed to this server, from the domain they are executed.

But only AJAX requests executed from a domain are CORS-controlled. Entering the URL in the web browser will not activate CORS: it is not a firewall.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

The order of event is:

1. Domain A executes AJAX on User's browser to request API URL on Domain B

2. User's browser sends a basic primary request to target Domain B and checks if CORS are allowed for Domain A

3. If allowed, AJAX request is executed otherwise null is returned