Having problem with cors - Flask

Hi guys! I am trying to setup restrictions to only allow requests from a certain origin. This is how I have it currently setup but it still allows every request (testing with postman).
app = Flask(__name__)

cors = CORS(app, origins=["https://vetai.vercel.app/"])


@app.route("/")
def home():
return "Hello, world!"


@app.route("/prompt", methods=["POST"])
def prompt():
return "prompt route"


if __name__ == "__main__":
app.run(debug=True)
app = Flask(__name__)

cors = CORS(app, origins=["https://vetai.vercel.app/"])


@app.route("/")
def home():
return "Hello, world!"


@app.route("/prompt", methods=["POST"])
def prompt():
return "prompt route"


if __name__ == "__main__":
app.run(debug=True)
No description
14 Replies
dotfortun
dotfortun15mo ago
I think this is because it isn't actually cross-origin, since both Postman and the service is running on localhost. I ran your example, and then tried to fetch from another origin and got this:
No description
rikisann
rikisannOP15mo ago
Hmm interesanchi Ima host the code on vercel and try it out
dotfortun
dotfortun15mo ago
Sounds like a plan!
rikisann
rikisannOP15mo ago
No description
rikisann
rikisannOP15mo ago
I tried it but still getting back the response Been thinking to just put an API key in env variables and send it in with requests and just run a normal if API key != api key
dotfortun
dotfortun15mo ago
That just got me thinking, and I don't know if this is up to date, but evidently Postman doesn't respect CORS.
rikisann
rikisannOP15mo ago
is that so so I could potentially access through postman stuff blocked out by cors? or stuff that actually matters has more security than that?
rikisann
rikisannOP15mo ago
No description
rikisann
rikisannOP15mo ago
Calling it through console gives me this error for some reason
dotfortun
dotfortun15mo ago
Hrm, one sec.
dotfortun
dotfortun15mo ago
I got this, so I am getting a cors error on my end.
No description
dotfortun
dotfortun15mo ago
CORS is intended to protect end users from leaking their cookies all over the internet, so it isn't actually a robust security measure for protecting your backend. For that you'd probably want to implement some sort of auth flow (flask-jwt-extended is pretty straightforward to implement), or at least use the API key method you described.
rikisann
rikisannOP15mo ago
Sounds good brudda. Thank you so much for the help
dotfortun
dotfortun15mo ago
Not a problem!
Want results from more Discord servers?
Add your server