DEV Community


Discussion on: Rebel with a CORS

franky47 profile image
François Best

In the case of a web app, if the static front-end is served from a domain name, you'd probably want your backend to allow CORS only for requests coming from that origin.

I know it's not the same use case as your example, which is adding an open CORS on top of a public API, but I was wondering how that would work.

Let's say we want to make a GraphQL API for XKCD, but have it work only with our own front-end (for some reason).
We'd publish the server that queries the XKCD API and exposes a GraphQL endpoint on Now, but allowing CORS only from whatever domain name we've bound to our front-end static server (could also be Now, or Surge, or whatever static hosting service there is out there).