Testing CORS with cURL

David Dias picture David Dias · Dec 21, 2013 · Viewed 13.7k times · Source

I've been implementing CORS in a lil app I have using node-restify to test it out and it turns out that in the browser, the behaviour is as expected, this means, in a different origin with CORS disabled, it doesn't work, if CORS is enabled, it works.

However, the tricky part is that with CURL, it always works! I've been following this question: How can you debug a CORS request with cURL?

I'm doing this:

curl -H 'Origin: http://example.com' http://cors.somewhere.com

And using the node-restify example to debug

var restify = require('restify');

var srv = restify.createServer();
//srv.use(restify.CORS()); // I enable and disable by uncomment line

function foo(req, res, next) {
        res.send("bananas");
        next();
}

srv.put('/foo', foo);
srv.get('/foo', foo);
srv.del('/foo', foo);
srv.post('/foo', foo);

srv.listen(process.env.PORT || 8080);

What am I missing?

Thank you!

Answer

monsur picture monsur · Dec 21, 2013

It sounds like you are asking if there's a way to prevent curl from making a request at all. This is impossible. curl can always make a request to the server, with or without CORS.

However, curl can also be used to mimic a browser and verify how your server will react to CORS requests. By using the --verbose flag on curl requests, you can see the HTTP request and response headers, and verify that the CORS headers are working as expected. That is what this question covers: How can you debug a CORS request with cURL?

If CORS is enabled, you should see an Access-Control-Allow-Origin header in the response. If CORS is disabled, you should not see any Access-Control-* headers in the response.