Tips and Tricks for Web Apps Archives - Anuj Varma, Hands-On Technology Architect, Clean Air Activist
https://www.anujvarma.com/category/technology/asp-net-performance/tips-and-tricks-for-web-apps/

CloudFlare and Server Side Whitelisting for CORS
https://www.anujvarma.com/cloudflare-and-server-side-whitelisting-for-cors/
Wed, 18 Jun 2025 16:18:09 +0000

Overview

The CORS headers need to be set explicitly on the server. For some websites, CloudFlare can be used to control the CORS header logic at the edge.

Note that you will also need to ensure that the origin server denies all IPs except CloudFlare's IP addresses (this must be done AT the server level, not in CloudFlare). This covers all the cases where clients access the website's IP address DIRECTLY (instead of the URL, which CloudFlare will handle).
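An added example, not from the post, of what "deny at the server level" can look like in the same Express stack used later on this page: a middleware that compares the TCP peer address against the edge provider's ranges. The CIDRs are constructed placeholders (use the ranges CloudFlare publishes) and the function names are my own.

```javascript
// Added example (not from the post): an Express middleware for the
// "deny all IPs except CloudFlare's, at the server level" advice above.
// The CIDRs are constructed placeholders; use the ranges your edge
// provider publishes, and mirror the rule in the host firewall.
// Function names are my own.
const EDGE_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]; // placeholders

// Dotted-quad IPv4 string to an unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip lies inside the a.b.c.d/bits range; malformed input is false.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true;
  const mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipN & mask) >>> 0) === ((baseN & mask) >>> 0);
}

function isEdgeAddress(remoteAddress, cidrs = EDGE_CIDRS) {
  // Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d
  const ip = String(remoteAddress || "").replace(/^::ffff:/, "");
  return cidrs.some((c) => inCidr(ip, c));
}

// Express middleware. It deliberately reads the TCP peer address rather
// than X-Forwarded-For or CF-Connecting-IP: a client that connects to the
// origin directly can put anything it likes in those headers.
function edgeOnly(req, res, next) {
  if (!isEdgeAddress(req.socket.remoteAddress)) {
    return res.status(403).end();
  }
  next();
}
```

Register it before any route (`app.use(edgeOnly)`) so the check runs ahead of the CORS logic.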

How a Server Explicitly Sets CORS Headers for an HTTP Request

A server explicitly sets CORS headers by including them in the HTTP response to a cross-origin request. These headers instruct the browser whether or not to allow frontend JavaScript from another origin to access the response data.

Example: CORS Headers in an HTTP Response

Access-Control-Allow-Origin: https://example-client.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true

How to Set CORS Headers in Different Environments

1. Node.js / Express

const express = require("express");
const app = express();

// Attach the CORS headers to every response; the allowed origin is a single fixed value.
app.use((req, res, next) => {
  res.header("Access-Control-Allow-Origin", "https://example-client.com");
  res.header("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE");
  res.header("Access-Control-Allow-Headers", "Content-Type, Authorization");
  res.header("Access-Control-Allow-Credentials", "true");
  next();
});

Or use the cors middleware package (installed separately with npm):

const cors = require('cors');

const corsOptions = {
  origin: "https://example-client.com",
  methods: "GET,POST,PUT,DELETE",
  credentials: true
};

app.use(cors(corsOptions));

2. Python / Flask

from flask import Flask
from flask_cors import CORS

app = Flask(__name__)
CORS(app, resources={r"/api/*": {"origins": "https://example-client.com"}}, supports_credentials=True)

3. Apache HTTP Server

<IfModule mod_headers.c>
  Header set Access-Control-Allow-Origin "https://example-client.com"
  Header set Access-Control-Allow-Methods "GET,POST,PUT,DELETE"
  Header set Access-Control-Allow-Headers "Content-Type, Authorization"
  Header set Access-Control-Allow-Credentials "true"
</IfModule>

4. Nginx

location /api/ {
  add_header 'Access-Control-Allow-Origin' 'https://example-client.com' always;
  add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
  add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type';
  add_header 'Access-Control-Allow-Credentials' 'true';
}

Preflight Requests (OPTIONS)

For requests that include custom headers or use non-simple HTTP methods (like PUT, DELETE), browsers send a preflight request using OPTIONS.

To support that, servers should handle OPTIONS requests and return appropriate CORS headers.

Example in Node.js:

app.options("*", (req, res) => {
  res.header("Access-Control-Allow-Origin", "https://example-client.com");
  res.header("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE");
  res.header("Access-Control-Allow-Headers", "Content-Type, Authorization");
  // Required on the preflight as well when the real request will carry
  // cookies or an Authorization header; without it the browser rejects the preflight.
  res.header("Access-Control-Allow-Credentials", "true");
  res.sendStatus(204);
});

Security Note

Avoid using:

Access-Control-Allow-Origin: *

if you’re sending cookies or Authorization headers. In such cases, use a specific origin and also set:

Access-Control-Allow-Credentials: true

Using Cloudflare to Maintain a Dynamic Origin Whitelist

If your API is hosted behind Cloudflare, you can use Cloudflare Workers or Cloudflare Gateway Rules to dynamically control and enforce CORS logic at the edge — before the request even reaches your origin server.

Example Using a Cloudflare Worker

addEventListener("fetch", event => {
  event.respondWith(handleRequest(event.request));
});

// Exact origins only: the check below is an equality test, not a prefix
// or substring match, so look-alike origins are not accepted.
const allowedOrigins = [
  "https://example-client.com",
  "https://admin.example.com"
];

async function handleRequest(request) {
  const origin = request.headers.get("Origin");
  const response = await fetch(request);
  const newHeaders = new Headers(response.headers);

  // The CORS headers depend on the Origin, so caches must key on it;
  // otherwise a response allowed for one origin can be replayed to another.
  newHeaders.append("Vary", "Origin");

  if (allowedOrigins.includes(origin)) {
    newHeaders.set("Access-Control-Allow-Origin", origin);
    newHeaders.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
    newHeaders.set("Access-Control-Allow-Headers", "Authorization, Content-Type");
    newHeaders.set("Access-Control-Allow-Credentials", "true");
  }

  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: newHeaders
  });
}

This gives you full control over origin validation and CORS behavior at the network edge, improving performance and offloading logic from your app servers.

You can even maintain the whitelist in a KV store or external API and update it dynamically without redeploying infrastructure.
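The Worker above makes its allow/deny decision inline. As an added example (my code, not the post's), the same decision factored into a pure function that can be unit-tested and reused on the origin server; it also answers preflights at the edge and emits Vary: Origin. The function names and the 600-second max-age are my own choices.

```javascript
// Added example (not from the post): the Worker's allowlist decision as a
// pure function that can be unit-tested and reused on the origin server.
// Unlike the Worker as posted, it answers preflights at the edge, sets
// Vary: Origin, and gives an unknown or missing Origin no CORS headers.
// Names and the 600 s max-age are my own choices.
const ALLOWED_ORIGINS = new Set([
  "https://example-client.com",
  "https://admin.example.com",
]);

function corsDecision(origin, method, acrMethod, allowed = ALLOWED_ORIGINS) {
  // Caches must key on Origin even for denied requests, or a response
  // cached for one origin is replayed to another.
  const headers = { "Vary": "Origin" };
  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const preflight = method === "OPTIONS" && acrMethod !== null;
  // Exact match only: a suffix or substring test would also accept
  // look-alike origins such as https://example-client.com.attacker.test
  if (origin === null || !allowed.has(origin)) {
    return { preflight, allowed: false, headers };
  }
  headers["Access-Control-Allow-Origin"] = origin; // never "*" with credentials
  headers["Access-Control-Allow-Credentials"] = "true";
  if (preflight) {
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return { preflight, allowed: true, headers };
}

// Worker entry point on top of the pure function. A denied preflight still
// gets a 204, but without Allow-Origin the browser blocks the real request.
async function handleCors(request) {
  const d = corsDecision(request.headers.get("Origin"), request.method,
                         request.headers.get("Access-Control-Request-Method"));
  if (d.preflight) {
    return new Response(null, { status: 204, headers: d.headers });
  }
  const upstream = await fetch(request);
  const headers = new Headers(upstream.headers);
  for (const [k, v] of Object.entries(d.headers)) {
    if (k === "Vary") headers.append(k, v); else headers.set(k, v);
  }
  return new Response(upstream.body, {
    status: upstream.status, statusText: upstream.statusText, headers,
  });
}
```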

Concealing email on your website from web crawlers and spammers
https://www.anujvarma.com/concealing-email-on-your-website-from-web-crawlers-and-spammers/
Thu, 08 Sep 2011 23:38:34 +0000

Say you want to display a contact email on your website, but are worried about crawlers, spammers etc. picking it up and making your life miserable. There are a few workarounds, but this one is about as elegant as it gets. In effect, instead of writing out your email inside the mailto: tag, let some JavaScript code spit it out for you (JavaScript is good at spitting out HTML). Not only that, but let it construct the address for you from broken-up components (e.g. for the email address joe@joessite.com you just pass it joe, joessite and 0, where the 0 denotes .com). The JavaScript will construct the full email address for you from these pieces. In effect, your actual email address is not listed ANYWHERE on the site (it is created dynamically by JavaScript), so there's no chance of a crawler or spammer being able to read it.

  1. Include the following javascript (emailconcealer.js) in your file (either inline or referenced).


Code Snippet

  // EmailConcealer.js
  // Lookup table of top-level domains, selected by the numeric index
  // passed as the third argument to mail2().
  var tld_ = new Array();
  tld_[0] = "com";
  tld_[1] = "org";
  tld_[2] = "net";
  tld_[3] = "ws";
  tld_[4] = "info";
  tld_[10] = "co.uk";
  tld_[11] = "org.uk";
  tld_[12] = "gov.uk";
  tld_[13] = "ac.uk";
  var topDom_ = 13;
  var m_ = "mailto:";
  var a_ = "@";
  var d_ = ".";

  // Writes the mailto: link. params is appended to the address (for example a
  // "?subject=..." query string); display is the visible link text.
  function mail2(name, dom, tl, params, display) {
      document.write('<a href="' + m_ + e(name, dom, tl) + params + '">' + display + '</a>');
  }

  // Assembles the address: tl >= 0 selects a TLD from the table, a negative
  // value other than -2 means dom already holds the full domain, and -2 means
  // dom is a scrambled domain that swapper() unscrambles.
  function e(name, dom, tl) {
      var s = name + a_;
      if (tl != -2) {
          s += dom;
          if (tl >= 0)
              s += d_ + tld_[tl];
      }
      else
          s += swapper(dom);
      return s;
  }

  // Unscrambles a domain stored with adjacent characters swapped and dots
  // written as '?'.
  function swapper(d) {
      var s = "";
      for (var i = 0; i < d.length; i += 2)
          if (i + 1 == d.length)
              s += d.charAt(i);
          else
              s += d.charAt(i + 1) + d.charAt(i);
      return s.replace(/\?/g, '.');
  }


2.  If you are inside an ASP.NET content page (or master page), you will need to reference the script within the Page_Load of the content page (or master page). Otherwise, proceed to step 3.

Code Snippet

  protected void Page_Load(object sender, EventArgs e)
  {
      // Reference the script by URL path (forward slashes; a backslash is not
      // a path separator in a URL).
      Page.ClientScript.RegisterClientScriptInclude("selective", ResolveUrl("scripts/emailconcealer.js"));
      // insideJS() is a page-specific startup function that is not shown in this post.
      if (!Master.Page.ClientScript.IsStartupScriptRegistered("alert"))
      {
          Master.Page.ClientScript.RegisterStartupScript
              (this.GetType(), "alert", "insideJS();", true);
      }
  }

3. Insert the following <script> code in your aspx (web page)

Email: <script type="text/javascript">mail2("joe", "joessite", 0, "", "Contact Joe")</script>
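The script above only ever decodes; it never shows how to produce the scrambled domain for the tl = -2 path. As an added example (my code, not the post's), here is a pure-function port of e() and swapper() together with the matching encoder, so a domain can be prepared and checked to round-trip. The names conceal(), reveal() and buildAddress() are my own, and the technique only hides the address from crawlers that do not execute JavaScript.

```javascript
// Added example (not from the post): a pure-function port of the post's
// e() / swapper() decoding plus the encoder the post leaves out, so a domain
// can be prepared for the tl = -2 scrambled path and checked to round-trip.
// conceal(), reveal() and buildAddress() are my own names.
const TLD = { 0: "com", 1: "org", 2: "net", 3: "ws", 4: "info",
              10: "co.uk", 11: "org.uk", 12: "gov.uk", 13: "ac.uk" };

// The pairwise swap the post's swapper() performs. Applying it twice
// returns the original string, which is what makes an encoder possible.
function swapPairs(d) {
  let s = "";
  for (let i = 0; i < d.length; i += 2) {
    s += (i + 1 === d.length) ? d.charAt(i) : d.charAt(i + 1) + d.charAt(i);
  }
  return s;
}

// Encoder: dots become '?' so the stored text is not a dotted domain, then
// adjacent characters are swapped. A literal '?' is rejected because the
// decoder would turn it into a dot.
function conceal(domain) {
  if (domain.includes("?")) throw new Error("domain may not contain '?'");
  return swapPairs(domain.replace(/\./g, "?"));
}

// Decoder, equivalent to the post's swapper().
function reveal(scrambled) {
  return swapPairs(scrambled).replace(/\?/g, ".");
}

// Port of the post's e(): name + "@" + domain, where tl >= 0 picks a TLD
// from the table, tl == -2 unscrambles dom, any other negative uses dom as is.
function buildAddress(name, dom, tl) {
  if (tl === -2) return name + "@" + reveal(dom);
  let s = name + "@" + dom;
  if (tl >= 0) s += "." + TLD[tl];
  return s;
}
```

The string conceal() returns is what you would paste into the page as the dom argument with tl = -2.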

See an example in action

See the email link on my contact form on this website for a live example.

http://cut.ms/bne8

Summary

Don’t be intimidated by spammers, crawlers into hiding your email address on your website. There’s a way to have your cake (put your email link) and eat it too (not let crawlers decipher it).
