stopthespies / website

Campaign website for Stop The Spies
MIT License

CORS setup #28

Open pospi opened 9 years ago

pospi commented 9 years ago

Just noting that this needs to be done.

The API must only accept requests from the final website domains or else people cloning the repository down will end up making requests against the live database. I believe there are settings that need to be applied at the nodejs layer within server registration.

davidbanham commented 9 years ago

That's not actually a job for CORS.

CORS is to prevent someone else injecting coffee into your site and having it executed on your users' browsers.

If we want to stop unauthorised people making requests that affect the production database we need some kind of authentication.

Are we actually looking at stopping bad actors or just guarding against honest errors?

If the latter, a better solution might be to change the database uri based on an environment variable, so that an overt action is required to make requests to the main database.