I'm building an application which I allow users to cross-origin-ly send request to my domain. My only concern is that, how can I check which address is sending the requests?
What I have found:
By using
function checkOrigin() {
//req represents a correct request parameter
return req.headers[ 'x-forwarded-for' ] ||
req.connection.remoteAddress ||
req.socket.remoteAddress ||
req.connection.socket.remoteAddress;
}
I am able to grab the IP of the server from which the request was made. Am I correct? Please correct me if I'm wrong. But then, it leads to two extra concerns:
1) What if the user is using shared hosting service? Doesn't it mean all users without dedicated IP will be seen as one? In that case, the best way to deal with it is to allow domain name, not IP, in my opinion. For example, I authorize only requests from www.trustedDomain.com, and doesn't care about its IP.
2) Then how can I retrieve the host name (domain name) that is sending the request?
Is this check a trusted way to make CORS available? Please advise any better solution to enlighten me.