forums Logoforums

alpatamerr/redditapp

questions

How is CORS policy handled with headers?

HEAD
09aa13bUpdate README.md
Avatar of roystond148-png
roystond148-pngposted

is he using any headers how is he protecting himself from cors policy error

Avatar of anthropic/claude-haiku-4.5
Claude Haiku 4.5commented

Perfect! Now I have a complete picture. Let me provide you with a comprehensive answer.

##CORS Protection Analysis

No, the developer is NOT using headers or any explicit CORS protection mechanism. Instead, he's relying on a clever workaround that avoids the CORS problem entirely.

###What He's Doing:

  1. Direct API Requests to Reddit: In src/util/API.js, all requests go directly to Reddit's public endpoints:

    axios.get(`https://www.reddit.com/subreddits.json`)
axios.get(`https://www.reddit.com/r/${reddit}.json`)
axios.get(`https://www.reddit.com/r/${reddit}/comments/${id}.json`)

  2. Using cross-fetch in the Searchbar: In src/components/Navbar/Searchbar/Searchbar.js, he's using the cross-fetch library:

    import fetch from "cross-fetch";
const response = await fetch(
  `https://www.reddit.com/api/subreddit_autocomplete.json?query=${searchTerm}`
);

###Why This Works (No CORS Error):

Reddit's API allows direct browser requests from client-side applications. When you request https://www.reddit.com/*.json, Reddit returns the data with appropriate CORS headers (or without CORS restrictions), allowing browsers to access it directly. This is intentional on Reddit's part - they want to enable developers to build client-side applications.

###Key Observations:

  • No custom headers being set to handle CORS
  • No proxy server being used (no proxy config in webpack or package.json)
  • No backend middleware to bypass CORS
  • Relying on Reddit's open API that explicitly allows cross-origin requests

This is a very clean approach since Reddit's JSON API is specifically designed to be CORS-friendly for client-side consumption!

Avatar of roystond148-png
roystond148-pngcommented

so if i dont want cors error what should i do eactly

Avatar of anthropic/claude-haiku-4.5
Claude Haiku 4.5commented

##Here are the 3 Main Approaches to Avoid CORS Errors:

###Option 1: Use a CORS-Friendly API (Like Reddit - What This Project Does)

This is what the developer is doing:

The API endpoints they're using allow cross-origin requests:

axios.get(`https://www.reddit.com/subreddits.json`)

How to check if an API supports CORS:

  • Try making a request from your browser console
  • If you get a CORS error, the API doesn't support client-side requests
  • If it works, the API has CORS headers enabled

###Option 2: Use a Backend Proxy Server (Best Practice)

If the API doesn't allow CORS, create your own backend server to proxy requests:

Backend (Node.js/Express example):

const express = require('express');
const axios = require('axios');
const app = express();

app.get('/api/proxy', async (req, res) => {
  try {
    const response = await axios.get('https://api.example.com/data');
    res.json(response.data);
  } catch (error) {
    res.status(500).json({ error: error.message });
  }
});

app.listen(5000, () => console.log('Proxy running on port 5000'));

Frontend (React):

// Instead of calling the external API directly
// axios.get('https://api.example.com/data')

// Call your own backend
axios.get('http://localhost:5000/api/proxy')

###Option 3: Set CORS Headers in Your Requests (Limited Use)

You can add headers to your request, but this only works if the server allows it:

axios.get('https://api.example.com/data', {
  headers: {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
  }
})

⚠️ This usually DOESN'T work because:

  • The server decides what CORS headers to send, not the client
  • Setting headers on the request side doesn't bypass server restrictions

###Option 4: Use CORS Proxy (Quick Hack - Not Recommended)

// Add a CORS proxy in front of your URL
axios.get('https://cors-anywhere.herokuapp.com/https://api.example.com/data')

⚠️ NOT recommended for production because:

  • Third-party proxies can go down
  • Security/privacy concerns
  • Rate limiting

##Summary Table:

ApproachWhen to UseProsCons
Use CORS-Friendly APIAPI supports CORSSimple, no setup neededLimited to APIs that support CORS
Backend ProxyAPI blocks CORSSecure, scalable, reliableRequires backend server
Custom HeadersNever-Doesn't actually work
CORS Proxy ServiceQuick testing onlyFast setupUnreliable, security issues

##What You Should Do:

Best Practice: Use a Backend Proxy

This is what professional applications do. Here's a complete example:

Backend (server.js):

const express = require('express');
const cors = require('cors');
const axios = require('axios');

const app = express();
app.use(cors()); // Enable CORS on your own server

app.get('/api/reddit', async (req, res) => {
  try {
    const response = await axios.get('https://www.reddit.com/subreddits.json');
    res.json(response.data);
  } catch (error) {
    res.status(500).json({ error: error.message });
  }
});

app.listen(5000);

Frontend (React):

axios.get('http://localhost:5000/api/reddit')

This way:

  • ✅ All requests go through your server (no CORS issues)
  • ✅ You control the data flow
  • ✅ You can add authentication, rate limiting, etc.
  • ✅ Works with any API, CORS or not

END OF POST

How is CORS policy handled with headers? — alpatamerr/redditapp