I have added the code below in RED.js to enable headers for Node-RED. But the Access-Control-Allow-Origin header is not coming as . It's coming as *.
Other headers are reflecting in node-red.

app.use(function(req, res, next) {
  // CORS response headers
  res.setHeader("Access-Control-Allow-Origin", "");
  res.setHeader('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Content-Length, X-Requested-With');
  // Framing, XSS filter and HSTS headers
  res.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
  res.setHeader("X-Frame-Options", "DENY");
  res.setHeader("X-XSS-Protection", "1; mode=block");
  res.setHeader("Strict-Transport-Security", "max-age=31536000");
  // Hand the request on to the next handler
  next();
});

I want to implement this at the node-red level.

Can you tell me how I can whitelist some domain in node-red?
Can I put node-red headers from settings.js as well?

You seem to be amending the core of Node-RED to make it possible to access Node-RED endpoints from an unsecured Google location.

This strikes me as unwise on several levels.

Firstly, I doubt that Nick will want this in the core code. Certainly I wouldn't be happy to see it. Additionally, I'm not sure that it is even necessary to put it there, but we don't have enough information about what you are trying to do to be able to help.

Secondly, the purpose of those headers is to enable secure connections between domains and so trying to include a non-TLS connected domain is probably not wise. If I remember correctly, I'm not even sure that you can do anything other than "*" for a non-TLS connection.

Not unless you can explain more about what you are trying to achieve and why you can't do it at the flow level rather than having to hack the core.

I want to configure CORS in Node-RED.

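The domain allowlisting asked about in this thread, as an added example that is not part of any post and not Node-RED's own code: an Express-style middleware that returns `Access-Control-Allow-Origin` only for an exact match against an allowlist, instead of `*`. The origins in `ALLOWED_ORIGINS` and the helper names `corsAllowlist` and `simulate` are constructed for illustration.

```javascript
// Constructed placeholder origins; an origin is scheme + host + port, compared exactly.
const ALLOWED_ORIGINS = new Set([
  "https://dashboard.example.com",
  "https://admin.example.com",
]);

function corsAllowlist(allowed) {
  return function (req, res, next) {
    const origin = req.headers.origin;
    // The response now differs per origin, so shared caches must key on it.
    res.setHeader("Vary", "Origin");
    if (origin && allowed.has(origin)) {
      // The header holds one origin (or *), never a list: echo the matched one.
      res.setHeader("Access-Control-Allow-Origin", origin);
      res.setHeader("Access-Control-Allow-Methods", "GET,PUT,POST,DELETE,OPTIONS");
      res.setHeader("Access-Control-Allow-Headers",
        "Content-Type, Authorization, Content-Length, X-Requested-With");
    }
    // A CORS preflight is an OPTIONS request carrying Access-Control-Request-Method.
    if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
      res.statusCode = 204;
      return res.end();
    }
    next();
  };
}

// Minimal stand-ins for req/res so the behaviour can be checked without a server.
function simulate(method, origin, requestMethod) {
  const headers = {};
  const reqHeaders = {};
  if (origin) reqHeaders.origin = origin;
  if (requestMethod) reqHeaders["access-control-request-method"] = requestMethod;
  const out = { headers, ended: false, passed: false };
  const res = {
    statusCode: 200,
    setHeader: (k, v) => { headers[k.toLowerCase()] = v; },
    end: () => { out.ended = true; },
  };
  corsAllowlist(ALLOWED_ORIGINS)({ method, headers: reqHeaders }, res, () => { out.passed = true; });
  out.status = res.statusCode;
  return out;
}

console.log(simulate("GET", "https://dashboard.example.com").headers);
console.log(simulate("GET", "http://dashboard.example.com").headers);
```

In Node-RED, settings.js has an `httpNodeMiddleware` option that takes a function of this shape for HTTP In nodes, and an `httpNodeCors` option whose value is passed to the `cors` package, so neither requires editing the core.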