What is the correct CORS entry for limiting an http:// connection to a hosted DSP from a home network?

I was walking through the example posted here for DSP authentication (fantastic walk through, by the way, thank you!):

Locally, I’m running the Angularjs application through the grunt web server via $grunt serve

Remotely, I’m running a free-hosted DSP at dreamfactory.com. I have setup CORS to allow ‘*’. This is working just fine!

My question is how I can limit the CORS configuration to only allow a connection from my home web server?

I’ve tried to create an entry for “localhost”, “”, also the IP that is reported from whatismyip.com, the dns entry that my provider lists for my home IP when I ping it, a dyndns entry that I create for my home internet IP… None of them work, except for ‘*’ (which allows anyone to connect).

I don’t think that this is a DreamFactory issue, I think it is an educational issue for me to know what that CORS entry should look like to allow ONLY a connection from my home web server.

Am I missing something obvious?


I’m not overly familiar with the grunt server, however if your code (or some of it) is hosted at https://www.npmjs.com/package/grunt-serve and is making calls to the DF instance, you would need to add a CORS entry for it. If it’s a combination of code running from there and from your local machine then you’d want to add an entry for each.

I also see that this question was posted on SO.

The answer there is thorough and informative as well.

Yes, I posted to both locations. I don’t really think that it’s a DF specific issue, but it is a DF host that I’m using for the REST API.

To clarify, the REST server is on DF’s free, hosted site. With a URL similar to https://dsp-myserver.cloud.dreamfactory.com/

I’m connecting to it from AngularJS code that is running locally on my computer from home. The $grunt serve command basically creating a local, light weight web server to allow me to interact with the Angular code.

If I understand CORS correctly, what it’s doing on the DF server is to stop the DF server from running any of it’s scripts that are requested from another web page that is originating from another web server outside the DF servers’s own domain.

I.E. - The remote DF server won’t run scripts that are requested from my Angular code because the Angular request is coming from another web server.

I can clear all servers to connect to my DF server by using the “*” for the domain name in the CORS settings. This works.

I’m wondering if I can clear ONLY my home server by using something like “” (insert my home internet IP here) to clear the requests from home.

So far I can’t get it to work and I suspect that it has something to do with the "Origin: " header that is sent on the request to the DF server. I’m not positive/can’t see what the DF server is seeing as the origin request, so I can’t clear it in the CORS settings.