Can I only accept traffic from certain requesting domains with Expressjs?


accept a request from example.com is where you have things goofed up. That request isn't coming from example.com. That request is coming from some individual computer that is displaying a web page that it got from example.com. Anyone on the internet can load and run that same web page.

Authentication is typically how you limit who can access what. You require the user to enter some form of credential. You can limit access by client IP (with various limitations), but you've already indicated you don't think that will work.

The usual schemes for limiting who can access your server's functionality are:

  1. Use some sort of authentication scheme (require the user to enter a credential to "log in"). This can be your own auth scheme or can piggyback on some other existing auth scheme.
  2. Whitelist access to your server from only a specific client IP address or range of IP addresses. This is not used very often because it has all sorts of limitations.

FYI, as long as your server does not allow cross-origin requests (which it will not by default), then some other web site can't access your server via a browser (the browser will prevent it). But, any script junkie or hacker still can. Only authentication or IP filtering will prevent a hacker from accessing your service.
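The distinction the answer draws, shown as an added example that is not part of the original answer: Express-style `(req, res, next)` middleware comparing an `Origin` check with token authentication and an IP allowlist. The token, addresses, request objects and the `simulate` helper are constructed for illustration; in a real app the middleware would be registered with `app.use(requireAllowedIp, requireToken)`.

```javascript
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const ALLOWED_ORIGIN = 'https://example.com';           // constructed
const TOKEN_DIGEST = sha256('constructed-demo-token');  // constructed; load from a secret store in practice
const ALLOWED_IPS = new Set(['203.0.113.10']);          // constructed (documentation range)

// Weak gate: Origin is a header the client supplies, so only browsers are bound by it.
function originOnly(req, res, next) {
  if (req.headers.origin === ALLOWED_ORIGIN) return next();
  res.statusCode = 403;
  res.end('forbidden');
}

// Authentication: bearer token, hashed so both buffers have equal length,
// then compared in constant time.
function requireToken(req, res, next) {
  const m = /^Bearer (.+)$/.exec(req.headers.authorization || '');
  if (m && crypto.timingSafeEqual(sha256(m[1]), TOKEN_DIGEST)) return next();
  res.statusCode = 401;
  res.end('unauthorized');
}

// IP allowlist. req.ip is Express's client address; behind a reverse proxy it
// is only meaningful when the app's 'trust proxy' setting is configured.
function requireAllowedIp(req, res, next) {
  if (ALLOWED_IPS.has(req.ip)) return next();
  res.statusCode = 403;
  res.end('forbidden');
}

// Hypothetical stand-in for Express routing: runs the chain, returns the status.
function simulate(chain, req) {
  const res = { statusCode: 200, end() {} };
  let i = 0;
  let handled = false;
  const next = () => (i < chain.length ? chain[i++](req, res, next) : (handled = true));
  next();
  return handled ? 200 : res.statusCode;
}

// Constructed requests: a non-browser client that sets Origin itself, and an authorised caller.
const scripted = { headers: { origin: ALLOWED_ORIGIN }, ip: '198.51.100.7' };
const authorised = { headers: { authorization: 'Bearer constructed-demo-token' }, ip: '203.0.113.10' };

console.log(simulate([originOnly], scripted));                       // passes the Origin-only gate
console.log(simulate([requireAllowedIp, requireToken], scripted));   // rejected by the allowlist
console.log(simulate([requireAllowedIp, requireToken], authorised)); // allowed
```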