• Stars
    star
    5,961
  • Rank 6,750 (Top 0.2 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created over 11 years ago
  • Updated 7 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Node.js CORS middleware

cors

NPM Version NPM Downloads Build Status Test Coverage

CORS is a node.js package for providing a Connect/Express middleware that can be used to enable CORS with various options.

Follow me (@troygoode) on Twitter!

Installation

This is a Node.js module available through the npm registry. Installation is done using the npm install command:

$ npm install cors

Usage

Simple Usage (Enable All CORS Requests)

var express = require('express')
var cors = require('cors')
var app = express()

app.use(cors())

app.get('/products/:id', function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for all origins!'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})

Enable CORS for a Single Route

var express = require('express')
var cors = require('cors')
var app = express()

app.get('/products/:id', cors(), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for a Single Route'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})

Configuring CORS

var express = require('express')
var cors = require('cors')
var app = express()

var corsOptions = {
  origin: 'http://example.com',
  optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204
}

app.get('/products/:id', cors(corsOptions), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for only example.com.'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})

Configuring CORS w/ Dynamic Origin

This module supports validating the origin dynamically using a function provided to the origin option. This function will be passed a string that is the origin (or undefined if the request has no origin), and a callback with the signature callback(error, origin).

The origin argument to the callback can be any value allowed for the origin option of the middleware, except a function. See the configuration options section for more information on all the possible value types.

This function is designed to allow the dynamic loading of allowed origin(s) from a backing datasource, like a database.

var express = require('express')
var cors = require('cors')
var app = express()

var corsOptions = {
  origin: function (origin, callback) {
    // db.loadOrigins is an example call to load
    // a list of origins from a backing database
    db.loadOrigins(function (error, origins) {
      callback(error, origins)
    })
  }
}

app.get('/products/:id', cors(corsOptions), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for an allowed domain.'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})

Enabling CORS Pre-Flight

Certain CORS requests are considered 'complex' and require an initial OPTIONS request (called the "pre-flight request"). An example of a 'complex' CORS request is one that uses an HTTP verb other than GET/HEAD/POST (such as DELETE) or that uses custom headers. To enable pre-flighting, you must add a new OPTIONS handler for the route you want to support:

var express = require('express')
var cors = require('cors')
var app = express()

app.options('/products/:id', cors()) // enable pre-flight request for DELETE request
app.del('/products/:id', cors(), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for all origins!'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})

You can also enable pre-flight across-the-board like so:

app.options('*', cors()) // include before other routes

NOTE: When using this middleware as an application level middleware (for example, app.use(cors())), pre-flight requests are already handled for all routes.

Configuring CORS Asynchronously

var express = require('express')
var cors = require('cors')
var app = express()

var allowlist = ['http://example1.com', 'http://example2.com']
var corsOptionsDelegate = function (req, callback) {
  var corsOptions;
  if (allowlist.indexOf(req.header('Origin')) !== -1) {
    corsOptions = { origin: true } // reflect (enable) the requested origin in the CORS response
  } else {
    corsOptions = { origin: false } // disable CORS for this request
  }
  callback(null, corsOptions) // callback expects two parameters: error and options
}

app.get('/products/:id', cors(corsOptionsDelegate), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for an allowed domain.'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})

Configuration Options

  • origin: Configures the Access-Control-Allow-Origin CORS header. Possible values:
    • Boolean - set origin to true to reflect the request origin, as defined by req.header('Origin'), or set it to false to disable CORS.
    • String - set origin to a specific origin. For example if you set it to "http://example.com" only requests from "http://example.com" will be allowed.
    • RegExp - set origin to a regular expression pattern which will be used to test the request origin. If it's a match, the request origin will be reflected. For example the pattern /example\.com$/ will reflect any request that is coming from an origin ending with "example.com".
    • Array - set origin to an array of valid origins. Each origin can be a String or a RegExp. For example ["http://example1.com", /\.example2\.com$/] will accept any request from "http://example1.com" or from a subdomain of "example2.com".
    • Function - set origin to a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (called as callback(err, origin), where origin is a non-function value of the origin option) as the second.
  • methods: Configures the Access-Control-Allow-Methods CORS header. Expects a comma-delimited string (ex: 'GET,PUT,POST') or an array (ex: ['GET', 'PUT', 'POST']).
  • allowedHeaders: Configures the Access-Control-Allow-Headers CORS header. Expects a comma-delimited string (ex: 'Content-Type,Authorization') or an array (ex: ['Content-Type', 'Authorization']). If not specified, defaults to reflecting the headers specified in the request's Access-Control-Request-Headers header.
  • exposedHeaders: Configures the Access-Control-Expose-Headers CORS header. Expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array (ex: ['Content-Range', 'X-Content-Range']). If not specified, no custom headers are exposed.
  • credentials: Configures the Access-Control-Allow-Credentials CORS header. Set to true to pass the header, otherwise it is omitted.
  • maxAge: Configures the Access-Control-Max-Age CORS header. Set to an integer to pass the header, otherwise it is omitted.
  • preflightContinue: Pass the CORS preflight response to the next handler.
  • optionsSuccessStatus: Provides a status code to use for successful OPTIONS requests, since some legacy browsers (IE11, various SmartTVs) choke on 204.

The default configuration is the equivalent of:

{
  "origin": "*",
  "methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
  "preflightContinue": false,
  "optionsSuccessStatus": 204
}

For details on the effect of each CORS header, read this article on web.dev.

Demo

A demo that illustrates CORS working (and not working) using React is available here: https://node-cors-client.netlify.com

Code for that demo can be found here:

License

MIT License

Author

Troy Goode ([email protected])

More Repositories

1

express

Fast, unopinionated, minimalist web framework for node.
JavaScript
63,539
star
2

multer

Node.js middleware for handling `multipart/form-data`.
JavaScript
11,285
star
3

morgan

HTTP request logger middleware for node.js
JavaScript
7,790
star
4

session

Simple session middleware for Express
JavaScript
6,163
star
5

body-parser

Node.js body parsing middleware
JavaScript
5,376
star
6

expressjs.com

HTML
5,138
star
7

compression

Node.js compression middleware
JavaScript
2,722
star
8

csurf

CSRF token middleware
2,299
star
9

cookie-parser

Parse HTTP request cookies
JavaScript
1,907
star
10

generator

Express' application generator
JavaScript
1,803
star
11

serve-static

Serve static files
JavaScript
1,368
star
12

cookie-session

Simple cookie-based session middleware
JavaScript
1,104
star
13

vhost

virtual domain hosting
JavaScript
758
star
14

serve-favicon

favicon serving middleware
JavaScript
620
star
15

method-override

Override HTTP verbs.
JavaScript
614
star
16

response-time

Response time header for node.js
JavaScript
458
star
17

serve-index

Serve directory listings
JavaScript
435
star
18

errorhandler

Development-only error handler middleware
JavaScript
423
star
19

express-paginate

Paginate middleware
JavaScript
419
star
20

connect-multiparty

connect middleware for multiparty
JavaScript
347
star
21

express-namespace

Adds namespaced routing capabilities to Express
JavaScript
345
star
22

timeout

Request timeout middleware for Connect/Express
JavaScript
312
star
23

express-expose

Expose raw js, objects, and functions to the client-side (awesome for sharing utils, settings, current user data etc)
JavaScript
299
star
24

basic-auth-connect

Basic auth middleware for node and connect
JavaScript
129
star
25

domain-middleware

`uncaughtException` middleware for connect, base on `domain` module.
JavaScript
101
star
26

api-error-handler

Express error handlers for JSON APIs
JavaScript
100
star
27

flash

JavaScript
92
star
28

restful-router

Simple RESTful url router.
JavaScript
86
star
29

urlrouter

http url router, `connect` missing router middleware
JavaScript
59
star
30

discussions

Public discussions for the Express.js organization
55
star
31

vhostess

virtual host sub-domain mapping
JavaScript
24
star
32

connect-markdown

Auto convert markdown to html for connect.
JavaScript
20
star
33

expressjs.github.io

16
star
34

connect-rid

connect request id middleware
JavaScript
11
star
35

routification

DEPRECATED
JavaScript
10
star
36

mime-extended

DEPRECATED - Please use mime-types instead.
JavaScript
7
star
37

statusboard

A project status board for the Express community
6
star
38

.github

5
star
39

set-type

DEPRECATED - Please use mime-types instead.
JavaScript
5
star
40

security-wg

Express.js Security Working Group
4
star
41

Admin

Admin repository for the Express Organization, including pillarjs and jshttp
2
star