{"id":10380,"library":"cors","title":"Node.js CORS Middleware","description":"CORS is a Node.js middleware for Express and Connect that simplifies setting Cross-Origin Resource Sharing (CORS) response headers. It helps browsers determine which origins can read responses from your server. The current stable version is 2.8.6. Releases are made periodically to address maintenance and update documentation.","status":"active","version":"2.8.6","language":"javascript","source_language":"en","source_url":"https://github.com/expressjs/cors","tags":["javascript","cors","express","connect","middleware"],"install":[{"cmd":"npm install cors","lang":"bash","label":"npm"},{"cmd":"yarn add cors","lang":"bash","label":"yarn"},{"cmd":"pnpm add cors","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This package primarily uses CommonJS `require()` syntax.","wrong":"import cors from 'cors'","symbol":"cors","correct":"const cors = require('cors')"}],"quickstart":{"code":"var express = require('express');\nvar cors = require('cors');\nvar app = express();\n\n// Enable all CORS requests for all routes\napp.use(cors());\n\napp.get('/products/:id', function (req, res, next) {\n  res.json({msg: 'Hello'});\n});\n\napp.listen(80, function () {\n  console.log('web server listening on port 80');\n});","lang":"javascript","description":"This example shows how to enable CORS for all routes in an Express application, adding the `Access-Control-Allow-Origin: *` header to all responses."},"warnings":[{"fix":"Understand that CORS is a browser security mechanism. Server-side validation of origins or API keys is necessary for non-browser clients or for blocking unwanted requests.","message":"This package only sets CORS response headers; it does not block requests. CORS enforcement is solely handled by web browsers. Non-browser clients (e.g., cURL, Postman, server-to-server requests) completely ignore CORS headers.","severity":"gotcha","affected_versions":">=2.0.0"},{"fix":"When configuring CORS options, set `optionsSuccessStatus: 200` to ensure compatibility with older clients that expect a 200 OK for pre-flight success.","message":"Some legacy browsers (like IE11 or various SmartTVs) may choke on a 204 status code for successful OPTIONS pre-flight requests.","severity":"gotcha","affected_versions":">=2.0.0"},{"fix":"Modify your dynamic origin function to explicitly call `callback(null, false)` for any origin that should not be allowed, rather than `callback(new Error(...))`.","message":"When using a dynamic `origin` function to validate origins, return `callback(null, false)` for disallowed origins instead of an error. This correctly signals to the browser to block the request without exposing server-side error details.","severity":"gotcha","affected_versions":">=2.0.0"}],"env_vars":null,"last_verified":"2026-04-18T00:00:00.000Z","next_check":"2026-07-17T00:00:00.000Z","problems":[{"fix":"Ensure the `cors()` middleware is correctly applied to your routes. For specific origins, configure the `origin` option in `cors()` (e.g., `cors({ origin: 'http://your-frontend.com' })`). For development, `app.use(cors())` enables all origins.","cause":"The server's response did not include the 'Access-Control-Allow-Origin' header, or it did not match the client's origin.","error":"Access to XMLHttpRequest at '...' from origin '...' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."},{"fix":"If your client sends custom headers (e.g., `Authorization`), specify them in the `allowedHeaders` option of the `cors()` middleware (e.g., `cors({ allowedHeaders: ['Content-Type', 'Authorization'] })`).","cause":"The server's preflight (OPTIONS) response did not include the necessary 'Access-Control-Allow-Headers' header, often when custom headers are used.","error":"Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Headers' header is present on the requested resource."},{"fix":"Set the `credentials` option to `true` in your `cors()` middleware configuration (e.g., `cors({ origin: 'http://your-frontend.com', credentials: true })`). Also, ensure your client-side fetch/XHR request has `credentials: 'include'`.","cause":"The client is sending credentials (e.g., cookies, HTTP authentication), but the server did not include `Access-Control-Allow-Credentials: true` in its response.","error":"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at ... (Reason: CORS header 'Access-Control-Allow-Credentials' missing)."}],"ecosystem":"npm"}