{"id":17086,"library":"corser","title":"Corser","description":"Corser is a highly configurable middleware for Node.js designed to handle Cross-Origin Resource Sharing (CORS). It offers a flexible approach to managing CORS preflight requests and setting appropriate response headers, supporting both static whitelists for allowed origins and dynamic origin checking through a callback function. The package's current stable version is 2.0.1, released in August 2016. Due to the lack of updates since then, its release cadence is effectively non-existent, indicating an abandoned or legacy status despite an 'active' project badge from its active development period. Its key differentiators at the time included robust compatibility with Connect and Express middleware, as well as plain Node.js `http` servers, providing granular control over CORS policies for various server setups. Developers should be aware of its CommonJS-only nature and lack of ongoing maintenance.","status":"abandoned","version":"2.0.1","language":"javascript","source_language":"en","source_url":"https://github.com/agrueneberg/Corser","tags":["javascript","cors","cross-origin resource sharing","connect","express","middleware"],"install":[{"cmd":"npm install corser","lang":"bash","label":"npm"},{"cmd":"yarn add corser","lang":"bash","label":"yarn"},{"cmd":"pnpm add corser","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Common integration for web server middleware, used in examples.","package":"express","optional":true},{"reason":"Common integration for web server middleware, used in examples.","package":"connect","optional":true}],"imports":[{"note":"Corser is a CommonJS-only package. It does not support ES Modules directly without transpilation or a CommonJS loader. The main export is the 'corser' object which contains the 'create' method.","wrong":"import corser from 'corser';\nimport { create } from 'corser';","symbol":"corser","correct":"const corser = require('corser');"},{"note":"The primary API is the 'create' method on the default exported 'corser' object, which returns a middleware function.","wrong":"import { create } from 'corser';\nconst corserMiddleware = create();","symbol":"corser.create","correct":"const corser = require('corser');\nconst corserMiddleware = corser.create();"}],"quickstart":{"code":"const express = require('express');\nconst corser = require('corser');\n\nconst app = express();\n\n// Configure Corser to allow all origins by default.\n// For production, specify a whitelist: corser.create({ origins: ['http://localhost:3000'] })\napp.use(corser.create());\n\napp.get('/', function (req, res) {\n    res.writeHead(200, { 'Content-Type': 'text/plain' });\n    res.end('Nice weather today, huh?');\n});\n\napp.listen(1337, () => {\n    console.log('Server listening on http://localhost:1337');\n});\n\n// To run this example:\n// 1. npm install express corser\n// 2. node your_script.js","lang":"javascript","description":"This example demonstrates how to integrate Corser as middleware within an Express.js application, allowing all cross-origin requests by default."},"warnings":[{"fix":"If you need to handle `OPTIONS` requests manually, configure Corser with `corser.create({ endPreflightRequests: false })` and implement your own handler.","message":"In version 2.0.0, the default behavior for preflight requests changed: they are now automatically closed. To retain previous behavior (where you handle OPTIONS requests yourself), you must explicitly set `endPreflightRequests` to `false` in the configuration object.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Update your dynamic origin callback function to accept an error parameter: `function(origin, callback) { callback(null, matches); }`.","message":"The callback function for dynamic origin checking changed its signature in v2.0.0 from `(matches)` to `(err, matches)`. Existing implementations relying on the old signature will break.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Always use `const corser = require('corser');` for importing. If in an ESM project, consider using a different, actively maintained CORS middleware that supports ESM.","message":"Corser is a CommonJS-only package. Attempting to import it using ES Module `import` syntax will result in errors in modern Node.js environments unless a compatible transpiler or loader is used.","severity":"gotcha","affected_versions":">=0.4.0"},{"fix":"Evaluate newer, actively maintained CORS middleware solutions like the 'cors' package (npmjs.com/package/cors) for modern applications.","message":"The package has not been updated since August 2016. This means it lacks support for newer Node.js features, potential security updates, or bug fixes for modern browser behaviors beyond what was addressed in v2.0.1 for Chrome 52.","severity":"gotcha","affected_versions":">=0.4.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Use the correct CommonJS `require` syntax: `const corser = require('corser');` then `corser.create()`.","cause":"Attempting to use `import corser from 'corser';` or `import * as corser from 'corser';` which incorrectly handles the CommonJS default export, or trying to destructure a non-existent named export.","error":"TypeError: corser.create is not a function"},{"fix":"Either convert your project to CommonJS (remove 'type: module' from package.json) or use a different CORS middleware that supports ES Modules. You could also explore `createRequire` for advanced interoperability, but it's generally not recommended for simple imports.","cause":"Attempting to use `require('corser')` within an ES Module (type: 'module' in package.json or .mjs file) context in Node.js.","error":"ReferenceError: require is not defined"},{"fix":"Ensure the `origins` array explicitly includes the client's origin (e.g., `['http://localhost:3000']`) or that your dynamic origin function correctly returns `true` for the callback. Check for typos in the origin URL. Also ensure Corser middleware is applied correctly and not skipped.","cause":"The `origins` configuration in `corser.create()` is either too restrictive, the requested origin is not whitelisted, or the dynamic origin function is failing to match.","error":"Access to fetch at '...' from origin '...' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."},{"fix":"Review your middleware setup to ensure `app.use(corser.create())` or similar is called only once per request or once during app initialization. This often happens if it's included in a generic router that's also mounted globally.","cause":"CORS middleware is being applied multiple times in the request processing chain, leading to duplicate 'Access-Control-Allow-Origin' headers.","error":"The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed."}],"ecosystem":"npm","meta_description":null}