{"id":17929,"library":"restify-cors-middleware","title":"Restify CORS Middleware","description":"restify-cors-middleware is a library providing W3C-compliant Cross-Origin Resource Sharing (CORS) middleware specifically designed for Restify servers. The current stable version is 1.1.1. This library offers robust control over allowed origins, headers, and preflight requests. Key differentiators include its dynamic handling of `Access-Control-Allow-Origin` by returning the matched origin rather than a simple wildcard, which enhances security. It supports flexible origin specification using strings, wildcards, and regular expressions. The package maintains compatibility with a broad range of Restify versions (2.6.x - 7.x.x) through its peer dependency. While a specific release cadence isn't documented, historical releases show updates addressing security concerns, such as the upgrade to Restify 4.1.x to fix a `negotiator` module vulnerability in version 0.0.7. It is predominantly used in CommonJS environments.","status":"active","version":"1.1.1","language":"javascript","source_language":"en","source_url":"https://github.com/TabDigital/restify-cors-middleware","tags":["javascript","restify","cors","cross origin","headers"],"install":[{"cmd":"npm install restify-cors-middleware","lang":"bash","label":"npm"},{"cmd":"yarn add restify-cors-middleware","lang":"bash","label":"yarn"},{"cmd":"pnpm add restify-cors-middleware","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Core server framework that this middleware integrates with.","package":"restify","optional":false}],"imports":[{"note":"This module is primarily CommonJS. 
While ESM interop might work, the standard and officially documented usage is `require()`.","wrong":"import corsMiddleware from 'restify-cors-middleware'","symbol":"corsMiddleware","correct":"const corsMiddleware = require('restify-cors-middleware')"}],"quickstart":{"code":"const restify = require('restify');\nconst corsMiddleware = require('restify-cors-middleware');\n\nconst server = restify.createServer({\n  name: 'my-restify-app'\n});\n\nconst cors = corsMiddleware({\n  preflightMaxAge: 5, // Optional: cache preflight responses for 5 seconds\n  origins: [\n    'http://localhost:3000', // Example allowed client origin\n    'http://myfrontend.com',\n    /^https?:\\/\\/staging\\.myfrontend\\.com(:[\\d]+)?$/ // Regex for staging environment\n  ],\n  allowHeaders: ['API-Token', 'X-Requested-With'], // Headers client is allowed to send\n  exposeHeaders: ['API-Token-Expiry', 'X-Custom-Header'] // Headers client is allowed to read\n});\n\nserver.pre(cors.preflight); // Handle preflight OPTIONS requests before routing\nserver.use(cors.actual);    // Handle actual CORS requests and apply headers\n\nserver.get('/hello', (req, res, next) => {\n  res.send({ message: 'Hello from Restify!' });\n  return next();\n});\n\nserver.listen(8080, () => {\n  console.log('%s listening at %s', server.name, server.url);\n});","lang":"javascript","description":"This code sets up a basic Restify server with CORS protection, configuring allowed origins, headers, and demonstrating how to apply the preflight and actual CORS middleware."},"warnings":[{"fix":"Upgrade `restify-cors-middleware` to at least v0.0.7 and ensure your `restify` peer dependency is 4.1.X or newer to address known vulnerabilities.","message":"Older versions (prior to v0.0.7) of `restify-cors-middleware` might depend on `restify` versions vulnerable to security issues, specifically with the `negotiator` module. 
This meant the `negotiator` vulnerability was reachable through the framework even though the middleware itself was not at fault; v0.0.7 moved the peer dependency to Restify 4.1.x to resolve it.","severity":"breaking","affected_versions":"<0.0.7"},{"fix":"List the exact origins you trust: exact strings, or regular expressions anchored with `^` and `$` so that a host such as `staging.myfrontend.com.attacker.example` cannot satisfy a rule meant for `staging.myfrontend.com`. Avoid `origins: ['*']` unless the API is genuinely public and serves nothing that depends on the caller's cookies or credentials.","message":"`origins: ['*']` is a valid configuration, but it lets a page on any site read responses from your API. Because the middleware echoes the request's `Origin` rather than a literal `*`, each response looks origin-specific, yet every origin is accepted, so this does not reduce the exposure of an open CORS policy; if credentialed requests are also allowed, any site can make requests that carry the user's cookies.","severity":"gotcha","affected_versions":">=0.0.1"},{"fix":"Browsers add `Origin` automatically, so no client-side change is needed. When testing by hand, send it explicitly, e.g. `curl -H 'Origin: http://myfrontend.com' http://localhost:8080/hello`, and to exercise the preflight path use `curl -X OPTIONS -H 'Origin: http://myfrontend.com' -H 'Access-Control-Request-Method: GET' http://localhost:8080/hello`.","message":"Requests that do not include an `Origin` header (same-origin navigations, many non-browser clients, or a cURL request without `-H 'Origin: ...'`) receive no CORS response headers at all, as the W3C spec requires. This is a common source of confusion when testing from the command line or wiring up non-browser clients.","severity":"gotcha","affected_versions":">=0.0.1"},{"fix":"Make sure responses carry `Vary: Origin` and that the proxy or CDN honours `Vary`, so a response generated for one origin is cached separately from responses for others; if the cache cannot honour `Vary`, add the `Origin` request header to its cache key.","message":"When a reverse proxy or CDN (e.g. Varnish, Nginx, a CDN edge) sits in front of the Restify application and caches responses without keying on the `Origin` request header, the `Access-Control-Allow-Origin` value computed for one request is replayed to requests from other origins, and browsers on an allowed origin are served a header computed for a different origin (or none at all) and block the response.","severity":"gotcha","affected_versions":">=0.0.1"}],"env_vars":null,"last_verified":"2026-04-23T00:00:00.000Z","next_check":"2026-07-22T00:00:00.000Z","problems":[{"fix":"Verify that your client-side code sends an `Origin` header for cross-origin requests. 
Double-check the `origins` configuration in `corsMiddleware` to ensure the client's origin is correctly specified (using exact strings or a matching regular expression).","cause":"The client request might not be sending an `Origin` header, or the `Origin` header sent does not match any of the configured `origins` in the middleware.","error":"CORS headers are missing or incorrect for my client requests."},{"fix":"Update your reverse proxy configuration to include `Vary: Origin` in its caching directives. This instructs the proxy to store separate cached versions for requests originating from different domains.","cause":"A reverse proxy (like Varnish or a CDN) is caching responses without considering the `Origin` header, leading to an `Access-Control-Allow-Origin` value being served inappropriately to subsequent requests from different origins.","error":"My caching layer is serving incorrect CORS headers to different clients."},{"fix":"Upgrade `restify-cors-middleware` to the latest stable version (1.1.1 or newer). Additionally, ensure your `restify` peer dependency is `4.1.X` or higher, as recommended by the `restify-cors-middleware` documentation since v0.0.7.","cause":"You are using an older version of `restify-cors-middleware` or `restify` that contains known vulnerabilities in its dependency tree, specifically affecting `negotiator`.","error":"Security scanner reports vulnerability in 'negotiator' module or Restify dependency."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}
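The origin allow-list behaviour the entry describes (string, wildcard and RegExp origins; echoing the matched origin instead of a literal `*`; no CORS headers when the request has no `Origin`; `Vary: Origin` for caches) can be modelled and unit-tested without a running Restify server. The following is an added example written for this page, not code from restify-cors-middleware or Restify: it reimplements the matching policy in plain Node so the quickstart's `origins` list can be checked against hostile origins, and it adds an `auditOrigins` check for the two configuration mistakes that silently turn an allow-list into an open policy. The `corsHeaders` function, its fixed method list, and the `auditOrigins` helper are assumptions of this model and are not options or functions of the library; header names in `reqHeaders` are lowercase, as in Node's `req.headers`.

```javascript
// Added example: a stand-alone model of the origin allow-list policy described
// on this page. Not the middleware's own code; it imports neither restify nor
// restify-cors-middleware.

// The same allow-list as the page's quickstart (constructed sample config).
const ORIGINS = [
  'http://localhost:3000',
  'http://myfrontend.com',
  /^https?:\/\/staging\.myfrontend\.com(:\d+)?$/, // anchored: nothing may follow the host/port
];

// Does one configured rule accept this Origin? Strings must match exactly,
// RegExps are tested, and the '*' wildcard accepts anything.
function originMatches(rule, origin) {
  if (rule instanceof RegExp) return rule.test(origin);
  if (rule === '*') return true;
  return rule === origin;
}

// Origin to echo in Access-Control-Allow-Origin, or null for "no CORS headers".
// Even for '*' the request's own Origin is returned, never a literal '*': that
// is the "matched origin" behaviour the page describes, and it is also why '*'
// does not look open when you inspect a single response.
function matchOrigin(origins, origin) {
  if (typeof origin !== 'string' || origin.length === 0) return null; // no Origin header: not a CORS request
  return origins.some((rule) => originMatches(rule, origin)) ? origin : null;
}

// Response headers for one request. A preflight is an OPTIONS request that
// carries Access-Control-Request-Method; anything else is an "actual" request.
// (Hypothetical helper; the real middleware splits this into cors.preflight
// and cors.actual and derives allowed methods from the router.)
function corsHeaders(config, method, reqHeaders) {
  // Vary: Origin on every response, so a shared cache never replays one
  // origin's Access-Control-Allow-Origin (or its absence) to another origin.
  const headers = { Vary: 'Origin' };
  const origin = matchOrigin(config.origins, reqHeaders.origin);
  if (origin === null) return headers; // no Origin, or not allow-listed: no CORS headers at all

  headers['Access-Control-Allow-Origin'] = origin;
  const isPreflight = method === 'OPTIONS' && 'access-control-request-method' in reqHeaders;
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = 'GET, HEAD, POST, PUT, DELETE, OPTIONS'; // fixed list in this model
    if ((config.allowHeaders || []).length) headers['Access-Control-Allow-Headers'] = config.allowHeaders.join(', ');
    if (config.preflightMaxAge !== undefined) headers['Access-Control-Max-Age'] = String(config.preflightMaxAge);
  } else if ((config.exposeHeaders || []).length) {
    headers['Access-Control-Expose-Headers'] = config.exposeHeaders.join(', ');
  }
  return headers;
}

// Configuration audit (added helper): flags the '*' wildcard and any RegExp
// that is not anchored at both ends. An unanchored /staging\.myfrontend\.com/
// also accepts https://staging.myfrontend.com.attacker.example.
function auditOrigins(origins) {
  const findings = [];
  origins.forEach((rule, i) => {
    if (rule === '*') findings.push(`origins[${i}]: wildcard '*' reflects any Origin`);
    if (rule instanceof RegExp && !(rule.source.startsWith('^') && rule.source.endsWith('$'))) {
      findings.push(`origins[${i}]: RegExp ${rule} is not anchored with ^ and $`);
    }
  });
  return findings;
}

// Stand-alone demo with the quickstart's settings.
const demoConfig = { origins: ORIGINS, allowHeaders: ['API-Token', 'X-Requested-With'], exposeHeaders: ['API-Token-Expiry'], preflightMaxAge: 5 };
console.log(corsHeaders(demoConfig, 'OPTIONS', { origin: 'https://staging.myfrontend.com:8443', 'access-control-request-method': 'PUT' }));
console.log(corsHeaders(demoConfig, 'GET', {})); // only Vary: no Origin header
console.log(auditOrigins(['*', /staging\.myfrontend\.com/]));
```

Run `auditOrigins` over the `origins` array in CI before deploying a config change; the anchoring check is what keeps the quickstart's staging rule from matching look-alike hosts, and the wildcard check catches the `'*'` case the warning above describes.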