Node.js CORS Middleware
CORS is a Node.js middleware for Express and Connect that simplifies setting Cross-Origin Resource Sharing (CORS) response headers. It helps browsers determine which origins can read responses from your server. The current stable version is 2.8.6. Releases are made periodically to address maintenance and update documentation.
Common errors
- Access to XMLHttpRequest at '...' from origin '...' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
  cause: The server's response did not include the 'Access-Control-Allow-Origin' header, or its value did not match the client's origin.
  fix: Ensure the `cors()` middleware is applied to the routes in question. For specific origins, configure the `origin` option of `cors()` (e.g., `cors({ origin: 'http://your-frontend.com' })`). For development, `app.use(cors())` enables all origins.
- Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Headers' header is present on the requested resource.
  cause: The server's preflight (OPTIONS) response did not include the necessary 'Access-Control-Allow-Headers' header; this typically happens when the client sends custom headers.
  fix: If your client sends custom headers (e.g., `Authorization`), list them in the `allowedHeaders` option of the `cors()` middleware (e.g., `cors({ allowedHeaders: ['Content-Type', 'Authorization'] })`).
- Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at ... (Reason: CORS header 'Access-Control-Allow-Credentials' missing).
  cause: The client is sending credentials (e.g., cookies or HTTP authentication), but the server's response did not include `Access-Control-Allow-Credentials: true`.
  fix: Set the `credentials` option to `true` in your `cors()` configuration (e.g., `cors({ origin: 'http://your-frontend.com', credentials: true })`). Also ensure the client-side fetch/XHR request is made with `credentials: 'include'`.
Warnings
- gotcha: This package only sets CORS response headers; it does not block requests. CORS enforcement is handled solely by web browsers. Non-browser clients (e.g., cURL, Postman, server-to-server requests) ignore CORS headers entirely.
- gotcha: Some legacy browsers (like IE11 or various SmartTVs) may choke on a 204 status code for successful OPTIONS pre-flight requests.
- gotcha: When using a dynamic `origin` function to validate origins, return `callback(null, false)` for disallowed origins instead of an error. This correctly signals to the browser to block the request without exposing server-side error details.
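The following JavaScript is an added illustration, not code from the cors package or its documentation. It is a simplified, synchronous model of how the middleware turns its options plus one incoming request into CORS response headers, covering the options named above (`origin` as a literal or a dynamic validator, `allowedHeaders`, `credentials`) and the real `optionsSuccessStatus` option that addresses the 204 gotcha. Assumptions: a request is a plain object `{ method, headers }` with lower-cased header names, the dynamic origin function invokes its callback synchronously, and the sample scenarios at the bottom are constructed for this example.

```javascript
// Added illustration, not the cors package's own source: a simplified, synchronous
// model of how the middleware maps its options and one request to CORS headers.
// Assumptions: requests are plain { method, headers } objects with lower-cased
// header names; a dynamic origin function calls its callback synchronously.

function isOriginAllowed(origin, allowed) {
  if (Array.isArray(allowed)) return allowed.some((a) => isOriginAllowed(origin, a));
  if (typeof allowed === 'string') return origin === allowed;
  if (allowed instanceof RegExp) return allowed.test(origin);
  return Boolean(allowed); // true reflects any origin, false allows none
}

// Value to emit in Access-Control-Allow-Origin, or null when the header is omitted.
function resolveOrigin(option, requestOrigin) {
  if (option === undefined || option === '*') return '*';
  if (typeof option === 'string') return option; // configured literal, even on mismatch
  if (typeof option === 'function') {
    // Dynamic validator: callback(null, false) disallows without surfacing an error;
    // callback(err) is what the real middleware would hand to next(err).
    let error = null;
    let decision = false;
    option(requestOrigin, (err, allow) => { error = err; decision = allow; });
    if (error) throw error;
    if (typeof decision === 'string') return decision;
    return isOriginAllowed(requestOrigin, decision) ? requestOrigin : null;
  }
  return isOriginAllowed(requestOrigin, option) ? requestOrigin : null;
}

// Compute status, headers, and whether the route handler is reached for one request.
function buildCorsResponse(options, req) {
  const opts = Object.assign(
    { methods: 'GET,HEAD,PUT,PATCH,POST,DELETE', optionsSuccessStatus: 204 },
    options
  );
  const requestOrigin = req.headers['origin'];
  const headers = {};
  const vary = [];

  const allowOrigin = resolveOrigin(opts.origin, requestOrigin);
  if (allowOrigin !== null) headers['Access-Control-Allow-Origin'] = allowOrigin;
  if (allowOrigin !== '*') vary.push('Origin'); // response depends on the Origin header
  if (opts.credentials === true) headers['Access-Control-Allow-Credentials'] = 'true';

  if (req.method === 'OPTIONS') {
    // Preflight: answered here with an empty body; the route handler never runs.
    headers['Access-Control-Allow-Methods'] = Array.isArray(opts.methods)
      ? opts.methods.join(',')
      : opts.methods;
    let allowed = opts.allowedHeaders;
    if (allowed === undefined) {
      // Not configured: reflect whatever the browser asked for in the preflight.
      allowed = req.headers['access-control-request-headers'];
      vary.push('Access-Control-Request-Headers');
    } else if (Array.isArray(allowed)) {
      allowed = allowed.join(',');
    }
    if (allowed) headers['Access-Control-Allow-Headers'] = allowed;
    if (vary.length) headers['Vary'] = vary.join(', ');
    return { status: opts.optionsSuccessStatus, headers, handlerRuns: false };
  }

  // Actual request: headers are added, but nothing is blocked server-side.
  if (vary.length) headers['Vary'] = vary.join(', ');
  return { status: 200, headers, handlerRuns: true };
}

// Constructed sample scenarios mirroring the three errors and the gotchas above.
const allowlist = ['http://your-frontend.com'];
const scenarios = {
  // Error 1: configured origin does not match the caller; the browser will block.
  originMismatch: buildCorsResponse(
    { origin: 'http://your-frontend.com' },
    { method: 'GET', headers: { origin: 'http://other.example' } }
  ),
  // Error 2 fixed: custom Authorization header listed in allowedHeaders.
  preflightWithAuth: buildCorsResponse(
    { allowedHeaders: ['Content-Type', 'Authorization'] },
    { method: 'OPTIONS', headers: { origin: 'http://your-frontend.com',
      'access-control-request-method': 'GET',
      'access-control-request-headers': 'authorization' } }
  ),
  // Error 3 fixed: credentials: true alongside an explicit origin.
  withCredentials: buildCorsResponse(
    { origin: 'http://your-frontend.com', credentials: true },
    { method: 'GET', headers: { origin: 'http://your-frontend.com' } }
  ),
  // Gotcha: dynamic validator returns false; no header, yet the handler still runs.
  dynamicDenied: buildCorsResponse(
    { origin: (o, cb) => cb(null, allowlist.includes(o)) },
    { method: 'GET', headers: { origin: 'http://unknown.example' } }
  ),
  // Gotcha: legacy clients that reject 204 on preflight.
  legacyPreflight: buildCorsResponse(
    { optionsSuccessStatus: 200 },
    { method: 'OPTIONS', headers: { origin: 'http://your-frontend.com' } }
  ),
};

console.log(JSON.stringify(scenarios, null, 2));
```

Two things the scenarios make visible that the error messages alone do not: a literal `origin` string is emitted as configured even when the caller's origin differs (the browser, not the server, then rejects the response), and a denied origin results in the header being omitted while the route handler still executes, which is the "does not block requests" gotcha in practice. The real middleware also accepts an asynchronous origin callback; the synchronous call here is a simplification.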
Install
- npm install cors
- yarn add cors
- pnpm add cors
Imports
- cors: `import cors from 'cors'` (ES modules) or `const cors = require('cors')` (CommonJS)
Quickstart
```javascript
var express = require('express');
var cors = require('cors');
var app = express();

// Enable all CORS requests for all routes
app.use(cors());

app.get('/products/:id', function (req, res, next) {
  res.json({ msg: 'Hello' });
});

app.listen(80, function () {
  console.log('web server listening on port 80');
});
```