Corser

2.0.1 · abandoned · verified Wed Apr 22

Corser is a highly configurable middleware for Node.js designed to handle Cross-Origin Resource Sharing (CORS). It offers a flexible approach to managing CORS preflight requests and setting appropriate response headers, supporting both static whitelists for allowed origins and dynamic origin checking through a callback function. The package's current stable version is 2.0.1, released in August 2016. Due to the lack of updates since then, its release cadence is effectively non-existent, indicating an abandoned or legacy status despite an 'active' project badge from its active development period. Its key differentiators at the time included robust compatibility with Connect and Express middleware, as well as plain Node.js `http` servers, providing granular control over CORS policies for various server setups. Developers should be aware of its CommonJS-only nature and lack of ongoing maintenance.

Common errors

```
TypeError: corser.create is not a function
```
cause Attempting to use `import corser from 'corser';` or `import * as corser from 'corser';` which incorrectly handles the CommonJS default export, or trying to destructure a non-existent named export.

fix Use the correct CommonJS `require` syntax: `const corser = require('corser');` then `corser.create()`.
```
ReferenceError: require is not defined
```
cause Attempting to use `require('corser')` within an ES Module (type: 'module' in package.json or .mjs file) context in Node.js.

fix Either convert your project to CommonJS (remove 'type: module' from package.json) or use a different CORS middleware that supports ES Modules. You could also explore `createRequire` for advanced interoperability, but it's generally not recommended for simple imports.
```
Access to fetch at '...' from origin '...' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```
cause The `origins` configuration in `corser.create()` is either too restrictive, the requested origin is not whitelisted, or the dynamic origin function is failing to match.

fix Ensure the `origins` array explicitly includes the client's origin (e.g., `['http://localhost:3000']`) or that your dynamic origin function correctly returns `true` for the callback. Check for typos in the origin URL. Also ensure Corser middleware is applied correctly and not skipped.
```
The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.
```
cause CORS middleware is being applied multiple times in the request processing chain, leading to duplicate 'Access-Control-Allow-Origin' headers.

fix Review your middleware setup to ensure `app.use(corser.create())` or similar is called only once per request or once during app initialization. This often happens if it's included in a generic router that's also mounted globally.

Warnings

breaking In version 2.0.0, the default behavior for preflight requests changed: they are now automatically closed. To retain previous behavior (where you handle OPTIONS requests yourself), you must explicitly set `endPreflightRequests` to `false` in the configuration object.
Fix: If you need to handle `OPTIONS` requests manually, configure Corser with `corser.create({ endPreflightRequests: false })` and implement your own handler.
breaking The callback function for dynamic origin checking changed its signature in v2.0.0 from `(matches)` to `(err, matches)`. Existing implementations relying on the old signature will break.
Fix: Update your dynamic origin callback function to accept an error parameter: `function(origin, callback) { callback(null, matches); }`.
gotcha Corser is a CommonJS-only package. Attempting to import it using ES Module `import` syntax will result in errors in modern Node.js environments unless a compatible transpiler or loader is used.
Fix: Always use `const corser = require('corser');` for importing. If in an ESM project, consider using a different, actively maintained CORS middleware that supports ESM.
gotcha The package has not been updated since August 2016. This means it lacks support for newer Node.js features, potential security updates, or bug fixes for modern browser behaviors beyond what was addressed in v2.0.1 for Chrome 52.
Fix: Evaluate newer, actively maintained CORS middleware solutions like the 'cors' package (npmjs.com/package/cors) for modern applications.

Install

npm install corser npm
yarn add corser yarn
pnpm add corser pnpm

Imports

corser
wrong:
```
import corser from 'corser';
import { create } from 'corser';
```
correct:
```
const corser = require('corser');
```
Corser is a CommonJS-only package. It does not support ES Modules directly without transpilation or a CommonJS loader. The main export is the 'corser' object which contains the 'create' method.
corser.create
wrong:
```
import { create } from 'corser';
const corserMiddleware = create();
```
correct:
```
const corser = require('corser');
const corserMiddleware = corser.create();
```
The primary API is the 'create' method on the default exported 'corser' object, which returns a middleware function.

Quickstart

This example demonstrates how to integrate Corser as middleware within an Express.js application, allowing all cross-origin requests by default.

const express = require('express');
const corser = require('corser');

const app = express();

// Configure Corser to allow all origins by default.
// For production, specify a whitelist: corser.create({ origins: ['http://localhost:3000'] })
app.use(corser.create());

app.get('/', function (req, res) {
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end('Nice weather today, huh?');
});

app.listen(1337, () => {
    console.log('Server listening on http://localhost:1337');
});

// To run this example:
// 1. npm install express corser
// 2. node your_script.js

view raw JSON →