{"id":19229600,"url":"https://github.com/agrueneberg/corser","last_synced_at":"2025-04-05T06:06:04.967Z","repository":{"id":57209574,"uuid":"2593318","full_name":"agrueneberg/Corser","owner":"agrueneberg","description":"CORS middleware for Node.js","archived":false,"fork":false,"pushed_at":"2018-07-20T18:03:20.000Z","size":1935,"stargazers_count":91,"open_issues_count":2,"forks_count":11,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-29T05:05:18.422Z","etag":null,"topics":["cors","express","middleware","nodejs","rest","xmlhttprequest"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/agrueneberg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2011-10-17T16:59:55.000Z","updated_at":"2021-08-29T11:16:39.000Z","dependencies_parsed_at":"2022-09-10T23:41:37.732Z","dependency_job_id":null,"html_url":"https://github.com/agrueneberg/Corser","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agrueneberg%2FCorser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agrueneberg%2FCorser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agrueneberg%2FCorser/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agrueneberg%2FCorser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/agrueneberg","download_url":"https://codeload.github.com/agrueneberg/Corser/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247294537,"owners_count":20915340,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cors","express","middleware","nodejs","rest","xmlhttprequest"],"created_at":"2024-11-09T15:34:48.926Z","updated_at":"2025-04-05T06:06:04.933Z","avatar_url":"https://github.com/agrueneberg.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"Corser\n=======\n\n[![Project Status: Active - The project has reached a stable, usable state and is being actively developed.](http://www.repostatus.org/badges/0.1.0/active.svg)](http://www.repostatus.org/#active)\n[![Build Status](https://secure.travis-ci.org/agrueneberg/Corser.png)](http://travis-ci.org/agrueneberg/Corser)\n\nA highly configurable, middleware compatible implementation of [CORS](http://www.w3.org/TR/cors/) for [Node.js](http://nodejs.org/).\n\n\nChangelog\n---------\n\n### 2.0.1 (August 16, 2016)\n\n* Add workaround for [Chrome 52 sending empty `Access-Control-Request-Headers` header](https://bugs.chromium.org/p/chromium/issues/detail?id=633729).\n\n### 2.0.0 (March 22, 2014)\n\n* Preflight requests are automatically closed. If there is a need for handling `OPTIONS` requests, check the `endPreflightRequests` option.\n* The parameters of the callback function in dynamic origin checking are now `(err, matches)` instead of just `(matches)`.\n\n\nExamples\n--------\n\n### How to use Corser as a middleware in Express\n\nSee `example/express/` for a working example.\n\n    var express, corser, app;\n\n    express = require(\"express\");\n    corser = require(\"corser\");\n\n    app = express();\n\n    app.use(corser.create());\n\n    app.get(\"/\", function (req, res) {\n        res.writeHead(200);\n        res.end(\"Nice weather today, huh?\");\n    });\n\n    app.listen(1337);\n\n### How to use Corser as a middleware in Connect\n\nSee `example/connect/` for a working example.\n\n    var connect, corser, app;\n\n    connect = require(\"connect\");\n    corser = require(\"corser\");\n\n    app = connect();\n\n    app.use(corser.create());\n\n    app.use(function (req, res) {\n        res.writeHead(200);\n        res.end(\"Nice weather today, huh?\");\n    });\n\n    app.listen(1337);\n\n### How to use Corser with plain `http`\n\n    var http, corser, corserRequestListener;\n\n    http = require(\"http\");\n    corser = require(\"corser\");\n\n    // Create Corser request listener.\n    corserRequestListener = corser.create();\n\n    http.createServer(function (req, res) {\n        // Route req and res through the request listener.\n        corserRequestListener(req, res, function () {\n            res.writeHead(200);\n            res.end(\"Nice weather today, huh?\");\n        });\n    }).listen(1337);\n\n\nAPI\n---\n\n### Creating a Corser request listener\n\nCreating a Corser request listener that generates the appropriate response headers to enable CORS is as simple as:\n\n    corser.create()\n\nThis is the equivalent of setting a response header of `Access-Control-Allow-Origin: *`. If you want to restrict the origins, or allow more sophisticated request or response headers, you have to pass a configuration object to `corser.create`.\n\nCorser will automatically end preflight requests for you. A preflight request is a special `OPTIONS` request that the browser sends under certain conditions to negotiate with the server what methods, request headers and response headers are allowed for a CORS request. If you need to use the `OPTIONS` method for other stuff, just set `endPreflightRequests` to `false` and terminate those requests yourself:\n\n    var corserRequestListener;\n\n    corserRequestListener = corser.create({\n        endPreflightRequests: false\n    });\n\n    corserRequestListener(req, res, function () {\n        if (req.method === \"OPTIONS\") {\n            // End CORS preflight request.\n            res.writeHead(204);\n            res.end();\n        } else {\n            // Implement other HTTP methods.\n        }\n    });\n\n\n#### Configuration Object\n\nA configuration object with the following properties can be passed to `corser.create`.\n\n##### `origins`\n\nA case-sensitive whitelist of origins. If the request comes from an origin that is not in this list, it will not be handled by CORS. To accept all origins (the `Access-Control-Allow-Origin: *` behavior), omit the property or set it to an empty array (`[]`).\n\nTo allow for dynamic origin checking, a function `(origin, callback)` can be passed instead of an array. `origin` is the Origin header, `callback` is a function `(err, matches)`, where `matches` is a boolean flag that indicates whether the given Origin header matches or not.\n\nDefault: all origins are accepted.\n\n##### `methods`\n\nAn uppercase whitelist of methods. If the request uses a method that is not in this list, it will not be handled by CORS.\n\nSetting a value here will overwrite the list of default simple methods. To not lose them, concat the methods you want to add with `corser.simpleMethods`: `corser.simpleMethods.concat([\"PUT\", \"DELETE\"])`.\n\nDefault: simple methods (`GET`, `HEAD`, `POST`).\n\n##### `requestHeaders`\n\nA case-insensitive whitelist of request headers. If the request uses a request header that is not in this list, it will not be handled by CORS.\n\nSetting a value here will overwrite the list of default simple request headers. To not lose them, concat the request headers you want to add with `corser.simpleRequestHeaders`: `corser.simpleRequestHeaders.concat([\"Authorization\"])`.\n\nDefault: simple request headers (`Accept`, `Accept-Language`, `Content-Language`, `Content-Type`, `Last-Event-ID`).\n\n##### `responseHeaders`\n\nA case-insensitive whitelist of response headers. Any response header that is not in this list will be filtered out by the user-agent (the browser).\n\nSetting a value here will overwrite the list of default simple response headers. To not lose them, concat the response headers you want to add with `corser.simpleResponseHeaders`: `corser.simpleResponseHeaders.concat([\"ETag\"])`.\n\nDefault: simple response headers (`Cache-Control`, `Content-Language`, `Content-Type`, `Expires`, `Last-Modified`, `Pragma`).\n\n##### `supportsCredentials`\n\nA boolean that indicates if cookie credentials can be transferred as part of a CORS request. Currently, only a few HTML5 elements can benefit from this setting.\n\nDefault: `false`.\n\n##### `maxAge`\n\nAn integer that indicates the maximum amount of time in seconds that a preflight request is kept in the client-side preflight result cache.\n\nDefault: not set.\n\n##### `endPreflightRequests`\n\nA boolean that indicates if CORS preflight requests should be automatically closed.\n\nDefault: `true`.\n\n\nFAQ\n---\n\n### Request returns `Origin X is not allowed by Access-Control-Allow-Origin`\n\nCheck if the `Origin` header of your request matches one of the origins provided in the `origins` property of the configuration object. If you didn't set any `origins` property, jump to the next question.\n\nIf that does not help, your request might use a non-simple method or one or more non-simple headers (see next question). According to the specification, the set of simple methods is `GET`, `HEAD`, and `POST`, and the set of simple request headers is `Accept`, `Accept-Language`, `Content-Language`, `Content-Type`, and `Last-Event-ID`. If your request uses **any** other method or header, you have to explicitly list them in the `methods` or `requestHeaders` property of the configuration object.\n\n#### Example\n\nYou want to allow requests that use an `X-Requested-With` header. Pass the following configuration object to `corser.create`:\n\n    corser.create({\n        requestHeaders: corser.simpleRequestHeaders.concat([\"X-Requested-With\"])\n    });\n\n\n### Request returns `Request header field Content-Type is not allowed by Access-Control-Allow-Headers`\n\nA default configuration will only work if the client sends a \"simple\" request, i.e., `GET`, `HEAD`, `POST` as method, and some headers such as `Accept`, `Accept-Language`, `Content-Language`, and `Content-Type`, etc. `Content-Type` has an important restriction: only `application/x-www-form-urlencoded`, `multipart/form-data`, and `text/plain` are allowed.\n\nTypically the `Content-Type` of an API will be `application/json`, and this is not allowed by default. `Content-Type` needs to be explicitly specified in the configuration object under the `requestHeaders` key:\n\n#### Example\n\n    corser.create({\n        requestHeaders: corser.simpleRequestHeaders.concat([\"Content-Type\"])\n    });\n\n\n### Getting a response header returns `Refused to get unsafe header \"X\"`\n\nYour browser blocks every non-simple response headers that was not explicitly allowed in the preflight request. The set of simple response headers is `Cache-Control`, `Content-Language`, `Content-Type`, `Expires`, `Last-Modified`, `Pragma`. If you want to access **any** other response header, you have to explicitly list them in the `responseHeaders` property of the configuration object.\n\n#### Example\n\nYou want to allow clients to read the `ETag` header of a response. Pass the following configuration object to `corser.create`:\n\n    corser.create({\n        responseHeaders: corser.simpleResponseHeaders.concat([\"ETag\"])\n    });\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fagrueneberg%2Fcorser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fagrueneberg%2Fcorser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fagrueneberg%2Fcorser/lists"}