{"id":20315796,"url":"https://github.com/flipeador/node-http-cors","last_synced_at":"2026-05-08T05:55:06.544Z","repository":{"id":157621908,"uuid":"594925705","full_name":"flipeador/node-http-cors","owner":"flipeador","description":"Node.js HTTP CORS middleware.","archived":false,"fork":false,"pushed_at":"2023-08-15T15:41:37.000Z","size":10,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-14T12:53:12.008Z","etag":null,"topics":["content-security-policy","cors","cross-origin-resource-sharing","cross-site-request-forgery","cross-site-scripting","express","javascript","middleware","nodejs","same-origin-policy"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/flipeador.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-30T02:27:18.000Z","updated_at":"2024-06-21T03:37:48.000Z","dependencies_parsed_at":null,"dependency_job_id":"1ea3a302-f58e-4a31-a833-368796e95adc","html_url":"https://github.com/flipeador/node-http-cors","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flipeador%2Fnode-http-cors","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flipeador%2Fnode-http-cors/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flipeador%2Fnode-http-cors/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flipeador%2Fnode-http-cors/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/flipeador","download_url":"https://codeload.github.com/flipeador/node-http-cors/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241818902,"owners_count":20025210,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["content-security-policy","cors","cross-origin-resource-sharing","cross-site-request-forgery","cross-site-scripting","express","javascript","middleware","nodejs","same-origin-policy"],"created_at":"2024-11-14T18:21:51.830Z","updated_at":"2025-12-02T08:03:35.995Z","avatar_url":"https://github.com/flipeador.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cross-Origin Resource Sharing\n\nSimplifies the handling of [Cross-origin Resource Sharing][cors] (CORS).\n\n### Features\n\n- Use [CORS][cors] as a middleware in [Express][express].\n- Set the [CORS][cors] headers of an HTTP response.\n- Configure [CORS][cors] not only for the entire server, but also for individual routes.\n\n\u003e [!NOTE]\n\u003e This is a lightweight alternative library to [cors][express-cors] with no dependencies.\n\n### Information\n\nThe [Same-Origin Policy][sop] (SOP) is a browser security mechanism that restricts some HTTP requests made between different origins.\nIt helps isolate potentially malicious documents and reducing possible attack vectors.\nTwo URLs are part of the same origin if they have the same scheme, host, and port.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/flipeador/node-http-cookies/assets/url.png\"/\u003e\n\u003c/p\u003e\n\nThe following interactions are not affected by [SOP][sop]: links, redirects, form submissions and HTML embedding.\n\nThe [CORS][cors] consists of a set of HTTP headers that indicates whether a request can be shared **cross-origin**.\n\n- A [CORS][cors] request includes the [`Origin`][origin-header] header, which indicates the [URI][uri] that caused the request.\n- The [`Origin`][origin-header] header is also included for all requests whose method is neither [`GET`][get] nor [`HEAD`][head].\n- The server must properly set the [`Access-Control-Allow-Origin`][acc-ctrl-a-origin] header.\n- A response to a [CORS][cors] request can use any [status][status] code.\n\nA [preflight request][prefreq] is a \"light\" HTTP request using the [`OPTIONS`][options] method that checks to see if the [CORS protocol][cors-protocol] is understood in order to determine if the actual request is safe to send, this also helps to prevent the server from unnecessarily performing actions from untrusted origins.\n\n- A [preflight request][prefreq] also includes the [`Access-Control-Request-Method`][acc-ctrl-r-method] header, which indicates the HTTP method that will be used when the actual request is made.\n- The server must properly set the [`Access-Control-Allow-Methods`][acc-ctrl-a-methods] and [`Access-Control-Allow-Headers`][acc-ctrl-a-headers] headers, and optionally the [`Access-Control-Max-Age`][acc-ctrl-max-age] header.\n- A response to a [preflight request][prefreq] request is restricted to an [ok status][ok] (typically `200`).\n- For a [preflight request][prefreq], [credentials mode][fetch-params] is always **same-origin** (it excludes credentials), but for any subsequent [CORS][cors] requests it might not be. Support therefore needs to be indicated as part of the HTTP response to the [preflight request][prefreq] as well.\n\nRequests that meet all of the following conditions do not trigger a [preflight request][prefreq]:\n\n- One of the allowed methods: [`GET`][get], [`HEAD`][head] or [`POST`][post].\n- The request contains headers automatically set by the [user agent][user-agent], [forbidden headers][forbidden-headers] and [CORS-safelisted headers][safe-headers].\n- The [Content-Type][content-type] header can contain one of the following values: `text/plain`, `application/x-www-form-urlencoded` or `multipart/form-data`.\n- No event listeners are registered on any [`XMLHttpRequestUpload`][xmlhttpreq] object.\n- No [ReadableStream][rstream] object is used in the request.\n\n\u003e [!NOTE]\n\u003e If the [user agent][user-agent] does not trigger a [preflight request][prefreq] (i.e. the request meets the criteria for a simple request), the server will not have the possibility to block the **actual request** beforehand, which will cause the request to be processed normally, although the response will be blocked by the browser if it does not satisfy the [CORS][cors].\n\nThe [`Access-Control-Expose-Headers`][acc-ctrl-e-headers] and [`Access-Control-Allow-Credentials`][acc-ctrl-a-credentials] headers can also be included in both types of requests.\n\nThe [`Access-Control-Allow-Credentials`][acc-ctrl-a-credentials] header works in conjunction with the [credentials mode][fetch-params] of the [Fetch API][fetch-api].\n\n- Tells browsers whether to expose the response to the frontend JavaScript code.\n- In a [preflight request][prefreq], indicates whether the **actual request** can be made using credentials.\n\n\u003e [!NOTE]\n\u003e - Credentials are cookies, authorization headers, or TLS client certificates.\n\u003e - Credentials are used when the [user agent][user-agent] should send or receive them in cross-origin requests.\n\u003e - By default, credentials are sent if the request is on the same origin as the calling script.\n\u003e - Some cookies may still be sent if the request is same-site, regardless of whether it is cross-origin or not.\n\n```js\n// Using Fetch with credentials.\nawait fetch('http://example.com/', {\n    credentials: 'include'\n});\n```\n\n\u003e [!WARNING]\n\u003e Sharing responses and allowing requests with credentials is rather unsafe, and extreme care has to be taken to avoid the [confused deputy problem][confused-deputy]. See [CORS protocol and credentials][cors-prot-cred].\n\nIn addition to [CORS][cors], the HTTP [Content Security Policy][csp] (CSP) response header extends an additional level of resource-level security to a website by preventing content from another source from being loaded. This helps guard against [Cross-site Scripting][xss] (XSS) attacks.\n\nFurther reading:\n\n- \u003chttps://github.com/flipeador/node-http-cookies\u003e\n- \u003chttps://jub0bs.com/posts/2021-01-29-great-samesite-confusion\u003e\n- \u003chttps://jub0bs.com/posts/2022-08-04-scraping-the-bottom-of-the-cors-barrel-part1\u003e\n\n## Installation\n\n```\nnpm i flipeador/node-http-cors#semver:^1.0.0\n```\n\n## Examples\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch4\u003eExpress\u003c/h4\u003e\u003c/summary\u003e\n\n```js\nimport express from 'express';\nimport cors from '@flipeador/node-http-cors';\n\nconst app = express();\n\napp.use(cors({\n    // Indicates the allowed origins.\n    // The wildcard (*) cannot be used with credentials.\n    origin: [\n        /^https?:\\/\\/localhost:\\d+/u,\n        /^https?:\\/\\/192.168.\\d+.\\d+:\\d+/u,\n        'https://www.example.com'\n    ],\n    // Allows cross-origin credentials.\n    // await fetch(..., { credentials: 'include' });\n    credentials: true\n}));\napp.use(express.json());\n\napp.listen(8080, () =\u003e {\n    console.log('Server is running!');\n});\n```\n\n\u003c/details\u003e\n\n## License\n\nThis project is licensed under the **Apache License 2.0**. See the [license file](LICENSE) for details.\n\n\u003c!-- REFERENCE LINKS --\u003e\n[express]: https://github.com/expressjs/express\n[express-cors]: https://github.com/expressjs/cors\n\n[cors]: https://developer.mozilla.org/docs/Web/HTTP/CORS \"Cross-Origin Resource Sharing\"\n[sop]: https://developer.mozilla.org/docs/Web/Security/Same-origin_policy \"Same-origin Policy\"\n[csp]: https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy \"Content Security Policy\"\n[xss]: https://developer.mozilla.org/docs/Glossary/Cross-site_scripting \"Cross-site Scripting\"\n\n[cors-prot-cred]: https://fetch.spec.whatwg.org/#cors-protocol-and-credentials \"Fetch spec CORS protocol and credentials\"\n[cors-protocol]: https://fetch.spec.whatwg.org/#cors-protocol \"CORS Protocol\"\n[forbidden-headers]: https://fetch.spec.whatwg.org/#forbidden-header-name \"Fetch spec Forbidden header name\"\n[safe-headers]: https://fetch.spec.whatwg.org/#cors-safelisted-request-header \"Fetch spec CORS-safelisted request-header\"\n[prefreq]: https://developer.mozilla.org/docs/Glossary/Preflight_request \"Preflight Request\"\n[origin-header]: https://developer.mozilla.org/docs/Web/HTTP/Headers/Origin \"HTTP Origin Header\"\n\n[acc-ctrl-a-origin]: https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Allow-Origin\n[acc-ctrl-e-headers]: https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Expose-Headers\n[acc-ctrl-a-credentials]: https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials\n[acc-ctrl-a-methods]: https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Allow-Methods\n[acc-ctrl-a-headers]: https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Allow-Headers\n[acc-ctrl-r-method]: https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Request-Method\n[acc-ctrl-max-age]: https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Max-Age\n[status]: https://developer.mozilla.org/docs/Web/HTTP/Status \"HTTP Status Codes\"\n[ok]: https://developer.mozilla.org/docs/Web/HTTP/Status#successful_responses \"HTTP Status Codes (successful responses)\"\n[fetch-api]: https://developer.mozilla.org/es/docs/Web/API/Fetch_API \"Fetch Api\"\n[fetch-params]: https://developer.mozilla.org/docs/Web/API/fetch#parameters \"fetch() parameters\"\n[uri]: https://en.wikipedia.org/wiki/Uniform_Resource_Identifier \"Uniform Resource Identifier\"\n[options]: https://developer.mozilla.org/docs/Web/HTTP/Methods/OPTIONS \"HTTP OPTIONS Method\"\n[head]: https://developer.mozilla.org/docs/Web/HTTP/Methods/HEAD \"HTTP HEAD Method\"\n[get]: https://developer.mozilla.org/docs/Web/HTTP/Methods/GET \"HTTP GET Method\"\n[post]: https://developer.mozilla.org/docs/Web/HTTP/Methods/POST \"HTTP POST Method\"\n[rstream]: https://developer.mozilla.org/docs/Web/API/ReadableStream\n[flipeador-cookies]: https://github.com/flipeador/node-http-cookies \"@flipeador/node-http-cookies\"\n[confused-deputy]: https://en.wikipedia.org/wiki/Confused_deputy_problem \"Confused Deputy Problem\"\n[user-agent]: https://developer.mozilla.org/docs/Glossary/User_agent\n[content-type]: https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Type \"HTTP Content-Type Header\"\n[xmlhttpreq]: https://developer.mozilla.org/docs/Web/API/XMLHttpRequest\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflipeador%2Fnode-http-cors","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflipeador%2Fnode-http-cors","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflipeador%2Fnode-http-cors/lists"}