{"id":28398391,"url":"https://github.com/primus/access-control","last_synced_at":"2025-06-28T14:31:10.489Z","repository":{"id":14850577,"uuid":"17573703","full_name":"primus/access-control","owner":"primus","description":"Easily handle HTTP Access Control (CORS) in your applications","archived":false,"fork":false,"pushed_at":"2022-12-31T20:15:13.000Z","size":63,"stargazers_count":33,"open_issues_count":0,"forks_count":7,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-06-18T10:53:42.577Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/primus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-03-09T21:05:24.000Z","updated_at":"2023-03-03T12:03:48.000Z","dependencies_parsed_at":"2023-01-13T18:09:16.774Z","dependency_job_id":null,"html_url":"https://github.com/primus/access-control","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/primus/access-control","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/primus%2Faccess-control","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/primus%2Faccess-control/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/primus%2Faccess-control/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/primus%2Faccess-control/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/primus","download_url":"https://codeload.github.com/primus/access-control/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/primus%2Faccess-control/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260749870,"owners_count":23056843,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-01T04:38:35.843Z","updated_at":"2025-06-28T14:31:10.484Z","avatar_url":"https://github.com/primus.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# HTTP Access-Control (CORS)\n\n[![Version npm](https://img.shields.io/npm/v/access-control.svg?style=flat-square)](https://www.npmjs.com/package/access-control)[![CI](https://img.shields.io/github/actions/workflow/status/primus/access-control/ci.yml?branch=master\u0026label=CI\u0026style=flat-square)](https://github.com/primus/access-control/actions?query=workflow%3ACI+branch%3Amaster)[![Coverage Status](http://img.shields.io/coveralls/primus/access-control/master.svg?style=flat-square)](https://coveralls.io/r/primus/access-control?branch=master)\n\n`access-control` implements HTTP Access Control, which more commonly known as\nCORS according to the W3 specification. The code is dead simple, easy to\nunderstand and therefor also easy to contribute to. `access-control` comes with\na really simple API, so it's super simple, super awesome, super stable. All you\nexpect from a small building block module as this.\n\n## Installation\n\n```\nnpm install --save access-control\n```\n\n## Usage\n\nThe module must first be configured before it can be used to add the correct\nCORS information to your HTTP requests. This is done by suppling the module with\noptions.\n\n```js\n'use strict';\n\nvar access = require('access-control');\n```\n\nAfter requiring the module you can supply the returned function with an options\nobject which can contain the following properties:\n\n\u003cdl\u003e\n  \u003cdt\u003eorigins\u003c/dt\u003e\n  \u003cdd\u003e\n    An Array or comma separated list of origins that are allowed to access the\n    URL. If this option is not supplied it will default to \u003ccode\u003e*\u003c/code\u003e which\n    will allow every origin.\n  \u003c/dd\u003e\n  \u003cdt\u003emethods\u003c/dt\u003e\n  \u003cdd\u003e\n    An Array or comma separated list of HTTP methods that can be used to access\n    the URL. This defaults to GET, HEAD, PUT, POST, DELETE and OPTIONS.\n  \u003c/dd\u003e\n  \u003cdt\u003ecredentials\u003c/dt\u003e\n  \u003cdd\u003e\n    Allow sending of authorization and cookie information in the request. If\n    this option is set to \u003ccode\u003etrue\u003c/code\u003e (which is also the default value) in\n    combination with the \u003ccode\u003eorigins\u003c/code\u003e option to set to \u003ccode\u003e*\u003c/code\u003e we\n    will automatically change the \u003ccode\u003eAccess-Control-Allow-Origin\u003c/code\u003e\n    header to the sent \u003ccode\u003eOrigin\u003c/code\u003e header. As \u003ccode\u003e*\u003c/code\u003e as origin\n    in combination with \u003ccode\u003etrue\u003c/code\u003e as value is not allowed by the\n    specification.\n  \u003c/dd\u003e\n  \u003cdt\u003emaxAge\u003c/dt\u003e\n  \u003cdd\u003e\n    The maximum duration that a client can cache the response of the preflight\n    or \u003ccode\u003eOPTIONS\u003c/code\u003e request. The value can be set in numbers or a human\n    readable string which we will parse with the \u003cstrong\u003ems\u003c/strong\u003e module. We\n    default to 30 days.\n  \u003c/dd\u003e\n  \u003cdt\u003eheaders\u003c/dt\u003e\n  \u003cdd\u003e\n    An Array or comma separated list of headers that is allowed to be sent to\n    the server. This option is disabled by default.\n  \u003c/dd\u003e\n  \u003cdt\u003eexposed\u003c/dt\u003e\n  \u003cdd\u003e\n    An Array or comma separated list of headers that is exposed to the client\n    that makes the request. This option is disabled by default.\n  \u003c/dd\u003e\n\u003c/dl\u003e\n\n```js\nvar cors = access({\n  maxAge: '1 hour',\n  credentials: true,\n  origins: 'http://example.com'\n});\n```\n\nNow the `cors` variable contains a function that should receive your `request`\nand `response`. So it's as easy as:\n\n```js\nvar http = require('http').createServer(function (req, res) {\n  if (cors(req, res)) return;\n\n  res.end('hello world');\n}).listen(8080);\n```\n\nYou might have noticed that we've added an if statement around our `cors`\nfunction call. This is because the module will be answering the preflight\nrequest for you. So when it returns the **boolean** `true` you don't have to\nrespond the request any more. In addition to the answering the option request is\nalso answer the requests with a `403 Forbidden` when the validation of the\nAccess Control is failing.\n\nIn order to not waste to much bandwidth, the CORS headers will only be added if\nthe request contains an `Origin` header, which should be sent by every request\nthat requires HTTP Access Control information.\n\n## middleware\n\nThe library has build-in support for express based middleware (req, res, next).\nIn fact, it's build in to the returned function so all you need to do is:\n\n```js\nvar app = express();\n\napp.use(require('access-control')({ /* options here */ }));\n```\n\nAnd you have CORS handling enabled on your express instance. It's that easy.\n\n## Phonegap \u0026 Origin: null\n\nIf you're using Phonegap, your XHR requests will be sent with `Origin: null` as\nOrigin header. In order to resolve this you must add the domain you are\nrequesting to your origin white list:\n\nhttp://docs.phonegap.com/en/1.9.0/guide_whitelist_index.md.html\n\nThis will ensure that the correct headers will be used for these cross\ndomain/origin requests.\n\n## Related reading\n\nIf you're interested in learning more about HTTP Access Control (CORS) here's a\ngood list to get started with:\n\n- [W3C's CORS Spec](http://www.w3.org/TR/cors/)\n- [HTML5 Rocks CORS Tutorial](http://www.html5rocks.com/en/tutorials/cors/)\n- [Mozilla's HTTP access control (CORS)](https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS)\n- [Mozilla's Server-Side Access Control](https://developer.mozilla.org/en-US/docs/Server-Side_Access_Control)\n- [Enable CORS](http://enable-cors.org)\n- [Same origin policy](http://en.wikipedia.org/wiki/Same_origin_policy)\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprimus%2Faccess-control","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprimus%2Faccess-control","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprimus%2Faccess-control/lists"}