Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/batterii/cors

Wrapper around koa cors
https://github.com/batterii/cors

Last synced: about 1 month ago
JSON representation

Wrapper around koa cors

Host: GitHub
URL: https://github.com/batterii/cors
Owner: Batterii
Created: 2020-01-07T16:28:53.000Z (almost 5 years ago)
Default Branch: master
Last Pushed: 2022-12-30T19:25:59.000Z (almost 2 years ago)
Last Synced: 2024-10-14T01:41:05.692Z (about 1 month ago)
Language: TypeScript
Size: 1.34 MB
Stars: 0
Watchers: 2
Forks: 0
Open Issues: 13
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# @batterii/cors
This module is a wrapper around [@koa/cors][1] which adds additional features
needed by Batterii.

## Rationale
We should consider opening up PR's for these features on `@koa/cors` in the
future. The GitHub repo for `@koa/cors`, however, has several stagnant pull
requests-- including a minor bug fix of my own-- so we can't really depend on
the maintainers to respond promptly to our requests. For now it's quicker to
just put them here.

## Convenience `origin` Options.
For now, the only features added by this wrapper is better typings, and support
for arrays and regexp patterns in the `origin` option.

### Array Origins
Instead of specifying a single origin to allow, you can specify an array of
them like so:

```ts
import { cors } from '@batterii/cors';

koa.use(cors({
origin: [ 'https://my-host.com', 'https://my-other-host.com' ],
}));
```

This will allow cross-origin requests from pages served at either of the above
origins.

### Regex Origins
You can also sepcify your allowed origins as a regex pattern like so:

```js
import { cors } from '@batterii/cors';

koa.use(cors({
origin: /^https?:\/\/localhost(?::\d+)?\/?$/
}));
```

This will allow cross-origin requests from pages served over both HTTP and HTTPS
from `localhost`, regardless of port number.

#### IMPORTANT NOTE ABOUT REGEX ORIGINS
If you are using a regex origin option in production, you should be very careful
with the regex you use. This regex will almost certainly need to be executed
with every single request to your server, and while regular browser users can't
change their Origin headers, there is nothing stopping an attacker using some
other client program to specify whatever Origin header they like.

This is a wide-open vector for [ReDoS][2] attacks that could easily take down
your whole API service. Therefore, to use this option safely in production, you
need to be absolutely certain that your regex is not vulnerable. You can do this
by following the guidelines described in the linked OWASP article, *or* you can
play on the safe side and only use regex origins for development (the localhost
example above) while explicitly specifying all of your production origins using
an array, as described above.

[1]: https://www.npmjs.com/package/@koa/cors
[2]: https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS