@cuppster
Created April 9, 2012 16:02
express.js middleware to support CORS pre-flight requests
```javascript
app.use(express.methodOverride());

// ## CORS middleware
//
// see: http://stackoverflow.com/questions/7067966/how-to-allow-cors-in-express-nodejs
var allowCrossDomain = function(req, res, next) {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
  res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');

  // intercept OPTIONS method
  if ('OPTIONS' == req.method) {
    res.send(200);
  }
  else {
    next();
  }
};
app.use(allowCrossDomain);
```
@xjamundx

xjamundx commented Jul 2, 2012

Cool stuff with the 'OPTIONS' hack

@mwawrusch

You might want to look at https://github.com/agrueneberg/Corser

@skeggse

skeggse commented Nov 20, 2013

A small note here: a select few versions of Android's native browser, including Gingerbread, will prepend the response body of the OPTIONS call to the response body of the actual call. By default, res.send will include the body 'OK', which causes problems when attempting to parse the body as JSON. To mitigate this issue, use res.send(200, ''), otherwise you'll end up trying to parse 'OK{}'.

@jcready

jcready commented Dec 17, 2013

You should probably be using res.send(204). The 204 HTTP status indicates "No Content".

@dougwilson

I would like to reiterate what @mwawrusch says: please look at a module like corser and do not use this; this does not fully comply with the CORS specification, whereas a module like corser does (and less LoC for you to maintain in your app, at that).

@katrotz

katrotz commented Dec 11, 2015

Don't forget about Access-Control-Allow-Credentials

@yousfiSaad

Thank you!

@nicotroia

nicotroia commented Sep 21, 2016

FYI for newer versions of Express, you will get a warning saying res.send is deprecated. Use res.sendStatus instead.

@givehug

givehug commented Jan 20, 2017

Thanks again ))

@nickredmark

WARNING: be aware that for authenticated CORS requests, Access-Control-Allow-Origin can't be a wildcard '*'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Credentialed_requests_and_wildcards
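
Added example, not part of the gist or of any commenter's code: a variant of the middleware that folds in the points raised in the comments above (204 with an empty body for the preflight, Access-Control-Allow-Credentials, no wildcard origin on credentialed requests) by echoing the Origin only when it is on an allowlist. `makeCors`, `ALLOWED_ORIGINS` and the example.com origins are assumptions; the code uses only Node's `res.setHeader`, `res.statusCode` and `res.end`, which Express responses inherit.

```javascript
// Added example (not the gist's code). makeCors, ALLOWED_ORIGINS and the
// example.com origins are hypothetical; mount with app.use(makeCors(ALLOWED_ORIGINS)).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

function makeCors(allowedOrigins) {
  return function cors(req, res, next) {
    const origin = req.headers.origin;
    // A preflight is an OPTIONS request carrying Origin and
    // Access-Control-Request-Method; any other OPTIONS is an ordinary request.
    const isPreflight = req.method === 'OPTIONS' && Boolean(origin) &&
      Boolean(req.headers['access-control-request-method']);

    // The headers below depend on Origin, so caches must key on it.
    res.setHeader('Vary', 'Origin');

    if (!origin || !allowedOrigins.has(origin)) {
      // Unknown origin: send no CORS headers, so the browser refuses to
      // expose the response to the calling script.
      if (isPreflight) {
        res.statusCode = 403;
        return res.end(); // empty body
      }
      return next();
    }

    // Echo the exact allowed origin; '*' is rejected by browsers when the
    // request carries credentials.
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Credentials', 'true');

    if (isPreflight) {
      res.setHeader('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
      res.statusCode = 204; // No Content
      return res.end();     // no body to be prepended to a later response
    }
    return next();
  };
}
```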

@Lonniebiz

Works!

@michaelstievenart

@Lonniebiz please share a snippet of how you solved it.

@JerryLeeCS

Thank you so much!!!

@kaiferrall

Thank you!!

@hygull

hygull commented Sep 9, 2018

Great, it is helpful.

@isaquebc

isaquebc commented Nov 20, 2018

Very good!

@Aubizzy

Aubizzy commented Jun 17, 2020

This is great stuff. It worked for me.

@HarryLit

Great, it works! Thank you.
