express.js middleware to support CORS pre-flight requests
app.use(express.methodOverride());

// ## CORS middleware
//
// see: http://stackoverflow.com/questions/7067966/how-to-allow-cors-in-express-nodejs
var allowCrossDomain = function(req, res, next) {
    res.header('Access-Control-Allow-Origin', '*');
    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
    res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');

    // intercept OPTIONS method
    if ('OPTIONS' == req.method) {
        res.send(200);
    }
    else {
        next();
    }
};

app.use(allowCrossDomain);

xjamundx commented Jul 2, 2012

Cool stuff with the 'OPTIONS' hack

mwawrusch commented Jan 4, 2013

You might want to look at https://github.com/agrueneberg/Corser

skeggse commented Nov 20, 2013

A small note here: a select few versions of Android's native browser, including Gingerbread, will prepend the response body of the OPTIONS call to the response body of the actual call. By default, res.send will include the body 'OK', which causes problems when attempting to parse the body as JSON. To mitigate this issue, use res.send(200, ''), otherwise you'll end up trying to parse 'OK{}'.

jcready commented Dec 17, 2013

You should probably be using res.send(204). The 204 HTTP status indicates "No Content".

dougwilson commented Feb 16, 2015

I would like to re-iterate what @mwawrusch says: please look at a module like corser and do not use this; this does not fully comply with the CORS specification, whereas a module like corser does (and less LoC for you to maintain in your app, at that).

katrotz commented Dec 11, 2015

Don't forget about Access-Control-Allow-Credentials

yousfiSaad commented Feb 4, 2016

Thank you !

nicotroia commented Sep 21, 2016

FYI, for newer versions of Express, you will get a warning saying res.send is deprecated. Use res.sendStatus instead.

givehug commented Jan 20, 2017

Thanks again ))

nickredmark commented Feb 12, 2017

WARNING: be aware that for authenticated CORS requests, Access-Control-Allow-Origin can't be a wildcard '*'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Credentialed_requests_and_wildcards
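
The points raised in the comments above (no wildcard with credentials, Access-Control-Allow-Credentials, a 204 preflight reply with an empty body) combined in one middleware, as an added example that is not part of the gist or of any commenter's code. The names corsAllowlist, simulate and ALLOWED_ORIGINS and the origin https://app.example.com are assumptions made for illustration; the middleware uses only the Node response methods that Express responses inherit.

```javascript
// Added example, not from the gist: allowlist-based CORS for credentialed requests.
// ALLOWED_ORIGINS holds a constructed placeholder origin.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

function corsAllowlist(allowed) {
  return function (req, res, next) {
    const origin = req.headers.origin;
    // The response now depends on Origin, so shared caches must key on it.
    res.setHeader('Vary', 'Origin');
    const trusted = Boolean(origin) && allowed.has(origin);
    if (trusted) {
      // Echo the exact allowlisted origin: browsers reject '*' on
      // credentialed requests, and reflecting any origin would trust everyone.
      res.setHeader('Access-Control-Allow-Origin', origin);
      res.setHeader('Access-Control-Allow-Credentials', 'true');
    }
    // A preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method.
    const isPreflight = req.method === 'OPTIONS' && Boolean(origin) &&
      Boolean(req.headers['access-control-request-method']);
    if (!isPreflight) return next();
    if (trusted) {
      res.setHeader('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
    }
    // 204 with no body: nothing for a client to prepend to the real response.
    res.statusCode = 204;
    res.end();
  };
}

// Offline harness (constructed): drives the middleware with a stub request and
// response and returns what a client would have received.
function simulate(mw, method, headers) {
  const out = { status: 200, headers: {}, body: null, passed: false };
  const res = {
    setHeader(k, v) { out.headers[k.toLowerCase()] = v; },
    set statusCode(c) { out.status = c; },
    end(chunk) { out.body = chunk || ''; },
  };
  mw({ method, headers }, res, () => { out.passed = true; });
  return out;
}
```

In an Express app this would be mounted with app.use(corsAllowlist(ALLOWED_ORIGINS)); an origin outside the set receives no Access-Control-* headers, so the browser fails the preflight or blocks the page from reading the response.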

Lonniebiz commented Jun 11, 2018

Works!

michaelstievenart commented Jul 12, 2018

@Lonniebiz please share a snippet of how you solved it.

JerryLeeCS commented Aug 1, 2018

Thank you so much!!!

kaiferrall commented Aug 18, 2018

Thank you!!

hygull commented Sep 9, 2018

Great, it is helpful.

isaquebc commented Nov 20, 2018

Very good!

Aubizzy commented Jun 17, 2020

This is great stuff. It worked for me.

HarryLit commented Sep 28, 2021

Great, it works! Thank you.
