Skip to content

Instantly share code, notes, and snippets.

@cuppster
Created April 9, 2012 16:02
Show Gist options
  • Star 81 You must be signed in to star a gist
  • Fork 15 You must be signed in to fork a gist
  • Save cuppster/2344435 to your computer and use it in GitHub Desktop.
Save cuppster/2344435 to your computer and use it in GitHub Desktop.
express.js middleware to support CORS pre-flight requests
app.use(express.methodOverride());
// ## CORS middleware
//
// see: http://stackoverflow.com/questions/7067966/how-to-allow-cors-in-express-nodejs
var allowCrossDomain = function(req, res, next) {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
// intercept OPTIONS method
if ('OPTIONS' == req.method) {
res.send(200);
}
else {
next();
}
};
app.use(allowCrossDomain);
@skeggse
Copy link

skeggse commented Nov 20, 2013

A small note here: a select few versions of Android's native browser, including Gingerbread, will prepend the response body of the OPTIONS call to the response body of the actual call. By default, res.send will include the body 'OK', which causes problems when attempting to parse the body as JSON. To mitigate this issue, use res.send(200, ''), otherwise you'll end up trying to parse 'OK{}'.

@jcready
Copy link

jcready commented Dec 17, 2013

You should probably be using res.send(204). The 204 HTTP status indicates "No Content".

@dougwilson
Copy link

I would like to re-iterate what @mwawrusch says: please look at a module like corser and do not use this; this does not fully comply with the CORS specification, where-as a module like corser does (and less LoC for you to maintain in your app, at that).

@katrotz
Copy link

katrotz commented Dec 11, 2015

Don't forget about Access-Control-Allow-Credentials

@yousfiSaad
Copy link

Thank you !

@nicotroia
Copy link

nicotroia commented Sep 21, 2016

FYI for newer versions of Express, you will get a warning saying res.send is deprecated. Use res.sendStatus instead

@givehug
Copy link

givehug commented Jan 20, 2017

Thanks again ))

@nickredmark
Copy link

WARNING: be aware that for authenticated cors requests, Access-Control-Allow-Origin can't be a wildcard '*'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Credentialed_requests_and_wildcards

@Lonniebiz
Copy link

Works!

@michaelstievenart
Copy link

@Lonniebiz please share a snippet of how you solved it.

@JerryLeeCS
Copy link

Thank you so much!!!

@kaiferrall
Copy link

Thank you!!

@hygull
Copy link

hygull commented Sep 9, 2018

Great, it is helpful.

@isaquebc
Copy link

isaquebc commented Nov 20, 2018

Very good!

@Aubizzy
Copy link

Aubizzy commented Jun 17, 2020

This is Great stuff. it worked for me

@HarryLit
Copy link

Great, it works! Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment