CORS Basics

Cross-Origin Resource Sharing configuration and headers.

CORS Headers

# Allow origin (send exactly one value: a single origin, or * for any origin)
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Origin: *

# Allow methods
Access-Control-Allow-Methods: GET, POST, PUT, DELETE

# Allow headers
Access-Control-Allow-Headers: Content-Type, Authorization

# Allow credentials (needs a specific origin; browsers reject credentialed responses that use *)
Access-Control-Allow-Credentials: true

Preflight Request

# Browser sends OPTIONS
OPTIONS /api/data
Origin: https://frontend.com
Access-Control-Request-Method: POST

# Server responds
Access-Control-Allow-Origin: https://frontend.com
Access-Control-Allow-Methods: POST
Access-Control-Max-Age: 86400

Express.js CORS

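// Using cors middleware
const express = require("express");
const cors = require("cors");

const app = express();

// Default options: every origin is allowed (Access-Control-Allow-Origin: *)
app.use(cors());

// Specific origin with credentials (use this instead of the call above)
app.use(cors({
    origin: "https://example.com",
    credentials: true
}));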

Manual CORS Headers

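// Node.js (built-in http module)
const http = require("http");

const server = http.createServer((req, res) => {
    res.setHeader("Access-Control-Allow-Origin", "*");
    res.setHeader("Access-Control-Allow-Methods", "GET, POST");

    // Handle preflight: answer with no body and stop processing the request
    if (req.method === "OPTIONS") {
        res.statusCode = 204;
        res.end();
        return;
    }
    // ... handle the actual request here
});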
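
The manual headers above use a wildcard, which cannot be combined with Access-Control-Allow-Credentials: true. The following is an added example (not part of the original page) of a manual handler that echoes the Origin only on an exact allowlist match, sets Vary: Origin, and validates the preflight. The names applyCors, fakeRes and ALLOWED_ORIGINS and the listed origins are assumptions chosen for illustration.

```javascript
// Added example: allowlist-based CORS for a plain Node.js request handler.
// ALLOWED_* values are sample configuration, not taken from any real deployment.
const ALLOWED_ORIGINS = new Set(["https://example.com", "https://frontend.com"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Returns true when the request was a preflight and has been fully answered.
function applyCors(req, res) {
    const origin = req.headers.origin;
    const wantedMethod = req.headers["access-control-request-method"];
    const isPreflight = req.method === "OPTIONS" && wantedMethod !== undefined;

    // The response depends on Origin, so shared caches must key on it.
    res.setHeader("Vary", "Origin");

    // Exact-match allowlist: no wildcard, no substring or suffix matching.
    if (!origin || !ALLOWED_ORIGINS.has(origin)) {
        if (isPreflight) { res.statusCode = 403; res.end(); }
        return isPreflight;
    }
    res.setHeader("Access-Control-Allow-Origin", origin);
    res.setHeader("Access-Control-Allow-Credentials", "true");
    if (!isPreflight) return false; // caller continues with the real request

    // Preflight: approve only methods and headers the API actually accepts.
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
        .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantedMethod) &&
        wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (ok) {
        res.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS.join(", "));
        res.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS.join(", "));
        res.setHeader("Access-Control-Max-Age", "86400");
    }
    res.statusCode = ok ? 204 : 403;
    res.end();
    return true;
}

// Constructed stand-in for http.ServerResponse, to exercise applyCors offline.
function fakeRes() {
    const headers = {};
    return {
        headers, statusCode: 200, ended: false,
        setHeader(name, value) { headers[name.toLowerCase()] = value; },
        end() { this.ended = true; },
    };
}
```

In a real server, call applyCors(req, res) first in the handler and return immediately when it yields true.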