Skip to content
Lunatic

CORS

cors is a middleware that implements CORS.

import { cors } from '@shelepuginivan/lunatic'


app.use(cors())


app.post('/', (req, res) => {
    res.status(200).json({ message: 'now CORS is supported!' })
})


app.listen(8000)

cors is a configurable middleware, meaning that it accepts options object:

import { cors, CorsOptions } from '@shelepuginivan/lunatic'


const corsOptions: CorsOptions = {
    origin: 'http://localhost:3000',
    credentials: true,
}


app.use(cors(corsOptions))


app.post('/', (req, res) => {
    res.status(200).json({ message: 'now CORS is supported!' })
})


app.listen(8000)

Configuration options

origin

Allowed request origins. The behavior depends on the type of the argument provided.

  • booleantrue enables CORS for all origins, false disables CORS
  • string — a specific origin, e.g. http://localhost:3000
  • RegExp — all origins that match against the given regular expression
  • string[] — all origins that are present in the list
  • RegExp[] — all origins that match against one of the given regular expressions
  • (origin: string) => boolean — a predicate function that reports whether origin is allowed

Default: "*" (enables CORS for all origins).

methods

Allowed request methods. The behavior depends on the type of the argument provided.

  • HttpMethod — specific HTTP method
  • HttpMethod[] — any of the HTTP method from the list

allowedHeaders

Allowed request headers. The behavior depends on the type of the argument provided.

  • string — a specific header
  • string[] - all headers that present in the list

credentials

Whether to allow credentials. Accepts a boolean.

Note that if origin is set to * (as by default), credentials won’t be included

exposedHeaders

Response headers that can be accessed in browser JavaScript. The behavior depends on the type of the argument provided.

  • string — a specific header
  • string[] - all headers that present in the list

maxAge

Configures Access-Control-Max-Age header. Accepts a number, which is a value in seconds.

corsErrorStatus

Response status if CORS is not allowed for this request. Accepts a number.

Default: 403

preflightSuccessStatus

Response status for preflight OPTIONS request. Accepts a number.

Default: 204