Installation
npm install cors

Developer Guide
TypeScript: No
Module System: CommonJS
Min. Node Version: >= 0.10
Node Version: 8.12.0
NPM Version: 6.4.1

Score: 98.6
Supply Chain: 99.5
Quality: 79.4
Maintenance: 100
Vulnerability: 100

Languages: JavaScript (100%)
Developer: expressjs
Download Statistics
Total Downloads: 2,200,523,313
Last Day: 557,189
Last Week: 12,658,568
Last Month: 54,058,547
Last Year: 607,473,355
GitHub Statistics
Stars: 6,076
Commits: 324
Forks: 471
Watching: 85
Branches: 2
Contributors: 72
Bundle Size
Minified: 4.32 kB
Minified + Gzipped: 1.78 kB
Package Meta Information
Latest Version: 2.8.5
Package Id: cors@2.8.5
Size: 6.03 kB
NPM Version: 6.4.1
Node Version: 8.12.0
Published On: 04 Nov 2018
Download Trend (compared to the previous period)
Total downloads (cumulative): 2,200,523,313
Last day: 557,189 (-8.4% vs. previous day)
Last week: 12,658,568 (-4.9% vs. previous week)
Last month: 54,058,547 (-6.6% vs. previous month)
Last year: 607,473,355 (+17.3% vs. previous year)
cors
CORS is a node.js package for providing a Connect/Express middleware that can be used to enable CORS with various options.
Follow me (@troygoode) on Twitter!
Installation
This is a Node.js module available through the npm registry. Installation is done using the `npm install` command:

```sh
$ npm install cors
```
Usage
Simple Usage (Enable All CORS Requests)
```js
var express = require('express')
var cors = require('cors')
var app = express()

app.use(cors())

app.get('/products/:id', function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for all origins!'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})
```
Enable CORS for a Single Route
```js
var express = require('express')
var cors = require('cors')
var app = express()

app.get('/products/:id', cors(), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for a Single Route'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})
```
Configuring CORS
```js
var express = require('express')
var cors = require('cors')
var app = express()

var corsOptions = {
  origin: 'http://example.com',
  optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204
}

app.get('/products/:id', cors(corsOptions), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for only example.com.'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})
```
Configuring CORS w/ Dynamic Origin
```js
var express = require('express')
var cors = require('cors')
var app = express()

var whitelist = ['http://example1.com', 'http://example2.com']
var corsOptions = {
  origin: function (origin, callback) {
    if (whitelist.indexOf(origin) !== -1) {
      callback(null, true)
    } else {
      callback(new Error('Not allowed by CORS'))
    }
  }
}

app.get('/products/:id', cors(corsOptions), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for a whitelisted domain.'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})
```
If you do not want to block REST tools or server-to-server requests, add a `!origin` check in the origin function like so:

```js
var corsOptions = {
  origin: function (origin, callback) {
    if (whitelist.indexOf(origin) !== -1 || !origin) {
      callback(null, true)
    } else {
      callback(new Error('Not allowed by CORS'))
    }
  }
}
```

Requests without an Origin header are not only those from tools: browsers omit it on same-origin GET and HEAD requests as well. Allowing a missing origin does not give any web page cross-origin read access, because CORS is enforced by the browser, so treat the `!origin` branch as a convenience for non-browser clients rather than as a security control.
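The following is an added example, not code from the cors project or its README: it builds the `origin` function that `cors(corsOptions)` accepts from an exact-match allowlist plus an anchored pattern for subdomains, makes the missing-Origin decision explicit, and puts the README's unanchored `/example\.com$/` pattern next to an anchored one so the difference is visible on real origin strings. All hostnames and the `isAllowedOrigin`/`makeOriginCallback` helpers are this example's own assumptions.

```javascript
// Added example (not the cors project's code). Hostnames are hypothetical.

// Exact matches. An origin is scheme://host[:port], so compare whole strings
// rather than substrings.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// The README's RegExp example, unanchored: it matches any origin string that
// ENDS with "example.com", including "https://notexample.com".
const NAIVE_PATTERN = /example\.com$/;

// Anchored: the scheme is fixed and the host must be example.com itself or a
// subdomain of it (a dot must precede "example.com").
const STRICT_PATTERN = /^https:\/\/([a-z0-9-]+\.)*example\.com$/i;

// Pure decision function so the policy can be unit-tested without Express.
function isAllowedOrigin(origin, { pattern = STRICT_PATTERN, allowMissingOrigin = false } = {}) {
  if (origin === undefined || origin === null || origin === '') {
    // No Origin header: curl, server-to-server calls, or a same-origin GET.
    // Allowing it does not let a web page read cross-origin responses (only
    // the browser enforces CORS), but the choice is made explicitly here.
    return allowMissingOrigin;
  }
  return ALLOWED_ORIGINS.has(origin) || pattern.test(origin);
}

// The shape cors() expects for `origin`: (origin, callback) with callback(err, allow).
function makeOriginCallback(policy = {}) {
  return function (origin, callback) {
    if (isAllowedOrigin(origin, policy)) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  };
}

// Drives the callback synchronously and reports the outcome as a string.
function decide(originFn, origin) {
  let outcome = 'pending';
  originFn(origin, (err, allow) => {
    outcome = err ? 'deny' : allow ? 'allow' : 'deny';
  });
  return outcome;
}

// The same Origin value evaluated under the naive and the strict pattern.
function compare(origin) {
  return {
    origin,
    naive: isAllowedOrigin(origin, { pattern: NAIVE_PATTERN }),
    strict: isAllowedOrigin(origin),
  };
}

const SAMPLE_ORIGINS = [
  'https://app.example.com',
  'https://api.example.com',
  'https://notexample.com',            // naive pattern lets this through
  'https://example.com.attacker.test', // neither pattern matches
  'http://example.com',                // wrong scheme: naive yes, strict no
];
for (const o of SAMPLE_ORIGINS) {
  console.log(compare(o));
}
console.log('missing Origin, default policy:', decide(makeOriginCallback(), undefined));
console.log('missing Origin, allowMissingOrigin:', decide(makeOriginCallback({ allowMissingOrigin: true }), undefined));
```

Plug `makeOriginCallback({ allowMissingOrigin: true })` in as `corsOptions.origin` to get the README's `!origin` behaviour with an allowlist that cannot be bypassed by a look-alike domain.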
Enabling CORS Pre-Flight
Certain CORS requests are considered 'complex' and require an initial OPTIONS request (called the "pre-flight request"). An example of a 'complex' CORS request is one that uses an HTTP verb other than GET/HEAD/POST (such as DELETE) or that uses custom headers; a POST whose Content-Type is anything other than application/x-www-form-urlencoded, multipart/form-data or text/plain (for instance application/json) is also pre-flighted. To enable pre-flighting, you must add a new OPTIONS handler for the route you want to support:

```js
var express = require('express')
var cors = require('cors')
var app = express()

app.options('/products/:id', cors()) // enable pre-flight request for DELETE request
app.delete('/products/:id', cors(), function (req, res, next) { // app.del is the deprecated alias of app.delete
  res.json({msg: 'This is CORS-enabled for all origins!'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})
```
You can also enable pre-flight across-the-board like so:
```js
app.options('*', cors()) // include before other routes
```
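To make the "simple versus pre-flighted" rule above concrete, here is an added example (not code from the cors project) that classifies a request using the Fetch standard's CORS-safelisted methods and request headers, and builds the OPTIONS request a browser would send so you can see what the `app.options(...)` handler has to answer. The header sets and sample requests are constructed for this example.

```javascript
// Added example (not the cors project's code). Header values are constructed.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// Content-Type is only safelisted for these three media types.
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Lower-cased names of the headers (set by the page's script) that are NOT
// CORS-safelisted. Any such header forces a pre-flight, and these names are
// what the browser lists in Access-Control-Request-Headers.
function unsafeHeaderNames(headers = {}) {
  const unsafe = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) {
      unsafe.push(lower);
    } else if (lower === 'content-type') {
      const mediaType = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) unsafe.push(lower);
    }
  }
  return unsafe.sort();
}

// True when the browser will send an OPTIONS pre-flight before this request.
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return unsafeHeaderNames(headers).length > 0;
}

// The OPTIONS request a browser sends before a non-simple request, i.e. what
// app.options('/products/:id', cors()) must answer. Returns null when the
// request is simple and no pre-flight happens.
function preflightFor(origin, method, headers = {}) {
  if (!needsPreflight(method, headers)) return null;
  const req = {
    method: 'OPTIONS',
    headers: {
      'Origin': origin,
      'Access-Control-Request-Method': method.toUpperCase(),
    },
  };
  const unsafe = unsafeHeaderNames(headers);
  if (unsafe.length > 0) req.headers['Access-Control-Request-Headers'] = unsafe.join(',');
  return req;
}

const SAMPLE_REQUESTS = [
  ['GET', {}],                                                          // simple
  ['POST', { 'Content-Type': 'application/x-www-form-urlencoded' }],   // plain form post: simple
  ['POST', { 'Content-Type': 'application/json' }],                    // JSON body: pre-flighted
  ['GET', { Authorization: 'Bearer constructed-token' }],              // custom header: pre-flighted
  ['DELETE', {}],                                                       // verb outside GET/HEAD/POST
];
for (const [method, headers] of SAMPLE_REQUESTS) {
  console.log(method, JSON.stringify(headers), '->', needsPreflight(method, headers) ? 'pre-flight' : 'simple');
}
console.log(preflightFor('https://app.example.com', 'DELETE'));
```

A route that only ever receives simple requests works with `cors()` on the route alone; as soon as a client sends JSON, an `Authorization` header or a verb like DELETE, the matching `app.options` handler (or the catch-all `app.options('*', cors())`) must exist or the browser never issues the real request.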
Configuring CORS Asynchronously
```js
var express = require('express')
var cors = require('cors')
var app = express()

var whitelist = ['http://example1.com', 'http://example2.com']
var corsOptionsDelegate = function (req, callback) {
  var corsOptions;
  if (whitelist.indexOf(req.header('Origin')) !== -1) {
    corsOptions = { origin: true } // reflect (enable) the requested origin in the CORS response
  } else {
    corsOptions = { origin: false } // disable CORS for this request
  }
  callback(null, corsOptions) // callback expects two parameters: error and options
}

app.get('/products/:id', cors(corsOptionsDelegate), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for a whitelisted domain.'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})
```
Configuration Options
- `origin`: Configures the Access-Control-Allow-Origin CORS header. Possible values:
  - Boolean - set `origin` to `true` to reflect the request origin, as defined by `req.header('Origin')`, or set it to `false` to disable CORS. Reflecting every origin while `credentials` is also `true` lets any website read authenticated responses, so pair `credentials` with an explicit list of origins instead.
  - String - set `origin` to a specific origin. For example if you set it to `"http://example.com"` only requests from "http://example.com" will be allowed.
  - RegExp - set `origin` to a regular expression pattern which will be used to test the request origin. If it's a match, the request origin will be reflected. For example the pattern `/example\.com$/` will reflect any request that is coming from an origin ending with "example.com". Note that this includes "http://notexample.com": anchor the pattern to the scheme and require a dot before the domain when only that domain and its subdomains should match.
  - Array - set `origin` to an array of valid origins. Each origin can be a `String` or a `RegExp`. For example `["http://example1.com", /\.example2\.com$/]` will accept any request from "http://example1.com" or from a subdomain of "example2.com".
  - Function - set `origin` to a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (which expects the signature `err [object], allow [bool]`) as the second.
- `methods`: Configures the Access-Control-Allow-Methods CORS header. Expects a comma-delimited string (ex: 'GET,PUT,POST') or an array (ex: `['GET', 'PUT', 'POST']`).
- `allowedHeaders`: Configures the Access-Control-Allow-Headers CORS header. Expects a comma-delimited string (ex: 'Content-Type,Authorization') or an array (ex: `['Content-Type', 'Authorization']`). If not specified, defaults to reflecting the headers specified in the request's Access-Control-Request-Headers header.
- `exposedHeaders`: Configures the Access-Control-Expose-Headers CORS header. Expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array (ex: `['Content-Range', 'X-Content-Range']`). If not specified, no custom headers are exposed.
- `credentials`: Configures the Access-Control-Allow-Credentials CORS header. Set to `true` to pass the header, otherwise it is omitted.
- `maxAge`: Configures the Access-Control-Max-Age CORS header. Set to an integer to pass the header, otherwise it is omitted.
- `preflightContinue`: Pass the CORS preflight response to the next handler.
- `optionsSuccessStatus`: Provides a status code to use for successful `OPTIONS` requests, since some legacy browsers (IE11, various SmartTVs) choke on `204`.
The default configuration is the equivalent of:
```json
{
  "origin": "*",
  "methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
  "preflightContinue": false,
  "optionsSuccessStatus": 204
}
```
For details on the effect of each CORS header, read this article on HTML5 Rocks.
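To show how the `origin` and `credentials` options above combine, here is an added example that is not the library's code: a simplified model of the documented option semantics (Boolean, String, RegExp and Array forms of `origin`, and `credentials`) mapped to the two response headers they control, plus an audit function that flags the combinations a security review should reject. The `resolveAllowOrigin`, `corsHeadersFor` and `auditCorsOptions` names, and all origins used, are this example's own assumptions; the Function form of `origin` is left out.

```javascript
// Added example (not the cors project's code): a model of the documented
// option semantics, not the middleware's implementation. Origins are constructed.

// Returns the Access-Control-Allow-Origin value for this request, or null when
// the request's origin is not allowed (in which case no CORS headers are sent).
function resolveAllowOrigin(originOption, requestOrigin) {
  if (originOption === undefined || originOption === '*') return '*';   // default: any origin
  if (originOption === true) return requestOrigin;                       // reflect the request origin
  if (originOption === false || originOption === null) return null;     // CORS disabled
  if (typeof originOption === 'string') return originOption;            // fixed value; the browser compares it
  if (originOption instanceof RegExp) return originOption.test(requestOrigin) ? requestOrigin : null;
  if (Array.isArray(originOption)) {
    const hit = originOption.some((entry) =>
      entry instanceof RegExp ? entry.test(requestOrigin) : entry === requestOrigin);
    return hit ? requestOrigin : null;
  }
  throw new TypeError('unsupported origin option');
}

// The headers a response carries for a given options object and request Origin.
function corsHeadersFor(options, requestOrigin) {
  const allow = resolveAllowOrigin(options.origin, requestOrigin);
  const headers = {};
  if (allow === null) return headers;
  headers['Access-Control-Allow-Origin'] = allow;
  if (options.credentials === true) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Findings a security review would raise on the options object.
function auditCorsOptions(options) {
  const findings = [];
  if (options.credentials === true) {
    if (options.origin === true) {
      findings.push('origin: true with credentials: true reflects every Origin with credentials; any site can read authenticated responses');
    }
    if (options.origin === undefined || options.origin === '*') {
      findings.push("origin: '*' with credentials: true: browsers reject a wildcard on credentialed responses, so those requests fail");
    }
  }
  return findings;
}

const ATTACKER = 'https://attacker.test';
const reflectWithCreds = { origin: true, credentials: true };              // weak
const allowlistWithCreds = { origin: ['https://app.example.com'], credentials: true }; // corrected

console.log(corsHeadersFor(reflectWithCreds, ATTACKER));    // reflected origin + credentials: readable by attacker.test
console.log(corsHeadersFor(allowlistWithCreds, ATTACKER));  // {}: attacker.test gets no CORS headers at all
console.log(corsHeadersFor(allowlistWithCreds, 'https://app.example.com'));
console.log(auditCorsOptions(reflectWithCreds));
console.log(auditCorsOptions(allowlistWithCreds));          // []
```

The exploitable shape is the first one: a response that both reflects the caller's Origin and sets Allow-Credentials lets any page the victim visits read the victim's authenticated data. The allowlist form produces the same headers for the legitimate origin and nothing for anyone else.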
Demo
A demo that illustrates CORS working (and not working) using jQuery is available here: http://node-cors-client.herokuapp.com/
Code for that demo can be found here:
- Client: https://github.com/TroyGoode/node-cors-client
- Server: https://github.com/TroyGoode/node-cors-server
No vulnerabilities found.

- Reason (Binary-Artifacts): no binaries found in the repo
- Reason (Contributors): 8 different organizations found -- score normalized to 10
  - Info: contributors work for ExpressGateway, crypto-utils, expressjs, founder @trycourier, mysqljs, nodejs, repo-utils, stream-utils
- Reason (Dangerous-Workflow): no dangerous workflow patterns detected
- Reason (License): license file detected
  - Info: License file found in expected location: LICENSE:1
  - Info: FSF or OSI recognized license: LICENSE:1
- Reason (Vulnerabilities): no vulnerabilities detected
- Reason (Maintained): 1 commit(s) out of 30 and 3 issue activity out of 30 found in the last 90 days -- score normalized to 3
- Reason (Code-Review): found 23 unreviewed changesets out of 30 -- score normalized to 2
- Reason (Pinned-Dependencies): dependency not pinned by hash detected -- score normalized to 2
  - Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/cors/ci.yml/master?enable=pin
  - Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/cors/ci.yml/master?enable=pin
  - Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:147: update your workflow using https://app.stepsecurity.io/secureworkflow/expressjs/cors/ci.yml/master?enable=pin
  - Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:95
  - Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:111
  - Info: 3 out of 4 GitHub-owned GitHubAction dependencies pinned
  - Info: 1 out of 3 third-party GitHubAction dependencies pinned
  - Info: 0 out of 2 npmCommand dependencies pinned
- Reason (CI-Tests): 1 out of 7 merged PRs checked by a CI test -- score normalized to 1
- Reason (Branch-Protection): branch protection not enabled on development/release branches
  - Warn: branch protection not enabled for branch 'master'
- Reason (CII-Best-Practices): no effort to earn an OpenSSF best practices badge detected
- Reason (Dependency-Update-Tool): no update tool detected
  - Warn: tool 'RenovateBot' is not used: Follow the instructions from https://docs.renovatebot.com/configuration-options/. (Low effort)
  - Warn: tool 'Dependabot' is not used: Follow the instructions from https://docs.github.com/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates. (Low effort)
  - Warn: tool 'PyUp' is not used: Follow the instructions from https://docs.pyup.io/docs. (Low effort)
  - Warn: tool 'Sonatype Lift' is not used: Follow the instructions from https://help.sonatype.com/lift/getting-started. (Low effort)
- Reason (Fuzzing): project is not fuzzed
  - Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
  - Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI. Over time, try to add fuzzing for more functionalities of your project. (High effort)
  - Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
  - The report also emits the same warning for OneFuzz, GoBuiltInFuzzer, PythonAtherisFuzzer, CLibFuzzer, CppLibFuzzer, SwiftLibFuzzer, RustCargoFuzzer, JavaJazzerFuzzer, HaskellPropertyBasedTesting and TypeScriptPropertyBasedTesting; these are Scorecard's generic per-language suggestions, and the language-specific ones do not apply to a repository that is 100% JavaScript.
- Reason (SAST): SAST tool is not run on all commits -- score normalized to 0
  - Warn: 0 commits out of 7 are checked with a SAST tool
  - Warn: CodeQL tool not detected
- Reason (Security-Policy): security policy file not detected
  - Warn: no security policy file detected: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. For additional information on vulnerability disclosure, see https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md. (Medium effort)
  - Warn: no security file to analyze (reported three times, each repeating the GitHub guidance above; for GitLab, provide a point of contact or the disclosure process in SECURITY.md). (Low effort)
- Reason (Token-Permissions): detected GitHub workflow tokens with excessive permissions
  - Warn: no topLevel permission defined: .github/workflows/ci.yml:1: Visit https://app.stepsecurity.io/secureworkflow/expressjs/cors/ci.yml/master?enable=permissions Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
  - Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:19
  - Info: no jobLevel write permissions found

Score: 3.8/10
Last Scanned on 2024-12-23T21:22:13Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.