CORS Configuration
Configure Cross-Origin Resource Sharing headers to control which domains can access your API endpoints.
Claude Code Cursor Copilot Windsurf Gemini CLI Codex
Overview
The cors middleware for Express.js provides a simple way to enable and configure Cross-Origin Resource Sharing (CORS) headers. CORS is a browser security mechanism that restricts how web pages can make requests to different domains. Without proper CORS configuration, browsers will block frontend applications from calling your API if they are hosted on different origins.
The middleware supports both simple and preflight requests, handling OPTIONS preflight automatically. You can configure allowed origins (specific domains, regex patterns, or dynamic functions), allowed methods (GET, POST, PUT, DELETE), allowed headers, exposed headers, credentials support, and max-age for preflight caching. The configuration can be applied globally or per-route.
Proper CORS configuration is critical for security. Overly permissive settings (like allowing all origins with credentials) can expose your API to cross-site request forgery attacks. The middleware supports dynamic origin validation, allowing you to check origins against a database or allowlist at runtime, which is essential for multi-tenant applications.
Who Is This For?
- Allow a React frontend to call an Express API on a different port
- Configure CORS for specific domains in production
- Enable credentials (cookies) for cross-origin requests
- Set up per-route CORS policies for public vs private endpoints
Installation
Setup for Claude Code
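npm install cors && npm install -D @types/cors
Configuration
import cors from "cors"
import express from "express"

const app = express()

// Allow only the listed origins, accept cookies, and cache preflight responses for 24 hours
app.use(cors({
  origin: ["https://myapp.com", "https://admin.myapp.com"],
  methods: ["GET", "POST", "PUT", "DELETE"],
  credentials: true,
  maxAge: 86400,
}))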
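The Overview mentions dynamic origin validation against an allowlist at runtime. The sketch below is an added example, not code from the original page or from the cors project; it builds a function with the `(origin, callback)` signature that the middleware's `origin` option accepts. The names `ALLOWED_ORIGINS`, `isAllowedOrigin`, `makeOriginCheck` and `decide` are hypothetical, and the in-memory Set stands in for a database or per-tenant lookup.

```javascript
// Constructed allowlist; in a multi-tenant app this would be loaded from
// a database or config store (assumption, not from the original page).
const ALLOWED_ORIGINS = new Set([
  "https://myapp.com",
  "https://admin.myapp.com",
]);

// Exact string match only. Prefix, suffix or unanchored regex checks would
// also accept lookalike hosts such as "https://myapp.com.example.net".
// The literal "null" origin (sandboxed iframes, file:// pages) is refused.
function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== "string") return false;
  if (origin === "null") return false;
  return allowlist.has(origin);
}

// Returns a function with the (origin, callback) signature accepted by the
// cors middleware's `origin` option.
function makeOriginCheck(allowlist = ALLOWED_ORIGINS) {
  return function originCheck(origin, callback) {
    // No Origin header: same-origin or non-browser client. There is nothing
    // to grant, so answer without CORS headers rather than raising an error.
    if (origin === undefined) return callback(null, false);
    if (isAllowedOrigin(origin, allowlist)) return callback(null, true);
    // Unknown origin: no CORS headers are sent, so the browser blocks the
    // read. The route handler still runs; CORS is not server-side authz.
    return callback(null, false);
  };
}

// Runs the check outside Express and returns the decision it reports.
function decide(origin, allowlist = ALLOWED_ORIGINS) {
  let result;
  makeOriginCheck(allowlist)(origin, (err, allow) => { result = allow; });
  return result;
}

// Usage with the configuration shown above:
//   app.use(cors({ origin: makeOriginCheck(), credentials: true, maxAge: 86400 }))
```

Because a rejected origin only loses the CORS response headers, endpoints that change state still need their own authentication and CSRF defenses.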