🚀 Big News:Socket Has Acquired Secure Annex.Learn More
Socket
Book a DemoSign in
Socket
Book a DemoSign in

@elysiajs/cors

Package Overview
Dependencies
Maintainers
1
Versions
48
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@elysiajs/cors

Elysia plugin to support Cross Origin Requests (CORs)

latest
Source
npmnpm
Version
1.4.2
Version published
Weekly downloads
219K
-20.25%
Maintainers
1
Weekly downloads
 
Created
Source

@elysia/cors

Elysia to support Cross Origin Requests (CORs)

Installation

bun add @elysia/cors

Example

import { Elysia } from 'elysia'
import { cors } from '@elysia/cors'

const app = new Elysia()
    .use(cors())
    .listen(8080)

Config

origin

@default true

Assign the Access-Control-Allow-Origin header.

Value can be one of the following:

  • string - String of origin which will directly assign to Access-Control-Allow-Origin

  • boolean - If set to true, Access-Control-Allow-Origin will be set to * (accept all origin)

  • RegExp - Pattern to use to test with request's url, will accept origin if matched.

  • Function - Custom logic to validate origin acceptance or not. will accept origin if true is returned.

    • Function will accepts Context just like Handler
    // Example usage
app.use(cors, {
    origin: ({ request, headers }) => true
})

// Type Definition
type CORSOriginFn = (context: Context) => boolean | void

  • Array<string | RegExp | Function> - Will try to find truthy value of all options above. Will accept Request if one is true.

methods

@default *

Assign Access-Control-Allow-Methods header.

Value can be one of the following: Accept:

  • undefined | null | '' - Ignore all methods.

  • * - Accept all methods.

  • HTTPMethod - Will be directly set to Access-Control-Allow-Methods.

    • Expects either a single method or a comma-delimited string (eg: 'GET, PUT, POST')

  • HTTPMethod[] - Allow multiple HTTP methods.

    • eg: ['GET', 'PUT', 'POST']

allowedHeaders

@default *

Assign Access-Control-Allow-Headers header.

Allow incoming request with the specified headers.

Value can be one of the following:

  • string

    • Expects either a single method or a comma-delimited string (eg: 'Content-Type, Authorization').

  • string[] - Allow multiple HTTP methods.

    • eg: ['Content-Type', 'Authorization']

exposedHeaders

@default *

Assign Access-Control-Exposed-Headers header.

Return the specified headers to request in CORS mode.

Value can be one of the following:

  • string

    • Expects either a single method or a comma-delimited string (eg: 'Content-Type, 'X-Powered-By').

  • string[] - Allow multiple HTTP methods.

    • eg: ['Content-Type', 'X-Powered-By']

credentials

@default true

Assign Access-Control-Allow-Credentials header.

Allow incoming requests to send credentials header.

  • boolean - Available if set to true.

maxAge

@default 5

Assign Access-Control-Max-Age header.

Allow incoming requests to send credentials header.

  • number - Duration in seconds to indicates how long the results of a preflight request can be cached.

preflight

@default true

Add [OPTIONS] /* handler to handle preflight request which response with HTTP 204 and CORS hints.

  • boolean - Available if set to true.

Keywords

elysia
cors

FAQs

Package last updated on 23 Apr 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape

Security News

Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape

A critical vm2 sandbox escape can allow untrusted JavaScript to break isolation and execute commands on the host Node.js process.

By Wenxin Jiang, Marvin Fleischer, Jonah Ghebremichael  -  May 08, 2026