Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Enables CORS at the edge, works for Vercel Edge Functions (With the recently announced Next.js Middleware), Deno, Cloudflare Workers, and any environment with Web APIs support, specifically the Fetch API.
This module is a modified version of expressjs/cors, which works for Node.js and should be your way to go if you're looking for Node.js support.
The module is available in npm, and as a Deno module. To install it from npm:
npm i edge-cors
To install it in Deno there are two options, using deno.land/x/edge_cors:
import cors from 'https://deno.land/x/edge_cors@VERSION/src/cors.ts'
And using nest.land/package/edge_cors:
import cors from 'https://x.nest.land/edge_cors@VERSION/src/cors.ts'
import type { NextRequest } from 'next/server'
import cors from 'edge-cors'
export function middleware(req: NextRequest) {
// `cors` also takes care of handling OPTIONS requests
return cors(
req,
new Response(JSON.stringify({ message: 'Hello World!' }), {
status: 200,
headers: { 'Content-Type': 'application/json' },
})
)
}
The full example is available in examples/next, and a live demo in Vercel Examples.
import { listenAndServe } from 'https://deno.land/std/http/server.ts'
import cors from 'https://deno.land/x/edge_cors/src/cors.ts'
console.log('Listening on http://localhost:8080')
await listenAndServe(':8080', (req) => {
// `cors` also takes care of handling OPTIONS requests
return cors(
req,
new Response(JSON.stringify({ message: 'Hello World!' }), {
status: 200,
headers: { 'Content-Type': 'application/json' },
})
)
})
The full example is available in examples/deno.
The signature of the cors
function is the following:
function cors(
req: Request,
res: Response,
options?: CorsOptions | undefined
): Promise<Response>
For reference, the types used in the definition are linked below:
Defined as CorsOptions
in src/cors.ts, including JSDoc comments with the same docs from below. Defaults to:
{
origin: '*',
methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
preflightContinue: false,
optionsSuccessStatus: 204,
}
origin
The value to match against the Access-Control-Allow-Origin
header in the request. Defaults to '*'
.
It can be a boolean, string, a regular expression, an array of those, or a function that returns one of those.
If set to '*'
all origins will be allowed.
If set to true
then Access-Control-Allow-Origin
will
reflect the origin of the request.
If set to false
then all origins will be denied (Access-Control-Allow-Origin
will not be set).
If set to a regular expression then the request origin will be matched against it.
If set to a function, it will receive the request origin string as the first parameter and the request as the second parameter. It can return a promise.
methods
Customizes the Access-Control-Allow-Methods
header.
It can be a string or an array of strings. Defaults to 'GET,HEAD,PUT,PATCH,POST,DELETE'
.
allowedHeaders
Configures the Access-Control-Allow-Headers
header.
It can be a string or an array of strings. There's no default value (the header is omitted).
exposedHeaders
Configures the Access-Control-Expose-Headers
header.
It can be a string or an array of strings. There's no default value (the header is omitted).
credentials
Configures the Access-Control-Allow-Credentials
header.
It can be a boolean. But the header is only set if it is true
.
There's no default value (the header is omitted).
maxAge
Configures the Access-Control-Max-Age
header.
Its value has to be an integer. There's no default value (the header is omitted).
preflightContinue
If true
, cors
will return the response with updated headers.
If false
, cors
will return a new Response object with the status
code set to the value of optionsSuccessStatus
and a empty body.
Defaults to false
.
optionsSuccessStatus
Status code to use for OPTIONS requests when preflightContinue
is disabled.
Defaults to 204
.
To create a local build of edge-cors
run the following:
npm run build
# or
npm run dev
To run the tests:
npm run test
The tests run with Tape and Node.js. You can also cd into the examples and follow their readmes to use the local build there.
FAQs
CORS for edge workers, works with Next.js Middleware
The npm package edge-cors receives a total of 171 weekly downloads. As such, edge-cors popularity was classified as not popular.
We found that edge-cors demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.