restify-cors-middleware
Advanced tools
CORS middleware with full W3C spec support.
$ npm install restify-cors-middleware --save
const corsMiddleware = require('restify-cors-middleware')
const cors = corsMiddleware({
preflightMaxAge: 5, //Optional
origins: ['http://api.myapp.com', 'http://web.myapp.com'],
allowHeaders: ['API-Token'],
exposeHeaders: ['API-Token-Expiry']
})
server.pre(cors.preflight)
server.use(cors.actual)
You can specify the full list of domains and subdomains allowed in your application, using strings or regular expressions.
origins: [
'http://myapp.com',
'http://*.myapp.com',
/^https?:\/\/myapp.com(:[\d]+)?$/
]
For added security, this middleware sets Access-Control-Allow-Origin to the origin that matched, not the configured wildcard.
This means callers won't know about other domains that are supported.
Setting origins: ['*'] is also valid, although it comes with obvious security implications. Note that it will still return a customised response (matching Origin), so any caching layer (reverse proxy or CDN) will grow in size accordingly.
As per the spec, requests without an Origin will not receive any headers. Requests with a matching Origin will receive the appropriate response headers. Always be careful that any reverse proxies (e.g. Varnish) very their cache depending on the origin, so you don't serve CORS headers to the wrong request.
See unit tests for examples of preflight and actual requests.
FAQs
CORS middleware with full W3C spec support
The npm package restify-cors-middleware receives a total of 4,447 weekly downloads. As such, restify-cors-middleware popularity was classified as popular.
We found that restify-cors-middleware demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
npm now supports Trusted Publishing with OIDC, enabling secure package publishing directly from CI/CD workflows without relying on long-lived tokens.
Research
/Security News
A RubyGems malware campaign used 60 malicious packages posing as automation tools to steal credentials from social media and marketing tool users.
Security News
The CNA Scorecard ranks CVE issuers by data completeness, revealing major gaps in patch info and software identifiers across thousands of vulnerabilities.