Configuring allowed origins helps control which websites can talk to your server. It keeps your app safe by blocking unwanted access.
const cors = require('cors'); const corsOptions = { origin: 'https://example.com', optionsSuccessStatus: 200 }; app.use(cors(corsOptions));
The origin option sets which website is allowed.
You can use a string for one origin or a function/array for multiple origins.
https://mywebsite.com to access your server.app.use(cors({ origin: 'https://mywebsite.com' }));const allowedOrigins = ['https://site1.com', 'https://site2.com']; app.use(cors({ origin: function(origin, callback) { if (!origin || allowedOrigins.includes(origin)) { callback(null, true); } else { callback(new Error('Not allowed by CORS')); } } }));
app.use(cors());
This Express server allows requests only from https://trusted.com and https://partner.com. Others get blocked by CORS.
import express from 'express'; import cors from 'cors'; const app = express(); const allowedOrigins = ['https://trusted.com', 'https://partner.com']; const corsOptions = { origin: (origin, callback) => { if (!origin || allowedOrigins.includes(origin)) { callback(null, true); } else { callback(new Error('Not allowed by CORS')); } } }; app.use(cors(corsOptions)); app.get('/', (req, res) => { res.send('Hello from server!'); }); app.listen(3000, () => { console.log('Server running on port 3000'); });
Remember that CORS only affects browsers. Other clients like Postman are not blocked by CORS.
Always test your allowed origins carefully to avoid blocking your own app.
Configuring allowed origins controls which websites can access your server.
Use the cors middleware with the origin option to set allowed sites.
Test your settings to keep your app safe and working well.