Bird
Raised Fist0
Expressframework~10 mins

Configuring allowed origins in Express - Visual Walkthrough

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Concept Flow - Configuring allowed origins
Client sends request
Server receives request
Check Origin header
Origin allowed
Send response
Client receives response
The server checks the request's origin header against allowed origins and either accepts or blocks the request accordingly.
Execution Sample
Express
const express = require('express');
const cors = require('cors');

const app = express();

const allowedOrigins = ['https://example.com', 'https://app.example.com'];

app.use(cors({
  origin: function(origin, callback) {
    if (!origin || allowedOrigins.indexOf(origin) !== -1) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  }
}));
This code configures an Express server to accept requests only from specified origins.
Execution Table
StepRequest OriginAllowed OriginsOrigin Allowed?Action Taken
1https://example.com['https://example.com', 'https://app.example.com']YesRequest accepted, response sent
2https://app.example.com['https://example.com', 'https://app.example.com']YesRequest accepted, response sent
3https://malicious.com['https://example.com', 'https://app.example.com']NoRequest blocked, error sent
4No Origin header['https://example.com', 'https://app.example.com']NoRequest blocked, error sent
💡 Requests from origins not in the allowed list are blocked to protect the server.
Variable Tracker
VariableStartAfter Step 1After Step 2After Step 3After Step 4
request.originundefinedhttps://example.comhttps://app.example.comhttps://malicious.comundefined
allowedOrigins['https://example.com', 'https://app.example.com']unchangedunchangedunchangedunchanged
originAllowedfalsetruetruefalsefalse
Key Moments - 2 Insights
Why does a request with no Origin header get blocked?
Because the server checks if the Origin header matches allowed origins. If missing, it cannot verify origin, so it blocks the request as shown in execution_table step 4.
What happens if the request origin is not exactly in the allowed list?
The request is blocked since the origin does not match any allowed origin exactly, as seen in execution_table step 3.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is the action taken when the request origin is 'https://app.example.com'?
ARequest blocked, error sent
BRequest accepted, response sent
CRequest ignored
DRequest redirected
💡 Hint
Check execution_table row 2 under 'Action Taken'
At which step does the originAllowed variable become false?
AAfter Step 1
BAfter Step 2
CAfter Step 3
DAfter Step 4
💡 Hint
Look at variable_tracker row for originAllowed at After Step 3
If we add 'https://malicious.com' to allowedOrigins, what changes in the execution table?
AStep 3 action changes to request accepted
BStep 4 action changes to request accepted
CNo changes
DAll steps blocked
💡 Hint
Adding to allowedOrigins affects originAllowed and action at step 3
Concept Snapshot
Configuring allowed origins in Express:
Use the cors middleware with an origin option.
Set origin to an array of allowed URLs.
Requests from these origins are accepted.
Others are blocked to protect your server.
No Origin header usually means block.
Full Transcript
This visual execution shows how Express with the cors middleware checks the origin of incoming requests. The server compares the request's Origin header to a list of allowed origins. If the origin matches, the request is accepted and the response is sent. If not, the request is blocked and an error is sent. Requests without an Origin header are also blocked for security. The variable originAllowed tracks if the origin is allowed. This helps prevent unauthorized cross-origin requests.

Practice

(1/5)
1. What is the main purpose of configuring allowed origins in an Express app using cors middleware?
easy
A. To encrypt data sent between client and server
B. To speed up the server response time
C. To control which websites can access your server resources
D. To log all incoming requests

Solution

  1. Step 1: Understand what allowed origins mean

    Allowed origins specify which websites are permitted to make requests to your server.

  2. Step 2: Identify the role of cors middleware

    The cors middleware in Express helps set these allowed origins to control access.

  3. Final Answer:

    To control which websites can access your server resources -> Option C

  4. Quick Check:

    Allowed origins = control access [OK]
Hint: Allowed origins control access, not speed or encryption [OK]
Common Mistakes:
  • Confusing allowed origins with encryption
  • Thinking it speeds up server
  • Assuming it logs requests
2. Which of the following is the correct way to allow only 'https://example.com' as an origin using the cors middleware in Express?
easy
A. app.use(cors({ origin: [https://example.com] }));
B. app.use(cors({ origin: 'https://example.com' }));
C. app.use(cors({ origins: 'https://example.com' }));
D. app.use(cors(https://example.com));

Solution

  1. Step 1: Check the correct option name for allowed origins

    The correct option is origin, not origins.

  2. Step 2: Verify the value type for origin

    It accepts a string for a single allowed origin, so 'https://example.com' is correct.

  3. Final Answer:

    app.use(cors({ origin: 'https://example.com' })); -> Option B

  4. Quick Check:

    Option name is origin, value is string [OK]
Hint: Use 'origin' option with string for single allowed site [OK]
Common Mistakes:
  • Using 'origins' instead of 'origin'
  • Passing array for single origin string
  • Calling cors without options
3. Given this Express code snippet, what will be the result when a request comes from 'https://allowed.com'? 
const cors = require('cors');
app.use(cors({ origin: ['https://allowed.com', 'https://other.com'] }));
medium
A. The request will be allowed because 'https://allowed.com' is in the list
B. The request will be blocked due to invalid origin format
C. The request will be allowed only if it uses POST method
D. The request will be blocked because origin must be a string

Solution

  1. Step 1: Understand the origin option accepts an array

    The origin option can accept an array of allowed origins to permit multiple sites.

  2. Step 2: Check if 'https://allowed.com' is in the array

    Since 'https://allowed.com' is listed, requests from it will be allowed.

  3. Final Answer:

    The request will be allowed because 'https://allowed.com' is in the list -> Option A

  4. Quick Check:

    Array of origins allows listed sites [OK]
Hint: Array of origins lets listed sites access [OK]
Common Mistakes:
  • Thinking origin must be string only
  • Assuming method affects origin check
  • Believing array format causes error
4. Identify the error in this Express CORS setup that aims to allow only 'https://site.com': 
app.use(cors({ origin: 'https://site.com', methods: ['GET', 'POST'] }));
app.use(cors());
medium
A. Calling cors() twice causes conflict and overrides settings
B. The methods option is invalid in cors middleware
C. The origin value should be an array, not a string
D. Missing next() call in middleware

Solution

  1. Step 1: Check middleware usage order

    Calling cors() twice means the second call overrides the first, ignoring origin restrictions.

  2. Step 2: Confirm methods option is valid

    The methods option is valid to restrict HTTP methods, so no error there.

  3. Final Answer:

    Calling cors() twice causes conflict and overrides settings -> Option A

  4. Quick Check:

    Multiple cors calls override previous config [OK]
Hint: Only call cors once with all options [OK]
Common Mistakes:
  • Calling cors middleware multiple times
  • Thinking origin must be array always
  • Ignoring middleware order effects
5. You want to allow requests only from origins that end with '.trusted.com' dynamically in Express. Which cors configuration correctly implements this?
hard
A. app.use(cors({ origin: ['*.trusted.com'] }));
B. app.use(cors({ origin: (origin, callback) => { if (origin.includes('.trusted.com')) callback(null, true); else callback(new Error('Not allowed')); } }));
C. app.use(cors({ origin: '/^https:\/\/.*\.trusted\.com$/' }));
D. app.use(cors({ origin: (origin, callback) => { if (origin.endsWith('.trusted.com')) callback(null, true); else callback(new Error('Not allowed')); } }));

Solution

  1. Step 1: Understand dynamic origin checking

    To allow origins ending with '.trusted.com', a function can check the origin string dynamically.

  2. Step 2: Evaluate each option's approach

    app.use(cors({ origin: (origin, callback) => { if (origin.endsWith('.trusted.com')) callback(null, true); else callback(new Error('Not allowed')); } })); uses a function with endsWith to precisely match the domain ending, which is correct. app.use(cors({ origin: ['*.trusted.com'] })); uses wildcard string which is not supported. app.use(cors({ origin: '/^https:\/\/.*\.trusted\.com$/' })); uses regex but cors does not accept regex directly. app.use(cors({ origin: (origin, callback) => { if (origin.includes('.trusted.com')) callback(null, true); else callback(new Error('Not allowed')); } })); uses includes which may allow unwanted matches.

  3. Final Answer:

    app.use(cors({ origin: (origin, callback) => { if (origin.endsWith('.trusted.com')) callback(null, true); else callback(new Error('Not allowed')); } })); -> Option D

  4. Quick Check:

    Use function with endsWith for dynamic origin [OK]
Hint: Use function with endsWith() to allow domain patterns [OK]
Common Mistakes:
  • Using wildcard strings in origin array
  • Passing regex directly as origin
  • Using includes() instead of endsWith()