0
0
ExpressHow-ToBeginner · 3 min read

How to Use CORS Middleware in Express: Simple Guide

To use cors middleware in Express, first install it with npm install cors. Then, import it and add app.use(cors()) before your routes to enable cross-origin resource sharing.
📐

Syntax

The cors middleware is a function you add to your Express app using app.use(). You can call it with no arguments to allow all origins, or pass an options object to customize allowed origins, methods, and headers.

  • cors(): Enables CORS with default settings (allow all origins).
  • cors(options): Customize CORS behavior with options like origin, methods, and allowedHeaders.
javascript
import cors from 'cors';

app.use(cors());

// or with options
app.use(cors({ origin: 'https://example.com' }));
💻

Example

This example shows a simple Express server that uses cors middleware to allow requests from any origin. It responds with a JSON message on the root route.

javascript
import express from 'express';
import cors from 'cors';

const app = express();
const port = 3000;

// Enable CORS for all origins
app.use(cors());

app.get('/', (req, res) => {
  res.json({ message: 'CORS is enabled!' });
});

app.listen(port, () => {
  console.log(`Server running on http://localhost:${port}`);
});
Output
Server running on http://localhost:3000
⚠️

Common Pitfalls

Common mistakes when using cors middleware include:

  • Adding cors() after route definitions, which means CORS headers won't be set on those routes.
  • Not specifying allowed origins when you want to restrict access, leading to security risks.
  • Forgetting to install the cors package before importing it.

Always place app.use(cors()) before your routes to ensure headers are sent properly.

javascript
/* Wrong: cors middleware after routes */
app.get('/', (req, res) => {
  res.send('Hello');
});
app.use(cors()); // This won't add CORS headers to '/' route

/* Right: cors middleware before routes */
app.use(cors());
app.get('/', (req, res) => {
  res.send('Hello');
});
📊

Quick Reference

OptionDescriptionExample
originDefines allowed origins (string, array, or function)origin: 'https://example.com'
methodsAllowed HTTP methodsmethods: 'GET,POST'
allowedHeadersAllowed headers in requestsallowedHeaders: 'Content-Type,Authorization'
credentialsAllow cookies and credentialscredentials: true
preflightContinuePass OPTIONS preflight response to next handlerfalse (default)

Key Takeaways

Install and import the cors package before using it in Express.
Use app.use(cors()) before defining routes to enable CORS globally.
Customize CORS by passing options to cors() for better security.
Placing cors middleware after routes will not add CORS headers to those routes.
Test your API with different origins to ensure CORS works as expected.

Related by keyword

How to Create Auth Middleware in Express: Simple GuideAuthenticationHow to Configure CORS in Express: Simple Setup GuideSecurityHow to Use CORS in Express: Simple Setup GuideSecurityHow to Test Middleware in Express: Simple GuideTestingHow to Create Middleware Chain in Express: Simple GuideCommon Patterns

Up next

How to Use Route Prefix in Express for Cleaner RoutesHow to Use Wildcard Route in Express: Syntax and ExamplesHow to Clear Cookie in Express: Simple GuideHow to Download File in Express: Simple Guide

More in Middleware

How to Create Custom Middleware in Express: Simple GuideHow to Create Middleware in Express: Simple GuideHow to Skip Middleware in Express: Simple GuideHow to Use app.use in Express: Middleware Setup Explained