CorsOptions
Summary
Options for CORS middleware.
Signature
interface CorsOptions {
  allowedHeaders?: readonly string[] | CorsAllowedHeadersResolver;
  allowPrivateNetwork?: boolean;
  credentials?: boolean;
  exposedHeaders?: readonly string[];
  maxAge?: number;
  methods?: readonly string[];
  origin?: CorsOrigin;
  preflightContinue?: boolean;
  preflightStatusCode?: number;
}
Properties
allowedHeaders
Allowed request headers for preflight responses.
Defaults to reflecting Access-Control-Request-Headers.
allowPrivateNetwork
Include Access-Control-Allow-Private-Network: true when requested.
credentials
Include Access-Control-Allow-Credentials: true.
exposedHeaders
Exposed response headers for non-preflight requests.
maxAge
Access-Control-Max-Age value for preflight responses (seconds).
methods
Allowed methods for preflight responses.
origin
Allowed origins. Defaults to '*'.
- true reflects the request Origin
- false disables CORS headers
- '*' allows all origins
- string/RegExp/array allow matching origins
- function allows dynamic origin checks
preflightContinue
Continue to downstream handlers for preflight requests.
preflightStatusCode
Status code to use when short-circuiting preflight responses.
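
The origin forms listed under `origin`, and how they interact with `credentials`, can be modelled in a few lines. This is an added example, not code from this package: `OriginRule`, `Policy`, `resolveAllowOrigin` and `auditPolicy` are hypothetical names, and the function form is assumed to take the request origin and return a boolean, since the page does not give the `CorsOrigin` signature.

```typescript
// Added example: a stand-alone model of the `origin` forms listed on this page.
// Not the middleware's code; every name below is hypothetical.
type OriginRule = boolean | string | RegExp | readonly (string | RegExp)[]
  | ((requestOrigin: string) => boolean); // assumed callback shape
interface Policy { origin?: OriginRule; credentials?: boolean }

// Value for Access-Control-Allow-Origin, or null when no CORS header is sent.
function resolveAllowOrigin(rule: OriginRule | undefined, requestOrigin: string): string | null {
  if (rule === undefined || rule === '*') return '*';   // documented default
  if (rule === false) return null;                       // CORS headers disabled
  if (rule === true) return requestOrigin;               // reflect the request Origin
  if (typeof rule === 'function') return rule(requestOrigin) ? requestOrigin : null;
  const rules: readonly (string | RegExp)[] =
    typeof rule === 'string' || rule instanceof RegExp ? [rule] : rule;
  const allowed = rules.some((r) =>
    typeof r === 'string' ? r === requestOrigin : r.test(requestOrigin));
  return allowed ? requestOrigin : null;
}

// Review helper: flags settings that trust more origins than an explicit allowlist.
function auditPolicy(policy: Policy): string[] {
  const findings: string[] = [];
  const rule: OriginRule = policy.origin === undefined ? '*' : policy.origin;
  if (policy.credentials === true && rule === true) {
    findings.push('credentials + reflected origin: any site can read authenticated responses');
  }
  if (policy.credentials === true && rule === '*') {
    findings.push("credentials + '*': browsers reject credentialed responses with a wildcard");
  }
  const candidates: readonly unknown[] =
    typeof rule === 'object' && !(rule instanceof RegExp) ? rule : [rule];
  for (const r of candidates) {
    // Heuristic: a pattern without ^...$ can match inside a longer, unrelated origin.
    if (r instanceof RegExp && !(r.source.charAt(0) === '^' && r.source.slice(-1) === '$')) {
      findings.push('unanchored RegExp /' + r.source + '/ matches look-alike origins');
    }
  }
  return findings;
}

// Constructed sample policies (reserved example domains only).
const strictPolicy: Policy = {
  origin: ['https://app.example.com', /^https:\/\/[a-z0-9-]+\.example\.com$/],
  credentials: true,
};
const loosePolicy: Policy = { origin: [/example\.com/], credentials: true };
```

The anchoring check only inspects the pattern source; an allowlist of exact origin strings avoids the question entirely.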