TLDR: In the example, I just want to make it so that /users/delete cannot be called by anything outside of my React app.
I have a bunch of routes for the backend API of my app that uses Express:
ie. server.js
app.get('/invoices/read', async (req, res) => {
// gather data from db
res.json({...data})
})
I have cors enabled globally like so:
server.js
app.use(function(req, res, next) {
res.header('Access-Control-Allow-Origin', '*');
res.header(
'Access-Control-Allow-Headers',
'Origin, X-Requested-With, Content-Type, Accept'
);
next();
});
So, my question is, how would I disable CORS for a single route such as this
app.post('/users/delete', async (req, res) => {
// delete user out of database
res.sendStatus(200)
})
without rewriting all of my routes to something like this:
var cors = require('cors');
app.get('/invoices/read', cors(), async (req, res) => {
// gather data from db
res.json({...data})
})
So that a user can't just make a POST request to /users/delete using an arbitrary ID in an attempt to delete a user out of my system?
Do I need to just include the origin in my headers or do I need to disable CORS for that route?
- In the past, I've had trouble getting a string of origins to work using the
Access-Control-Allow-Originheader.
TLDR: In the example, I just want to make it so that /users/delete cannot be called by anything outside of my React app.
I have a bunch of routes for the backend API of my app that uses Express:
ie. server.js
app.get('/invoices/read', async (req, res) => {
// gather data from db
res.json({...data})
})
I have cors enabled globally like so:
server.js
app.use(function(req, res, next) {
res.header('Access-Control-Allow-Origin', '*');
res.header(
'Access-Control-Allow-Headers',
'Origin, X-Requested-With, Content-Type, Accept'
);
next();
});
So, my question is, how would I disable CORS for a single route such as this
app.post('/users/delete', async (req, res) => {
// delete user out of database
res.sendStatus(200)
})
without rewriting all of my routes to something like this:
var cors = require('cors');
app.get('/invoices/read', cors(), async (req, res) => {
// gather data from db
res.json({...data})
})
So that a user can't just make a POST request to /users/delete using an arbitrary ID in an attempt to delete a user out of my system?
Do I need to just include the origin in my headers or do I need to disable CORS for that route?
- In the past, I've had trouble getting a string of origins to work using the
Access-Control-Allow-Originheader.
- Just put the one route BEFORE your middleware that enables CORS. Then, the CORS headers will not be present when serving that route. – jfriend00 Commented Jun 21, 2020 at 22:14
3 Answers
Reset to default 11Override the header only on the route you want to "disable" it:
res.set('Access-Control-Allow-Origin', 'alloweddomain.com')
If you need to allow more than one domain, you can make a list of allowed domains and check if the origin is included there:
const allowedDomains = ['allowedomain1.com', 'alloweddomain2.com'];
const origin = req.get('origin');
if (allowedDomains.includes(origin)) {
res.set('Access-Control-Allow-Origin', origin);
}
One other solution I've found:
On the global invocation of app.use(cors()), you can add the option preflightContinue: true, and that should allow follow-up middleware on the specific page to override it.
In the top-level config
app.use(
cors({
origin: 'http://localhost:9001',
// Allow follow-up middleware to override this CORS for options
preflightContinue: true,
}),
);
In my specific route declaration
router.options('/myRoute', cors(myRouteOptions));
router.post(
'/myRoute',
cors(myRouteOptions),
async (req, res) => {
// ...
},
);
Using Express router and cors module:
// Define the router
const v1 = express.Router();
// Initiate express app
const api = express();
const corsOptions = {
origin: '*',
methods: [],
allowedHeaders: [],
exposedHeaders: [],
credentials: true
};
// Define subroutes here
v1.get('/list', (req, res) => { // action implementation here})
// Define cors per route
v1.all('/list', cors(corsOptions));
// Add the router to express
api.use('/', v1);
Or using a cors middleware
v1.get('/list', cors(corsOptions), (req, res) => { // action implementation here})
Both should work, I hope this helps.