CORS in Node.js: 3 Practical Examples

Explore three practical examples of implementing CORS in a Node.js application to enhance your web security.
By Jamie

Understanding CORS in Node.js

Cross-Origin Resource Sharing (CORS) is a security feature that allows or restricts resources requested from a domain outside the domain from which the first resource was served. In a Node.js application, correctly implementing CORS is crucial for ensuring your application can interact with resources from different origins while maintaining security protocols. Here are three diverse, practical examples of implementing CORS in a Node.js application to suit various use cases.

Example 1: Basic CORS Setup with Express

Context

This example demonstrates a simple setup of CORS in a Node.js application using the Express framework. It is suitable for applications that need to allow requests from specific origins.

const express = require('express');
const cors = require('cors');

const app = express();

// Enable CORS for specific origin
app.use(cors({ origin: 'https://example.com' }));

app.get('/data', (req, res) => {
    res.json({ message: 'This is CORS-enabled for only example.com!' });
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
    console.log(`Server running on port ${PORT}`);
});

Notes

  • This setup allows only requests from https://example.com. You can modify the origin option to include multiple domains or use a function to determine the allowed origins dynamically.

Example 2: Allowing Multiple Origins

Context

In this example, we will allow multiple origins to access the Node.js application. This is useful for applications that need to be accessible from various domains, such as different client applications.

const express = require('express');
const cors = require('cors');

const app = express();

const allowedOrigins = ['https://example.com', 'https://another-example.com'];
app.use(cors({
    origin: function (origin, callback) {
        if (!origin || allowedOrigins.indexOf(origin) !== -1) {
            callback(null, origin);
        } else {
            callback(new Error('Not allowed by CORS')); 
        }
    }
}));

app.get('/data', (req, res) => {
    res.json({ message: 'This is CORS-enabled for multiple origins!' });
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
    console.log(`Server running on port ${PORT}`);
});

Notes

  • Using a function to specify allowed origins provides flexibility. Ensure that you handle the callback correctly to prevent unauthorized access.

Example 3: Enabling CORS with Credentials

Context

This example demonstrates how to enable CORS with credentials, allowing cookies and HTTP authentication to be included in cross-origin requests. This is essential for applications that require user authentication.

const express = require('express');
const cors = require('cors');

const app = express();

app.use(cors({
    origin: 'https://example.com',
    credentials: true // Allow credentials to be sent
}));

app.get('/data', (req, res) => {
    res.json({ message: 'This is CORS-enabled with credentials!' });
});

// Example route to handle login
app.post('/login', (req, res) => {
    // Login logic here
    res.cookie('sessionId', 'abc123', { httpOnly: true });
    res.json({ message: 'Logged in!' });
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
    console.log(`Server running on port ${PORT}`);
});

Notes

  • Make sure to configure the client-side to include credentials in the requests (e.g., using fetch with credentials: 'include'). This setup ensures that sensitive data can be securely shared across origins.