How do I allow multiple domains for CORS in Express in a simplified way?
I have:

    var cors = { origin: "www.one.com" };

    app.all('*', function(req, res, next) {
      res.header("Access-Control-Allow-Origin", cors.origin);
      res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
      next();
    });

This works when there is only one domain mentioned in origin.
But if I want to have origin as an array of domains and I want to allow CORS for all the domains in the origin array, I would have something like this:

    var cors = { origin: ["www.one.com", "www.two.com", "www.three.com"] };

But then the problem is that the code below would not work:

    app.all('*', function(req, res, next) {
      res.header("Access-Control-Allow-Origin", cors.origin);
      res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
      next();
    });

How do I make res.header take an array of domains via cors.origin?
I would recommend the cors module: https://www.npmjs.org/package/cors. It does this kind of stuff for you; check the "Configuring CORS w/ Dynamic Origin" section.
Let's understand how this header works. "Access-Control-Allow-Origin" accepts only a string. So to make it dynamic you need to get the requesting host from the HTTP header. Check it against your array of authorised domains. If it's present then add that as a value to the header, else adding a default value will prohibit unauthorised domains from accessing the API.
There is no native implementation for this. You can do it yourself using the code below.
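
    var cors = {
      origin: ["www.one.com", "www.two.com", "www.three.com"],
      default: "www.one.com"
    };

    app.all('*', function(req, res, next) {
      // Match on the host part of the request's Origin header.
      // The Host header names this server, not the requesting site.
      var requestOrigin = req.headers.origin || "";
      var originHost = requestOrigin.replace(/^https?:\/\//, "").toLowerCase();
      var origin = cors.origin.indexOf(originHost) > -1 ? requestOrigin : cors.default;
      res.header("Access-Control-Allow-Origin", origin);
      res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
      next();
    });
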
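So based on your code, just:

    // Browsers send Origin as scheme://host[:port], so the entries here
    // must be written the same way to match (e.g. "https://www.one.com").
    var cors = { origin: ["www.one.com", "www.two.com", "www.three.com"] };

    app.all('*', function(req, res, next) {
      let origin = req.headers.origin;
      // Echo the origin back only when it is on the list; otherwise send no CORS origin header.
      if (cors.origin.indexOf(origin) >= 0) {
        res.header("Access-Control-Allow-Origin", origin);
      }
      res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
      next();
    });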
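
The allowlist check the answers above describe, written as an added example (not code from any of the posts, and not the cors package): it matches the request's Origin header exactly against full origins and adds `Vary: Origin`. The `https://` scheme on the page's sample hosts and the names `ALLOWED_ORIGINS`, `normaliseOrigin`, `corsHeadersFor` and `corsAllowlist` are assumptions made for the example.

```javascript
// Added example. Hosts are the page's samples; the https scheme is an assumption.
const ALLOWED_ORIGINS = new Set([
  "https://www.one.com",
  "https://www.two.com",
  "https://www.three.com",
]);

// Normalise an Origin header value to scheme://host[:port]. Returns null when
// the header is absent, is the literal "null", or is not a bare origin.
function normaliseOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null;
  }
  // A real Origin header carries no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null;
  }
  return url.origin; // host lowercased, default port removed
}

// Decide the CORS response headers for one request.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin stops a cache from serving one origin's response to another.
  const headers = { Vary: "Origin" };
  const origin = normaliseOrigin(originHeader);
  // Exact set membership: no substring, prefix or suffix matching.
  if (origin !== null && allowed.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Headers"] =
      "Origin, X-Requested-With, Content-Type, Accept";
  }
  return headers;
}

// Express-style middleware built on corsHeadersFor: app.use(corsAllowlist)
function corsAllowlist(req, res, next) {
  const headers = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  next();
}
```

An origin that is not on the list gets no `Access-Control-Allow-Origin` header at all, so the browser blocks the cross-origin read without the server naming a default origin.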