Community Learn Tools Library Leisure
search
English
Home > Web Front-end > JS Tutorial > Nodejs Custom CORS

Nodejs Custom CORS

DDD
Release: 2024-11-14 10:29:02
Original
736 people have browsed it

Nodejs Custom CORS

CORS (Cross-Origin Resource Sharing) is a mechanism that allows a web application on one domain to access resources on another domain. This is crucial when developing an application where the frontend and backend are separate and communicate through an API.

Here’s an article explaining CORS implementation in Node.js and Express without using external libraries:

"use strict";

/*jshint node:true */

var simpleMethods, simpleRequestHeaders, simpleResponseHeaders, toLowerCase, checkOriginMatch, origin;

Object.defineProperty(exports, "simpleMethods", {
    get: function () {
        return [
            "GET",
            "HEAD",
            "POST",
            "PUT",
            "DELETE"
        ];
    }
});
simpleMethods = exports.simpleMethods;

Object.defineProperty(exports, "origin", {
    get: function () {
        return ["http://localhost:3000"];
    }
});
origin = exports.origin;
Copy after login
Copy after login

Export simpleMethods: Defines the allowed HTTP methods for CORS requests (e.g., GET, POST, PUT, etc.).

Export origin: Specifies the list of permitted origins for access. In this example, http://localhost:3000 is allowed.

Object.defineProperty(exports, "simpleRequestHeaders", {
    get: function () {
        return ["accept", "accept-language", "content-language", "content-type", "authorization", "token"];
    }
});
simpleRequestHeaders = exports.simpleRequestHeaders;

Object.defineProperty(exports, "simpleResponseHeaders", {
    get: function () {
        return ["cache-control", "content-language", "content-type", "expires", "last-modified", "pragma"];
    }
});
simpleResponseHeaders = exports.simpleResponseHeaders;
Copy after login
Copy after login

Export simpleRequestHeaders: Defines allowed request headers from clients in cross-domain requests.

Export simpleResponseHeaders: Defines response headers permitted from server to client.

checkOriginMatch = function (originHeader, origins, callback) {
    if (typeof origins === "function") {
        origins(originHeader, function (err, allow) {
            callback(err, allow);
        });
    } else if (origins.length > 0) {
        callback(null, origins.some(function (origin) {
            return origin === originHeader;
        }));
    } else {
        callback(null, true);
    }
};
Copy after login

Function checkOriginMatch: Checks if the request origin matches an allowed origin list. If matched, the request is permitted.

exports.create = function (options) {
    options = options || {};
    options.origins = options.origins || origin;
    options.methods = options.methods || simpleMethods;
Copy after login

Initialization of origins and methods options, with default values from origin and simpleMethods if none are provided.

Setting Request and Response Headers

 if (options.hasOwnProperty("requestHeaders") === true) {
        options.requestHeaders = toLowerCase(options.requestHeaders);
    } else {
        options.requestHeaders = simpleRequestHeaders;
    }

    if (options.hasOwnProperty("responseHeaders") === true) {
        options.responseHeaders = toLowerCase(options.responseHeaders);
    } else {
        options.responseHeaders = simpleResponseHeaders;
    }
Copy after login

Sets allowed request (requestHeaders) and response (responseHeaders) headers. Converts any given request or response headers to lowercase.

Additional Middleware Configuration

 options.maxAge = options.maxAge || null;
    options.supportsCredentials = options.supportsCredentials || false;

    if (options.hasOwnProperty("endPreflightRequests") === false) {
        options.endPreflightRequests = true;
    }
Copy after login

maxAge: Specifies the maximum cache age for CORS preflight. supportsCredentials: Determines if the server supports credentials (cookies or tokens) in cross-domain requests. endPreflightRequests: Decides if the server should terminate preflight requests (OPTIONS) or proceed to the next middleware.

 return function (req, res, next) {
        if (!req.headers.hasOwnProperty("origin")) {
            next();
        } else {
            checkOriginMatch(req.headers.origin, options.origins, function (err, originMatches) {
                if (err !== null) {
                    next(err);
                } else {
                    var endPreflight = function () {
                        if (options.endPreflightRequests === true) {
                            res.writeHead(204);
                            res.end();
                        } else {
                            next();
                        }
                    };
Copy after login

Function endPreflight: Ends preflight (OPTIONS) requests if endPreflightRequests is set to true. Origin Check: Uses checkOriginMatch to verify if the request origin matches an allowed origin.

Handling Preflight Requests (OPTIONS)

 if (req.method === "OPTIONS") {
                        if (!req.headers.hasOwnProperty("access-control-request-method")) {
                            endPreflight();
                        } else {
                            requestMethod = req.headers["access-control-request-method"];
                            if (req.headers.hasOwnProperty("access-control-request-headers")) {
                                requestHeaders = toLowerCase(req.headers["access-control-request-headers"].split(/,\s*/));
                            } else {
                                requestHeaders = [];
                            }

                            methodMatches = options.methods.indexOf(requestMethod) !== -1;
                            if (!methodMatches) {
                                endPreflight();
                            } else {
                                headersMatch = requestHeaders.every(function (requestHeader) {
                                    return options.requestHeaders.includes(requestHeader);
                                });

                                if (!headersMatch) {
                                    endPreflight();
                                } else {
                                    if (options.supportsCredentials) {
                                        res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
                                        res.setHeader("Access-Control-Allow-Credentials", "true");
                                    } else {
                                        res.setHeader("Access-Control-Allow-Origin", "*");
                                    }

                                    if (options.maxAge !== null) {
                                        res.setHeader("Access-Control-Max-Age", options.maxAge);
                                    }

                                    res.setHeader("Access-Control-Allow-Methods", options.methods.join(","));
                                    res.setHeader("Access-Control-Allow-Headers", options.requestHeaders.join(","));
                                    endPreflight();
                                }
                            }
                        }
                    }
Copy after login

Request Method & Headers Matching: Checks if request method and headers match those allowed. CORS Response Headers: Sets CORS headers like Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Methods, etc.

Exposing Headers in the Response
} else {
if (options.supportsCredentials) {
res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
res.setHeader("Access-Control-Allow-Credentials", "true");
} else {
res.setHeader("Access-Control-Allow-Origin", "*");
}

"use strict";

/*jshint node:true */

var simpleMethods, simpleRequestHeaders, simpleResponseHeaders, toLowerCase, checkOriginMatch, origin;

Object.defineProperty(exports, "simpleMethods", {
    get: function () {
        return [
            "GET",
            "HEAD",
            "POST",
            "PUT",
            "DELETE"
        ];
    }
});
simpleMethods = exports.simpleMethods;

Object.defineProperty(exports, "origin", {
    get: function () {
        return ["http://localhost:3000"];
    }
});
origin = exports.origin;
Copy after login
Copy after login
Object.defineProperty(exports, "simpleRequestHeaders", {
    get: function () {
        return ["accept", "accept-language", "content-language", "content-type", "authorization", "token"];
    }
});
simpleRequestHeaders = exports.simpleRequestHeaders;

Object.defineProperty(exports, "simpleResponseHeaders", {
    get: function () {
        return ["cache-control", "content-language", "content-type", "expires", "last-modified", "pragma"];
    }
});
simpleResponseHeaders = exports.simpleResponseHeaders;
Copy after login
Copy after login

Access-Control-Expose-Headers: Sets response headers that are accessible to the client if there are custom headers not included in simpleResponseHeaders.

This is how you can implement custom CORS in Node.js without using any library. For the complete script, you can refer to this example.

The above is the detailed content of Nodejs Custom CORS. For more information, please follow other related articles on the PHP Chinese website!

source:dev.to
Previous article:When Should You Avoid `Child.prototype = Parent.Prototype` in JavaScript Inheritance? Next article:How to Share $scope Data Between States in AngularJS Without Services or Watchers?
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...
From 2024-04-29 11:01:01
0
3
2289
How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?
From 2024-04-23 00:22:19
0
11
2429
The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.
From 2024-04-19 15:37:47
0
1
2041
There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...
From 2024-04-18 23:52:34
0
1
1926
Where is the courseware about CSS mind mapping? Courseware
From 2024-04-16 10:10:18
0
0
1998
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template