cors
Validates CORS requests against allowed origins, methods, and headers.
No-op when the Origin header is absent (same-origin requests). Preflight
OPTIONS requests are handled at the router level by ergo-router.
Pipeline stage: Negotiation
Import

```js
import { cors } from "@centralping/ergo";
```

Options

| Option | Type | Default | Description |
|---|---|---|---|
| origins | string \| string[] \| RegExp \| function | '*' | Allowed origins |
| allowMethods | string[] | All standard methods | Allowed HTTP methods (default: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE) |
| allowHeaders | string \| string[] \| RegExp \| function | '*' | Allowed request headers |
| exposeHeaders | string \| string[] | — | Headers exposed to the client |
| allowCredentials | boolean | false | Allow credentials (cookies, auth headers) |
| maxAge | number | — | Preflight cache duration in seconds |
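
Because `origins` accepts a RegExp and `allowCredentials` can be turned on, a policy is worth testing against lookalike origins before it ships. The following is an added example, not code from ergo or from this page: `originAllowed`, `auditCorsOptions` and `wronglyAccepted` are hypothetical helpers that model matching as exact string, array membership, `RegExp.test` or predicate call (an assumption about the semantics), and the sample origins are constructed.

```javascript
// Added example: a stand-alone model of origin matching, not ergo's own code.
// Assumption: a policy matches by exact string, array membership,
// RegExp.test, or a predicate call.
function originAllowed(policy, origin) {
  if (policy === "*") return true;
  if (typeof policy === "string") return policy === origin;
  if (Array.isArray(policy)) return policy.includes(origin);
  if (policy instanceof RegExp) return policy.test(origin);
  if (typeof policy === "function") return Boolean(policy(origin));
  return false;
}

// Hypothetical review helper: flags option combinations that need a second look.
function auditCorsOptions({ origins = "*", allowCredentials = false } = {}) {
  const findings = [];
  // Browsers reject a literal "*" on credentialed requests; how ergo treats
  // this combination is not stated on the page, so flag it for review.
  if (origins === "*" && allowCredentials) findings.push("wildcard-with-credentials");
  // Heuristic: a pattern without ^...$ can match a longer, different origin.
  if (origins instanceof RegExp) {
    const src = origins.source;
    if (!src.startsWith("^") || !src.endsWith("$")) findings.push("unanchored-regexp");
  }
  return findings;
}

// Constructed sample origins that must never pass a policy meant for TRUSTED.
const TRUSTED = "https://app.example.com";
const LOOKALIKES = [
  "https://app.example.com.untrusted.test", // trusted name used as a prefix
  "https://appxexample.com",                // "." in a pattern matches any character
  "http://app.example.com",                 // same host over plain HTTP
];

// Returns the lookalike origins a policy wrongly accepts (empty array = pass).
function wronglyAccepted(policy) {
  return LOOKALIKES.filter((origin) => originAllowed(policy, origin));
}

const loose = /https:\/\/app.example.com/;      // unanchored, dots unescaped
const strict = /^https:\/\/app\.example\.com$/; // anchored, dots escaped

console.log(wronglyAccepted(loose));
console.log(wronglyAccepted(strict));
console.log(auditCorsOptions({ origins: loose, allowCredentials: true }));
```

Running `wronglyAccepted` over each policy in a unit test keeps a later edit to the pattern from silently widening the allowed set.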
Return Value

The middleware returns one of three results:

- No `Origin` header: `undefined` (no-op, same-origin request)
- CORS allowed: `{ response: { headers: [...] } }` with `Access-Control-Allow-Origin` and related headers
- CORS denied: `{ response: { statusCode: 403 } }`
Error Responses

| Status | Condition |
|---|---|
| 403 Forbidden | Origin header present but not allowed by policy |
```js
import { compose, cors } from "@centralping/ergo";

// Stand-alone use: cors as a named stage in a composed pipeline.
const pipeline = compose(
  [
    cors({
      origins: ["https://app.example.com"],
      allowMethods: ["GET", "POST"],
      allowHeaders: ["Authorization", "Content-Type"],
    }),
    "cors",
  ],
);

// Router-level configuration. createRouter is not imported above;
// it presumably comes from ergo-router.
const router = createRouter({
  cors: {
    origins: ["https://app.example.com"],
    allowMethods: ["GET", "POST", "PUT", "DELETE"],
    allowCredentials: true,
  },
});
```

RFC References

Related Recipes

- Mixed-Auth CORS & CSRF — Configuring CORS and CSRF together for browser and token-based clients
API Reference

See the auto-generated cors API docs.