CORS middleware with full W3C spec support
Branch: master
Clone or download
Latest commit 66fd65b Jun 7, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
test Merge pull request #50 from gswalden/patch-1 Nov 17, 2017
.gitignore First commit, supports 12/15 items of the spec May 8, 2014
.npmignore Don't publish test code to npm (.npmignore) Jul 11, 2016
.travis.yml Publish to NPM from Travis CI Nov 13, 2017 Merge pull request #48 from ClementParis016/patch-1 Oct 31, 2017
package-lock.json Publish npm package May 11, 2018
package.json Publish npm package May 11, 2018


CORS middleware with full W3C spec support.

NPM License

Build Status Dependencies Dev dependencies Peer dependencies Known Vulnerabilities

JavaScript Style Guide


$ npm install restify-cors-middleware --save


const corsMiddleware = require('restify-cors-middleware')

const cors = corsMiddleware({
  preflightMaxAge: 5, //Optional
  origins: ['', ''],
  allowHeaders: ['API-Token'],
  exposeHeaders: ['API-Token-Expiry']


Allowed origins

You can specify the full list of domains and subdomains allowed in your application, using strings or regular expressions.

origins: [

For added security, this middleware sets Access-Control-Allow-Origin to the origin that matched, not the configured wildcard. This means callers won't know about other domains that are supported.

Setting origins: ['*'] is also valid, although it comes with obvious security implications. Note that it will still return a customised response (matching Origin), so any caching layer (reverse proxy or CDN) will grow in size accordingly.


As per the spec, requests without an Origin will not receive any headers. Requests with a matching Origin will receive the appropriate response headers. Always be careful that any reverse proxies (e.g. Varnish) very their cache depending on the origin, so you don't serve CORS headers to the wrong request.

Compliance to the spec

See unit tests for examples of preflight and actual requests.