
Cross-Origin Resource Sharing (CORS)

CORS is a mechanism that allows browser scripts on pages served from other domains to talk to your server. Like JSONP, the goal of CORS is to circumvent the same-origin policy, allowing your Sails server to successfully respond to requests from client-side JavaScript code running on a page hosted on some other domain. But unlike JSONP, it works with more than just GET requests. And it allows you to whitelist particular origins and prevent requests from others.

Sails can be configured to allow cross-origin requests from a list of domains you specify, or from every domain. This can be done on a per-route basis, or globally for every route in your app.

Enabling CORS

For security reasons, CORS is disabled by default in Sails. But enabling it is dead-simple.

To allow cross-origin requests from a whitelist of trusted domains to any route in your app, simply enable allRoutes and provide an allowOrigins setting in config/security.js:

cors: {
  allRoutes: true,
  // Only these origins receive CORS headers; the values below are placeholders,
  // replace them with the exact scheme + host (+ port) of each trusted site.
  allowOrigins: ['https://example.com', 'https://app.example.com', 'https://admin.example.com']
}

To allow cross-origin requests from any domain to any route in your app, use allowOrigins: '*':

cors: {
  allRoutes: true,
  allowOrigins: '*',
  // Must stay false when allowOrigins is '*' (see note below).
  allowCredentials: false
}

Note that when using allowOrigins: '*', the credentials setting must be false, meaning that requests containing cookies will be blocked. This restriction exists to prevent third-party sites from being able to trick your logged-in users into making unauthorized requests to your app. You can lift this restriction (at your own risk!) using the allowAnyOriginWithCredentialsUnsafe setting.

See the security configuration reference for a comprehensive list of all available CORS options.

Configuring CORS for individual routes

Besides the global CORS configuration in config/security.js, you can also configure these settings on a per-route basis in config/routes.js.

If you set allRoutes: true in config/security.js, but you want to exempt a specific route, set cors: false in the route's target:

'POST /signup': {
   action: 'user/signup',
   // Opt this route out of the global CORS settings.
   cors: false
}

To enable or override global CORS configuration for a particular route, provide cors as a dictionary:

'GET /videos': {
   action: 'video/find',
   // Route-level settings override the global cors settings for this route only.
   cors: {
     // Placeholder origins; replace with the trusted sites for this route.
     allowOrigins: ['https://example.com', 'https://cdn.example.com'],
     allowCredentials: false
   }
}

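The following is an added example (not Sails' own code) that models the decisions the two sections above describe: how a per-route cors value (false or a dictionary) overrides the global config, and which response headers a whitelisted, rejected, or wildcard origin receives. The function names and the example origins are assumptions made for illustration.

```javascript
// Constructed global config, mirroring config/security.js. Origins are placeholders.
const GLOBAL_CORS = {
  allRoutes: true,
  allowOrigins: ['https://app.example.com', 'https://admin.example.com'],
  allowCredentials: true,
};

// Pick the effective config for one route: `false` opts out, a dictionary
// overrides the global keys, and no value means the global config applies
// only when allRoutes is enabled.
function resolveCors(globalCfg, routeCors) {
  if (routeCors === false) return null;
  if (routeCors && typeof routeCors === 'object') return { ...globalCfg, ...routeCors };
  return globalCfg.allRoutes ? globalCfg : null;
}

// Compute the CORS response headers for a request carrying `origin`.
// Returns null when no CORS headers should be sent (the browser then blocks
// the cross-origin read). Refuses the '*' + credentials combination unless the
// allowAnyOriginWithCredentialsUnsafe escape hatch is set, in which case the
// request origin is reflected instead of '*'.
function corsHeaders(cfg, origin) {
  if (!cfg || !origin) return null;
  const wildcard = cfg.allowOrigins === '*';
  if (wildcard && cfg.allowCredentials && !cfg.allowAnyOriginWithCredentialsUnsafe) {
    throw new Error("allowOrigins: '*' cannot be combined with allowCredentials: true");
  }
  const allowed = wildcard || cfg.allowOrigins.includes(origin);
  if (!allowed) return null;
  const headers = {
    'Access-Control-Allow-Origin': wildcard && !cfg.allowCredentials ? '*' : origin,
  };
  if (cfg.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  // A per-origin answer must not be cached and served to a different origin.
  if (headers['Access-Control-Allow-Origin'] !== '*') headers['Vary'] = 'Origin';
  return headers;
}
```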

  • CORS support is only relevant for HTTP requests. Requests made via sockets are not subject to cross-origin restrictions. To restrict which origins may connect to your app over sockets, configure the onlyAllowOrigins setting (typically in config/env/production.js).
  • CORS is not supported in Internet Explorer 7. Fortunately, it is supported in IE8 and up, as well as in all other modern browsers.
  • Read more about CORS from MDN
  • Read the CORS spec