Performance optimization opportunities for CORS middleware #369
Description
Overview
The CORS middleware is one of the most critical performance bottlenecks in modern Express applications because it runs on EVERY request for APIs with CORS enabled (which includes most modern web APIs). Even small optimizations compound significantly at scale.
I've been analyzing the current implementation and have identified several optimization opportunities that could meaningfully improve performance without breaking backward compatibility. I'd be happy to help implement these improvements via PRs and provide benchmarks.
Optimization Opportunities
1. Cache Array-to-String Conversions for Methods and Headers
Problem: Currently, configureMethods(), configureAllowedHeaders(), and configureExposedHeaders() perform .join(',') operations on every request when arrays are provided.
Current implementation:
function configureMethods(options) {
var methods = options.methods;
if (methods.join) {
methods = options.methods.join(','); // Runs on every request
}
return {
key: 'Access-Control-Allow-Methods',
value: methods
};
}Proposed solution: Normalize arrays to strings during middleware initialization in middlewareWrapper():
function middlewareWrapper(o) {
var optionsCallback = null;
if (typeof o === 'function') {
optionsCallback = o;
} else {
// Pre-process static configuration
var staticOptions = assign({}, defaults, o);
// Cache array-to-string conversions
if (staticOptions.methods && staticOptions.methods.join) {
staticOptions.methods = staticOptions.methods.join(',');
}
if (staticOptions.exposedHeaders && staticOptions.exposedHeaders.join) {
staticOptions.exposedHeaders = staticOptions.exposedHeaders.join(',');
}
if (staticOptions.allowedHeaders && staticOptions.allowedHeaders.join) {
staticOptions.allowedHeaders = staticOptions.allowedHeaders.join(',');
}
optionsCallback = function (req, cb) {
cb(null, staticOptions);
};
}
return function corsMiddleware(req, res, next) {
// ... rest of implementation
};
}Performance impact: Eliminates 1-3 array operations per request (depending on configuration). For APIs handling 10,000 req/s, this saves ~30,000 array joins per second.
2. Memoize Static Header Objects
Problem: Functions like configureMethods(), configureCredentials(), and configureMaxAge() create new header objects on every request, even when the configuration is static.
Current implementation:
function configureCredentials(options) {
if (options.credentials === true) {
return {
key: 'Access-Control-Allow-Credentials',
value: 'true'
};
}
return null;
}Proposed solution: Pre-compute header objects during initialization:
function middlewareWrapper(o) {
var cachedHeaders = {};
if (typeof o === 'function') {
// Dynamic config - can't cache
optionsCallback = o;
} else {
var staticOptions = assign({}, defaults, o);
// Pre-compute static header objects
if (staticOptions.credentials === true) {
cachedHeaders.credentials = {
key: 'Access-Control-Allow-Credentials',
value: 'true'
};
}
if (staticOptions.methods) {
var methods = staticOptions.methods.join ? staticOptions.methods.join(',') : staticOptions.methods;
cachedHeaders.methods = {
key: 'Access-Control-Allow-Methods',
value: methods
};
}
// Similar caching for maxAge, exposedHeaders
optionsCallback = function (req, cb) {
cb(null, staticOptions);
};
}
return function corsMiddleware(req, res, next) {
// Use cached header objects instead of recreating them
};
}Performance impact: Eliminates 2-5 object allocations per request for static configurations. Reduces GC pressure significantly.
3. Optimize Origin Matching with Set/Map for Array Origins
Problem: When options.origin is an array of allowed origins, isOriginAllowed() performs a linear search on every request.
Current implementation:
function isOriginAllowed(origin, allowedOrigin) {
if (Array.isArray(allowedOrigin)) {
for (var i = 0; i < allowedOrigin.length; ++i) {
if (isOriginAllowed(origin, allowedOrigin[i])) {
return true;
}
}
return false;
}
// ...
}Proposed solution: Use a Set for O(1) string lookups, with fallback to array iteration for regex/functions:
function middlewareWrapper(o) {
var originSet = null;
var originRegexes = null;
if (typeof o !== 'function' && Array.isArray(o.origin)) {
originSet = new Set();
originRegexes = [];
for (var i = 0; i < o.origin.length; i++) {
if (typeof o.origin[i] === 'string') {
originSet.add(o.origin[i]);
} else if (o.origin[i] instanceof RegExp) {
originRegexes.push(o.origin[i]);
}
}
}
// Pass originSet and originRegexes to isOriginAllowed for fast lookups
}
function isOriginAllowed(origin, allowedOrigin, originSet, originRegexes) {
if (originSet && originSet.has(origin)) {
return true; // O(1) lookup
}
if (originRegexes) {
for (var i = 0; i < originRegexes.length; i++) {
if (originRegexes[i].test(origin)) {
return true;
}
}
}
// Fallback to original logic for dynamic configs
}Performance impact: Changes origin matching from O(n) to O(1) for string origins. For apps with 10+ allowed origins, this is a 10x speedup on the critical path.
4. Reduce Object Allocations in configureOrigin()
Problem: configureOrigin() creates nested array structures [[{key, value}]] that add allocation overhead.
Current implementation:
function configureOrigin(options, req) {
var headers = [];
if (!options.origin || options.origin === '*') {
headers.push([{
key: 'Access-Control-Allow-Origin',
value: '*'
}]);
}
// ...
}Proposed solution: Return flat objects directly and handle them in applyHeaders():
function configureOrigin(options, req) {
if (!options.origin || options.origin === '*') {
return {
origin: { key: 'Access-Control-Allow-Origin', value: '*' },
vary: null
};
}
// ...
}
function cors(options, req, res, next) {
var originHeaders = configureOrigin(options, req);
// Apply headers directly instead of through nested arrays
if (originHeaders.origin && originHeaders.origin.value) {
res.setHeader(originHeaders.origin.key, originHeaders.origin.value);
}
if (originHeaders.vary) {
vary(res, originHeaders.vary.value);
}
// ...
}Performance impact: Reduces object allocations and simplifies the header application logic. Cleaner code path with fewer intermediate arrays.
5. Fast-Path for Common Configurations
Problem: The most common use case (cors() with default options or cors({origin: '*'})) still goes through the full configuration pipeline.
Proposed solution: Add a fast-path for wildcard origins:
function cors(options, req, res, next) {
var method = req.method && req.method.toUpperCase && req.method.toUpperCase();
// Fast path for wildcard origin (most common case)
if (options.origin === '*' && !options.credentials && method !== 'OPTIONS') {
res.setHeader('Access-Control-Allow-Origin', '*');
if (options.exposedHeaders) {
res.setHeader('Access-Control-Expose-Headers', options.exposedHeaders);
}
return next();
}
// Full configuration pipeline for complex cases
var headers = [];
// ... existing implementation
}Performance impact: For the most common configuration (wildcard origins), this reduces execution to 1-2 header sets instead of the full pipeline. Could improve performance by 50%+ for this case.
Why This Matters
Scale impact:
- An API serving 10,000 requests/second runs CORS middleware 10,000 times/second
- Each microsecond saved = 10ms/second = 0.01 CPU core freed up
- These optimizations combined could save 10-50 microseconds per request
- At scale: 0.1-0.5 CPU cores saved per 10k req/s
Backward compatibility:
- All proposed changes maintain the existing API
- Only internal implementation improvements
- No breaking changes for users
Next Steps
I'd be happy to:
- Create a PR implementing these optimizations with comprehensive tests
- Provide detailed benchmarks showing performance improvements
- Add benchmarking infrastructure to prevent future regressions
- Work on one optimization at a time to keep PRs focused and reviewable
Would the maintainers be open to these improvements? I'm committed to ensuring quality, backward compatibility, and thorough testing for any changes.
Additional context:
- I've created an experimental fork exploring some of these optimizations
- Happy to collaborate on implementation details
- Can provide benchmark data comparing current vs. optimized implementations
Thank you for maintaining this critical middleware package!