Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CORS Headers #2733

diegossilveira opened this issue Aug 24, 2015 · 3 comments

CORS Headers #2733

diegossilveira opened this issue Aug 24, 2015 · 3 comments
feature New functionality or improvement


Copy link

When trying CORS support on Hapi, I came accross an implementation question. I supposed additionalExposedHeaders with override set to false works exposing extra headers, merging headers manually set. But it not works that way. The following code illustrates that:

var Hapi = require('hapi');

var server = new Hapi.Server();
server.connection({ port: 3001 });

  method: 'GET',
  path: '/',
  handler: function (request, reply) {
    var response = reply('Hello, world!')
    response.header('access-control-expose-headers', 'x-custom-header');
    response.header('x-request-id', '12345');
    response.header('x-custom-header', '12345');
  config: {
    cors: {
      override: false,
      additionalExposedHeaders: ['x-request-id']

server.start(function () {
  console.log('Server running at:',;

Shouldn't it return an access-control-expose-headers with both values x-custom-header and x-request-id? Sometimes the handler function sets an access-control-expose-headers dynamically and is desirable that additionalExposedHeaders values are still set.

I think the following algorithm is suitable when the override flag is set to false:

Is access-control-expose-headers is already set?

  • YES merge values from additionalExposedHeaders
  • NO set header with additionalExposedHeaders value
Copy link

nlf commented Aug 24, 2015

in my mind override: false means absolutely do not change the header, what you're describing could potentially be a new merge option or something though?

Copy link

@nlf You are right. I think a new merge option would solve that. I just think it could get a little bit confusing when override is used with merge.

override: true and merge: true | false -> Merge gets ignored, since override is set?

@hueniverse hueniverse self-assigned this Oct 2, 2015
@hueniverse hueniverse added this to the 10.2.0 milestone Oct 2, 2015
@Marsup Marsup added feature New functionality or improvement and removed request labels Sep 20, 2019
Copy link

lock bot commented Jan 9, 2020

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
feature New functionality or improvement
None yet

No branches or pull requests

4 participants