Go net/http configurable handler to handle CORS requests
Latest commit a62a804 Jun 17, 2016 @xgt001 xgt001 committed with Return 200 if Passthrough is disabled (#26)
Return OK if passthrough is false


Go CORS handler godoc license build Coverage

CORS is a net/http handler implementing Cross Origin Resource Sharing W3 specification in Golang.

Getting Started

After installing Go and setting up your GOPATH, create your first .go file. We'll call it server.go.

package main

import (


func main() {
    mux := http.NewServeMux()
    mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Content-Type", "application/json")
        w.Write([]byte("{\"hello\": \"world\"}"))

    // cors.Default() setup the middleware with default options being
    // all origins accepted with simple methods (GET, POST). See
    // documentation below for more options.
    handler := cors.Default().Handler(mux)
    http.ListenAndServe(":8080", handler)

Install cors:

go get github.com/rs/cors

Then run your server:

go run server.go

The server now runs on localhost:8080:

$ curl -D - -H 'Origin: http://foo.com' http://localhost:8080/
HTTP/1.1 200 OK
Access-Control-Allow-Origin: foo.com
Content-Type: application/json
Date: Sat, 25 Oct 2014 03:43:57 GMT
Content-Length: 18

{"hello": "world"}

More Examples


Parameters are passed to the middleware thru the cors.New method as follow:

c := cors.New(cors.Options{
    AllowedOrigins: []string{"http://foo.com"},
    AllowCredentials: true,

// Insert the middleware
handler = c.Handler(handler)
  • AllowedOrigins []string: A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality. Only one wildcard can be used per origin. The default value is *.
  • AllowOriginFunc func (origin string) bool: A custom function to validate the origin. It take the origin as argument and returns true if allowed or false otherwise. If this option is set, the content of AllowedOrigins is ignored
  • AllowedMethods []string: A list of methods the client is allowed to use with cross-domain requests. Default value is simple methods (GET and POST).
  • AllowedHeaders []string: A list of non simple headers the client is allowed to use with cross-domain requests.
  • ExposedHeaders []string: Indicates which headers are safe to expose to the API of a CORS API specification
  • AllowCredentials bool: Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates. The default is false.
  • MaxAge int: Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
  • OptionsPassthrough bool: Instructs preflight to let other potential next handlers to process the OPTIONS method. Turn this on if your application handles OPTIONS.
  • Debug bool: Debugging flag adds additional output to debug server side CORS issues.

See API documentation for more info.


BenchmarkWithout          20000000    64.6 ns/op      8 B/op    1 allocs/op
BenchmarkDefault          3000000      469 ns/op    114 B/op    2 allocs/op
BenchmarkAllowedOrigin    3000000      608 ns/op    114 B/op    2 allocs/op
BenchmarkPreflight        20000000    73.2 ns/op      0 B/op    0 allocs/op
BenchmarkPreflightHeader  20000000    73.6 ns/op      0 B/op    0 allocs/op
BenchmarkParseHeaderList  2000000      847 ns/op    184 B/op    6 allocs/op
BenchmarkParse…Single     5000000      290 ns/op     32 B/op    3 allocs/op
BenchmarkParse…Normalized 2000000      776 ns/op    160 B/op    6 allocs/op


All source code is licensed under the MIT License.