CORS Middleware¶
Handles Cross-Origin Resource Sharing (CORS) for browser requests.
Usage¶
Default Configuration¶
Default allows: - All origins (*) - Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS - Headers: Origin, Content-Type, Accept, Authorization - Max age: 24 hours
Custom Configuration¶
app.Use(middleware.CORS(middleware.CORSConfig{
AllowOrigins: []string{"https://example.com", "https://app.example.com"},
AllowMethods: []string{"GET", "POST", "PUT", "DELETE"},
AllowHeaders: []string{"Origin", "Content-Type", "Authorization"},
ExposeHeaders: []string{"X-Request-ID", "X-Custom-Header"},
AllowCredentials: true,
MaxAge: 3600, // 1 hour
}))
Configuration Options¶
| Option | Type | Description |
|---|---|---|
AllowOrigins | []string | Allowed origins. Use * for all. |
AllowMethods | []string | Allowed HTTP methods |
AllowHeaders | []string | Allowed request headers |
ExposeHeaders | []string | Headers exposed to the client |
AllowCredentials | bool | Allow credentials (cookies, auth) |
MaxAge | int | Preflight cache duration in seconds |
Examples¶
Single Origin¶
app.Use(middleware.CORS(middleware.CORSConfig{
AllowOrigins: []string{"https://myapp.com"},
AllowMethods: []string{"GET", "POST"},
}))
Multiple Origins¶
app.Use(middleware.CORS(middleware.CORSConfig{
AllowOrigins: []string{
"https://app.example.com",
"https://admin.example.com",
"http://localhost:3000", // Development
},
AllowMethods: []string{"GET", "POST", "PUT", "DELETE"},
AllowHeaders: []string{"Origin", "Content-Type", "Authorization"},
}))
Wildcard Subdomains¶
app.Use(middleware.CORS(middleware.CORSConfig{
AllowOrigins: []string{"*.example.com"},
AllowMethods: []string{"GET", "POST", "PUT", "DELETE"},
}))
This allows: - https://api.example.com - https://app.example.com - https://sub.api.example.com
With Credentials¶
app.Use(middleware.CORS(middleware.CORSConfig{
AllowOrigins: []string{"https://app.example.com"},
AllowMethods: []string{"GET", "POST"},
AllowCredentials: true, // Required for cookies
}))
Expose Custom Headers¶
app.Use(middleware.CORS(middleware.CORSConfig{
AllowOrigins: []string{"*"},
ExposeHeaders: []string{"X-Request-ID", "X-RateLimit-Remaining"},
}))
Credentials and Wildcards
AllowCredentials: true cannot be used with AllowOrigins: []string{"*"}. This is a security restriction enforced by browsers.
Preflight Requests¶
The middleware automatically handles OPTIONS preflight requests:
OPTIONS /api/users HTTP/1.1
Origin: https://app.example.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Origin, Content-Type, Authorization
Access-Control-Max-Age: 86400
Vary: Origin
Response Headers¶
The middleware sets these headers:
| Header | Description |
|---|---|
Access-Control-Allow-Origin | Allowed origin |
Access-Control-Allow-Methods | Allowed methods |
Access-Control-Allow-Headers | Allowed headers |
Access-Control-Expose-Headers | Headers exposed to client |
Access-Control-Allow-Credentials | If credentials allowed |
Access-Control-Max-Age | Preflight cache duration |
Vary | Set to Origin for proper caching |
Security Considerations¶
- Don't use
*in production with credentials - Whitelist specific origins instead of allowing all
- Limit allowed methods to what's needed
- Limit allowed headers to what's needed