`@fastify/cors`

Adds Cross-Origin Resource Sharing headers to responses.

Since Fastify 5 Spec ↗

Syntax

app.register(cors, options?)

Parameters

Name	Type	Required	Description
`options`	`object`	No	Settings like origin, methods, credentials, and maxAge.

Returns

Promise<void> — Resolves when the plugin is registered.

Examples

import Fastify from 'fastify';
import cors from '@fastify/cors';

const app = Fastify();

await app.register(cors, {
  origin: ['https://app.example.com'],
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
});

Notes

Set `origin` to an explicit list (or a function) in production rather than true. Use `credentials: true` only with a specific origin, never with a wildcard.