Are You Forgetting This Crucial Step in Your Express App?

javascript

Are You Forgetting This Crucial Step in Your Express App?

CORS Configuration Insights to Securely Balance Web Accessibility

Oct 1, 2023

Are You Forgetting This Crucial Step in Your Express App?

When it comes to web development, one crucial aspect that’s often overlooked is enabling Cross-Origin Resource Sharing (CORS). If you’re building an Express application and need to handle requests from different domains, you’re in luck. Here’s a casual, easy-to-follow guide that’ll help you set up CORS using the cors middleware in Express.

Alright, let’s dive right in and break this down into bite-sized pieces.

First things first, what’s CORS, you ask? Well, it’s basically a safety feature baked into web browsers. Imagine you’re on a website (let’s call it Site A) and it tries to fetch data from another website (Site B). Normally, your browser would block this because it feels sketchy, like someone trying to sneak into your house via the backdoor. This is called the same-origin policy. CORS, though, tells your browser, “Hey, it’s okay, I trust Site B. Let ‘em in!”

To kick things off, you need to install the cors package. It’s super simple, I promise. Just run:

npm install cors

Next, let’s jump into some basic setup. You’ll need to configure your Express app to use this cors middleware. It’s as easy as pie:

const express = require('express'); 
const cors = require('cors');

const app = express(); 
const port = process.env.SERVER_PORT || 3001;

// Easy-peasy way to enable CORS
app.use(cors());

app.get('/api/ping', (req, res) => {
    res.send({ msg: 'Hello, World' });
});

app.listen(port, () => {
    console.log(`Listening on port ${port}`);
});

What just happened? With app.use(cors());, you’ve allowed your app to accept requests from all domains. It’s like opening the gates to anyone who wants to visit. But, hold your horses! Security experts might cringe if you leave it that accessible, especially for sensitive data. Let’s tighten things up a bit.

You can restrict which domains are allowed. Maybe you only want your main site and your buddy’s site to have access:

const express = require('express');
const cors = require('cors');

const app = express();
const port = process.env.SERVER_PORT || 3001;

const allowedOrigins = ['http://localhost:3000', 'http://example.com'];

const corsOptions = {
    origin: allowedOrigins,
    methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
    preflightContinue: false,
    optionsSuccessStatus: 200,
};

app.use(cors(corsOptions));

app.get('/api/ping', (req, res) => {
    res.send({ msg: 'Hello, World' });
});

app.listen(port, () => {
    console.log(`Listening on port ${port}`);
});

With this setup, only http://localhost:3000 and http://example.com can knock on your door and get a warm welcome. All others? Well, they’ll get the cold shoulder.

Now let’s talk about preflight requests. Some requests are a bit… complex. Think of them as guests who like to call ahead before visiting to make sure you’re home. The browser does this to check if the cross-origin call is allowed. This is done using an OPTIONS request, and guess what? The cors middleware can handle this for you:

const express = require('express');
const cors = require('cors');

const app = express();
const port = process.env.SERVER_PORT || 3001;

// Handle preflight requests
app.options('*', cors());

const allowedOrigins = ['http://localhost:3000', 'http://example.com'];

const corsOptions = {
    origin: allowedOrigins,
};

app.get('/api/ping', cors(corsOptions), (req, res) => {
    res.send({ msg: 'Hello, World' });
});

app.listen(port, () => {
    console.log(`Listening on port ${port}`);
});

Feel like getting fancy? Sometimes your list of allowed origins could come from a database or another source. No worries; you can configure this dynamically:

const express = require('express');
const cors = require('cors');

const app = express();
const port = process.env.SERVER_PORT || 3001;

const corsOptionsDelegate = function (req, callback) {
    const allowedOrigins = ['http://localhost:3000', 'http://example.com'];
    let corsOptions;

    if (allowedOrigins.indexOf(req.header('Origin')) !== -1) {
        corsOptions = { origin: true };
    } else {
        corsOptions = { origin: false };
    }

    callback(null, corsOptions);
};

app.get('/api/ping', cors(corsOptionsDelegate), (req, res) => {
    res.send({ msg: 'Hello, World' });
});

app.listen(port, () => {
    console.log(`Listening on port ${port}`);
});

For those dealing with credentials like cookies or authorization headers, there’s an extra step. You can’t just wildcard ’*’ this time. You have to specify which origins can include credentials:

const express = require('express');
const cors = require('cors');

const app = express();
const port = process.env.SERVER_PORT || 3001;

const allowedOrigins = ['http://localhost:3000', 'http://example.com'];

const corsOptions = {
    origin: allowedOrigins,
    credentials: true,
};

app.use(cors(corsOptions));

app.get('/api/ping', (req, res) => {
    res.send({ msg: 'Hello, World' });
});

app.listen(port, () => {
    console.log(`Listening on port ${port}`);
});

There you go. By adding credentials: true, your app can handle cookies and other credentials securely.

To wrap things up, enabling CORS in your Express app is not just a necessity but pretty straightforward with the cors middleware. Just remember to configure it thoughtfully to balance accessibility and security. Whether you’re creating open APIs or locked-down services, careful CORS management ensures your frontend and backend can communicate seamlessly while keeping the unwanted guests out. Stay safe and happy coding!