Features
Docs
CLI
Benchmarks
Examples

© 2024 MoroJs

CORS Configuration

Secure cross-origin requests made simple. Enable CORS with one line, configure origins, and protect your API automatically.

On this page

CORS That Just Works

Enable CORS with one line. Configure origins automatically.
Secure by default, flexible when needed.

It's This Simple

Enable CORS with one line

typescript

1import { createApp } from '@morojs/moro';
2
3const app = createApp({
4  cors: true // That's it!
5});
6
7// All routes now support CORS automatically
8app.get('/users', () => {
9  return { success: true, data: [] };
10});

Why CORS Matters

Without CORS, browsers block cross-origin requests. With CORS, you control which origins can access your API securely.

Traditional CORS setup requires manual header management and preflight handling. We handle that automatically.

Without CORS

  • Browsers block cross-origin requests
  • Manual header management
  • Complex preflight handling
  • Security configuration errors

With MoroJS

  • One-line CORS enablement
  • Automatic preflight handling
  • Secure defaults
  • Flexible configuration

It's This Easy

Configure allowed origins, methods, and headers. That's it.

Configure allowed origins

typescript

1const app = createApp({
2  cors: {
3    origin: ['https://app.example.com', 'https://admin.example.com'],
4    credentials: true,
5    methods: ['GET', 'POST', 'PUT', 'DELETE']
6  }
7});

Why It Makes Sense

Secure

Control which origins can access your API. Secure by default.

Automatic

Preflight requests handled automatically. No manual header management.

Flexible

Configure per-route or globally. Environment-specific settings.

How It Works

MoroJS automatically handles CORS preflight requests, validates origins against your allowed list, and sets appropriate headers. When CORS is enabled, all routes automatically support cross-origin requests according to your configuration.

Configuration

Simple CORS Configuration

typescript

1import { createApp } from '@morojs/moro';
2
3// Enable CORS with default settings
4const app = createApp({
5  cors: true // Allows all origins in development
6});
7
8// Routes automatically inherit CORS settings
9app.get('/users', () => {
10  return { success: true, data: [] };
11});

Configure Allowed Origins

typescript

1const app = createApp({
2  cors: {
3    origin: [
4      'https://app.example.com',
5      'https://admin.example.com',
6      'https://mobile.example.com'
7    ],
8    credentials: true,
9    methods: ['GET', 'POST', 'PUT', 'DELETE'],
10    allowedHeaders: ['Content-Type', 'Authorization']
11  }
12});

Environment-Specific Configuration

typescript

1const getCorsConfig = () => {
2  const env = process.env.NODE_ENV;
3  
4  if (env === 'development') {
5    return { origin: true }; // Allow all origins
6  }
7  
8  if (env === 'production') {
9    return {
10      origin: ['https://app.example.com'],
11      credentials: true,
12      maxAge: 86400 // 24 hours
13    };
14  }
15  
16  return false; // Disable CORS
17};
18
19const app = createApp({
20  cors: getCorsConfig()
21});

Advanced Configuration

For advanced use cases, you can configure dynamic origin validation, per-route CORS settings, and database-driven origin management.

Dynamic Origin Validation

typescript

1const app = createApp({
2  cors: {
3    origin: (origin, callback) => {
4      // Allow requests with no origin (mobile apps, etc.)
5      if (!origin) return callback(null, true);
6      
7      // Check against allowed domains
8      const allowedDomains = ['example.com', 'staging.example.com'];
9      const hostname = new URL(origin).hostname;
10      const isAllowed = allowedDomains.some(domain => 
11        hostname === domain || hostname.endsWith('.' + domain)
12      );
13      
14      callback(null, isAllowed);
15    },
16    credentials: true
17  }
18});

Route-Specific CORS

typescript

1// Public API - Allow all origins
2app.get('/api/public/data', {
3  middleware: [
4    cors({
5      origin: '*',
6      methods: ['GET'],
7      credentials: false
8    })
9  ],
10  handler: () => ({ message: 'Public data' })
11});
12
13// Admin API - Restricted origins
14app.post('/api/admin/users', {
15  middleware: [
16    cors({
17      origin: ['https://admin.example.com'],
18      credentials: true
19    })
20  ],
21  handler: createUser
22});

Next Steps

Security Features

Comprehensive security configuration

Middleware System

Custom middleware development

CSRF Protection

Protect against CSRF attacks