CORS Configuration for API

CORS Configuration for API


//: # ()

+------------+                      +-----------------+
|   Client   |                      |     Server      |
+------------+                      +-----------------+
      |                                     |
      | Request                             |
      |                                     |
      |        Preflight (OPTIONS)          |
      |      Access-Control-Allow-Origin    |
      |   Access-Control-Allow-Methods      |
      |   Access-Control-Allow-Headers      |
      |  Access-Control-Allow-Credentials   |
      |    Access-Control-Max-Age           |
      |                                     |
      |       Actual Request (GET/POST)     |
      |                                     |
      |         Response with Data          |
      |                                     |

What is CORS?

Cross-Origin Resource Sharing CORS is a security mechanism that allows web servers to define which domains are allowed to access their APIs, preventing unauthorized cross-origin requests and ensuring safer interactions between different origins. It is a fundamental security mechanism to protect users from unauthorized access to their data.

CORS configuration varies based on the server-side technology you are using. Most web frameworks provide mechanisms to set CORS headers in the response, as demonstrated in the example I provided earlier.

CORS Configuration in API

To configure Cross-Origin Resource Sharing (CORS) for your API, you need to set appropriate headers in the server's response to allow requests from different origins. The headers you typically need to include are:

  1. Access-Control-Allow-Origin: This header specifies which origin(s) are allowed to make requests to your API. You can set it to a specific origin or use a wildcard (*) to allow requests from any origin.

  2. Access-Control-Allow-Methods: This header lists the HTTP methods (e.g., GET, POST, PUT, DELETE) that are allowed for the API.

  3. Access-Control-Allow-Headers: Use this header to specify which HTTP headers can be used in the actual request.

  4. Access-Control-Expose-Headers: If your API uses custom headers, you can include them in this header to make them accessible to the client-side JavaScript.

  5. Access-Control-Allow-Credentials: If your API requires authentication and you want to allow credentials (e.g., cookies, HTTP authentication) to be included in the request, set this header to "true." Be aware that setting this header requires the client-side request to include the "withCredentials" option.

  6. Access-Control-Max-Age: This header specifies how long the results of a preflight request can be cached in seconds. A preflight request is an initial request sent by the browser before the actual request, used to check if the server allows the actual request.

Here's an example of how you can set these headers in your API's server-side code (using Node.js and Express as an example):

const express = require('express');
const app = express();

// Set up CORS headers
app.use((req, res, next) => {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
  res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
  res.header('Access-Control-Expose-Headers', 'Custom-Header'); // Optional if you have custom headers
  res.header('Access-Control-Allow-Credentials', 'true'); // Optional if you need to allow credentials
  res.header('Access-Control-Max-Age', '86400'); // Optional, in seconds (e.g., 1 day) for preflight caching

// Your API routes and logic here

// Start the server
const port = 3000;
app.listen(port, () => {
  console.log(`Server is running on port ${port}`);

Please adjust the above code to fit your specific server-side framework and requirements. CORS configuration may vary based on your backend technology and the specific needs of your API.

Example in Java

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;

public class CorsFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        // Initialization code, if needed

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Set CORS headers to allow cross-origin requests
        response.setHeader("Access-Control-Allow-Origin", "*"); // Replace "*" with a specific origin if needed
        response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
        response.setHeader("Access-Control-Expose-Headers", "Custom-Header"); // Optional if you have custom headers
        response.setHeader("Access-Control-Allow-Credentials", "true"); // Optional if you need to allow credentials
        response.setHeader("Access-Control-Max-Age", "86400"); // Optional, in seconds (e.g., 1 day) for preflight caching

        // Continue the request chain
        chain.doFilter(request, response);

    public void destroy() {
        // Cleanup code, if needed

Icon For Arrow-up

Post a comment