CORS configs have a habit of getting more permissive over time until you’re basically allowing any origin. I keep an explicit allowlist and handle credentials carefully. If you allow cookies, you can’t use * as the origin. I also keep preflight responses fast and cacheable by setting a maxAge. Logging unexpected origins in non-production helps you update the allowlist intentionally instead of widening it blindly. CORS isn’t an auth mechanism, but misconfiguring it makes auth bugs easier to exploit. Being explicit here keeps the security posture understandable and reduces surprises when you add a new frontend domain or preview environment.
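As an added example (not code from the original post), here is a framework-agnostic policy function that implements the points above: exact-match allowlist, credentials without a wildcard, a cacheable preflight, and logging of unexpected origins only outside production. The origins, the max-age value, and the request shape (`method`, `url`, lower-cased `headers`) are assumptions constructed for illustration.

```javascript
// Added example, not from the original post. Assumed: a request object with
// `method`, `url` and a `headers` map with lower-cased keys, as Node's http gives you.
const ALLOWED_ORIGINS = new Set([            // constructed allowlist
  'https://app.example.com',
  'https://staging.example.com',
]);
const PREFLIGHT_MAX_AGE_SECONDS = 600;       // constructed value; tune per deployment

function buildCorsPolicy({ allowedOrigins, allowCredentials, maxAge, env, log }) {
  // Browsers reject "Access-Control-Allow-Origin: *" on credentialed requests,
  // so refuse that combination at startup instead of failing silently in production.
  if (allowCredentials && allowedOrigins.has('*')) {
    throw new Error('cannot combine credentials with a wildcard origin');
  }
  return function corsHeaders(req) {
    const origin = req.headers['origin'];
    if (origin === undefined) return null;   // same-origin or non-browser: no CORS headers
    if (!allowedOrigins.has(origin)) {       // exact string match, no prefix/regex tricks
      // Log only outside production so the allowlist is widened deliberately, not blindly.
      if (env !== 'production') log(`CORS: unexpected origin ${origin} for ${req.method} ${req.url}`);
      return null;                           // no Access-Control-* headers: browser blocks the read
    }
    const headers = {
      'Access-Control-Allow-Origin': origin, // echo the matched origin, never "*"
      'Vary': 'Origin',                      // caches must key on Origin when it is echoed
    };
    if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
    const isPreflight = req.method === 'OPTIONS' && req.headers['access-control-request-method'];
    if (isPreflight) {
      headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
      headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'; // fixed list, not echoed
      headers['Access-Control-Max-Age'] = String(maxAge);   // keeps preflights cheap and cacheable
    }
    return headers;
  };
}

const corsHeaders = buildCorsPolicy({
  allowedOrigins: ALLOWED_ORIGINS,
  allowCredentials: true,
  maxAge: PREFLIGHT_MAX_AGE_SECONDS,
  env: process.env.NODE_ENV || 'development',
  log: (msg) => console.warn(msg),
});

module.exports = { buildCorsPolicy, corsHeaders, ALLOWED_ORIGINS, PREFLIGHT_MAX_AGE_SECONDS };
```

Wire `corsHeaders(req)` into your response path: a `null` result means send the response with no CORS headers at all, and for an `OPTIONS` preflight reply with status 204 and the returned headers.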