🔐CORS Policies and Security in Node.js Express

Introduction to CORS

Cross-Origin Resource Sharing (CORS) is a security mechanism implemented in web browsers to prevent unauthorized access to resources on a different domain than the one that served the web page. CORS policies are essential in protecting users' information from malicious websites while still allowing legitimate websites to access the resources they need.

In this article, we will dive deep into CORS policies and security in Node.js Express applications, exploring how to set up CORS policies, various security risks, and best practices to keep your applications secure.

Understanding CORS Policies

CORS policies act as a gatekeeper, allowing or denying access to resources based on specific rules. These policies are enforced by web browsers, which use the CORS headers returned by the server to determine if a request should be allowed or blocked.

Simple vs. Preflighted Requests

There are two types of CORS requests: simple and preflighted. Simple requests are those that meet specific criteria, such as using only GET, HEAD, or POST methods and having only specific allowed headers. Preflighted requests are more complex, often using other HTTP methods or custom headers, and require a "preflight" request to be made before the actual request.

The preflight request is an OPTIONS request sent to the server, which then responds with the allowed CORS headers. If the actual request is allowed based on the returned headers, the browser proceeds with the request.

Enabling CORS in Express

To enable CORS in an Express application, you can use the cors middleware, a popular npm package that simplifies the process of configuring CORS headers. First, install the package:

npm install cors

Next, import the cors package and use it as middleware in your Express application:

const express = require('express');
const cors = require('cors');

const app = express();

// Use CORS middleware

// Your routes and other middleware

By default, the cors middleware allows any origin to access your resources. This may not be ideal in a production environment, so you should configure the middleware to allow only specific origins.

Configuring CORS Middleware

To configure the cors middleware, pass an options object to the cors() function:

const corsOptions = {
  origin: 'https://example.com',
  methods: ['GET', 'POST'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true,


CORS Options

  • origin: This option specifies which origins are allowed to access your resources. You can set it to a specific domain, an array of domains, or a function to dynamically determine the allowed origins.
  • methods: This option defines the allowed HTTP methods for your resources. By default, the cors middleware allows GET, POST, PUT, PATCH, DELETE, and HEAD methods.
  • allowedHeaders: This option lists the headers that can be used in the actual request. By default, the cors middleware allows any header.
  • credentials: If this option is set to true, the server allows cookies and other credentials to be sent with the request. By default, this option is set to false.

Security Risks and Mitigation

CORS policies are crucial for maintaining the security of your application. However, misconfigurations or lax policies can lead to potential security risks. Here are some common risks and how to mitigate them:

Allowing All Origins

Allowing all origins to access your resources can expose sensitive data to malicious websites. To mitigate this risk, configure the origin option in the cors middleware to allow only trusted domains.

Exposing Sensitive Headers

By default, the cors middleware allows any header to be used in the request. However, exposing sensitive headers can lead to potential security vulnerabilities. To mitigate this risk, explicitly list the allowed headers using the allowedHeaders option.

const corsOptions = {
  // ...
  allowedHeaders: ['Content-Type', 'Authorization'],

Allowing Unnecessary HTTP Methods

Allowing unnecessary HTTP methods, such as PUT or DELETE, can increase the attack surface of your application. Limit the allowed methods using the methods option in the cors middleware:

const corsOptions = {
  // ...
  methods: ['GET', 'POST'],

CSRF Attacks

Cross-Site Request Forgery (CSRF) attacks can occur when an attacker tricks a user into performing an action on your application without their knowledge. To mitigate CSRF attacks, implement CSRF tokens, and validate them for every state-changing request.

One way to implement CSRF protection is by using the csurf middleware. First, install the package:

npm install csurf

Next, import the csurf package and use it as middleware in your Express application:

const express = require('express');
const csurf = require('csurf');

const app = express();

// Use csurf middleware

// Your routes and other middleware

With CSRF protection in place, you need to include a CSRF token in every form and AJAX request that changes the state of your application. In your templates, you can include the CSRF token as a hidden input field:

<form action="/submit" method="POST">
  <input type="hidden" name="_csrf" value="{{ csrfToken }}">
  <!-- Other form fields -->
  <button type="submit">Submit</button>

For AJAX requests, you can include the CSRF token in the request headers:

fetch('/submit', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-CSRF-Token': csrfToken,
  body: JSON.stringify({ /* Request data */ }),

CORS Best Practices

Following best practices for CORS configuration and security can help keep your Express application secure:

  1. Use HTTPS: Always use HTTPS to encrypt data transmitted between the client and server, as this helps prevent eavesdropping and man-in-the-middle attacks.
  2. Restrict Origins: Always restrict the allowed origins to only trusted domains and avoid using wildcards (*), which can allow any domain to access your resources.
  3. Limit Exposed Headers: Only expose necessary headers to minimize the potential attack surface.
  4. Allow Only Required Methods: Limit the allowed HTTP methods to those that are required for your application to function properly.
  5. Use CSRF Protection: Implement CSRF protection using CSRF tokens and validate them for every state-changing request.
  6. Keep Dependencies Updated: Regularly update your application dependencies, including the cors middleware, to ensure you have the latest security patches and improvements.


In this article, we have explored CORS policies and security in Node.js Express applications. We have discussed the importance of CORS, how to enable and configure CORS in Express, common security risks, and best practices to keep your applications secure. By following these guidelines, you can create robust and secure Express applications that protect your users' data and maintain a high level of security.

Mình hy vọng bạn thích bài viết này và học thêm được điều gì đó mới.

Donate mình một ly cafe hoặc 1 cây bút bi để mình có thêm động lực cho ra nhiều bài viết hay và chất lượng hơn trong tương lai nhé. À mà nếu bạn có bất kỳ câu hỏi nào thì đừng ngại comment hoặc liên hệ mình qua: Zalo - 0374226770 hoặc Facebook. Mình xin cảm ơn.

Momo: NGUYỄN ANH TUẤN - 0374226770

TPBank: NGUYỄN ANH TUẤN - 0374226770 (hoặc 01681423001)


All Rights Reserved

Let's register a Viblo Account to get more interesting posts.