Interface: CorsOptions
Defined in: src/types/cors/Options.ts:13
Properties
allowedHeaders?
optional
allowedHeaders: string | string[]
Defined in: src/types/cors/Options.ts:55
Name
allowedHeaders
Description
Defines the headers that are allowed in the request. This corresponds to the Access-Control-Allow-Headers header. It can be:
- A comma-separated string (e.g., 'Content-Type, Authorization')
- An array of strings (e.g., ['Content-Type', 'Authorization'])
- Undefined to allow all headers requested by the client
See
MDN: Access-Control-Allow-Headers
credentials?
optional
credentials: boolean
Defined in: src/types/cors/Options.ts:80
Name
credentials
Description
Indicates whether the request can include user credentials like cookies, HTTP authentication, or client-side SSL certificates. This sets the Access-Control-Allow-Credentials header.
- If true, credentials are allowed
- If false or undefined, credentials are not allowed
See
MDN: Access-Control-Allow-Credentials
exposedHeaders?
optional
exposedHeaders: string | string[]
Defined in: src/types/cors/Options.ts:69
Name
exposedHeaders
Description
Lists the headers exposed to the browser. This sets the Access-Control-Expose-Headers header. This is used to allow the client to read certain headers from the response. It can be:
- A comma-separated string (e.g., 'X-Custom-Header')
- An array of strings (e.g., ['X-Custom-Header'])
- Undefined to expose no additional headers
See
MDN: Access-Control-Expose-Headers
maxAge?
optional
maxAge: number
Defined in: src/types/cors/Options.ts:91
Name
maxAge
Description
Specifies how long (in seconds) the results of a preflight request can be cached. This sets the Access-Control-Max-Age header.
- A number representing the cache duration in seconds
- Undefined to not specify a max age
See
methods?
optional
methods: string | string[]
Defined in: src/types/cors/Options.ts:42
Name
methods
Description
Specifies the HTTP methods allowed when accessing the resource. This sets the Access-Control-Allow-Methods header. It can be:
- A comma-separated string (e.g., 'GET, POST')
- An array of strings (e.g., ['GET', 'POST'])
- Undefined to allow all standard methods
Default
'GET, HEAD, PUT, PATCH, POST, DELETE'
See
MDN: Access-Control-Allow-Methods
optionsSuccessStatus?
optional
optionsSuccessStatus: number
Defined in: src/types/cors/Options.ts:111
Name
optionsSuccessStatus
Description
Sets the HTTP status code sent for successful OPTIONS preflight requests.
- Typically set to 204 (No Content)
- Can be customized for legacy browsers that require a different status code (e.g., 200)
Default
204
origin?
optional
origin: StaticOrigin | CustomOrigin
Defined in: src/types/cors/Options.ts:28
Name
origin
Default
'*'
Description
Configures the Access-Control-Allow-Origin CORS header. This determines which origins are allowed to access the resource. It can be:
- A string representing a specific origin (e.g., 'https://example.com')
- An asterisk (*) to allow all origins
- A function for custom logic to determine the allowed origin
- Undefined to default to '*'
See
MDN: Access-Control-Allow-Origin
preflightContinue?
optional
preflightContinue: boolean
Defined in: src/types/cors/Options.ts:101
Name
preflightContinue
Description
Determines if the middleware should pass the preflight request to the next handler.
- If true, the next middleware will handle the OPTIONS request
- If false or undefined, the middleware responds directly to the preflight request
Default
false
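
The check below is an added example, not part of this library's code: it audits a CorsOptions-shaped object against the defaults documented above for origin, credentials, allowedHeaders and methods. `CorsOptionsLike`, `auditCorsOptions`, `toList` and the finding ids are hypothetical names, and origin is modelled as a string or an opaque function because StaticOrigin and CustomOrigin are not defined on this page.

```typescript
// Added example: local model of the options documented on this page.
// Assumption: StaticOrigin / CustomOrigin are not defined on this page, so
// origin is modelled here as a string or an opaque function.
interface CorsOptionsLike {
  origin?: string | ((...args: unknown[]) => unknown);
  credentials?: boolean;
  allowedHeaders?: string | string[];
  methods?: string | string[];
}

interface Finding { id: string; detail: string; }

// Accept both documented forms: 'A, B' or ['A', 'B'].
function toList(value?: string | string[]): string[] {
  if (value === undefined) return [];
  const parts = Array.isArray(value) ? value : value.split(",");
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

function auditCorsOptions(opts: CorsOptionsLike): Finding[] {
  const findings: Finding[] = [];
  // Per this page, an undefined origin defaults to '*'.
  const wildcardOrigin = opts.origin === undefined || opts.origin === "*";
  if (wildcardOrigin && opts.credentials === true) {
    findings.push({ id: "wildcard-origin-with-credentials",
      detail: "Browsers reject credentialed responses carrying Access-Control-Allow-Origin: *; name the trusted origin." });
  }
  if (opts.credentials === true && toList(opts.allowedHeaders).some((h) => h === "*")) {
    findings.push({ id: "wildcard-headers-with-credentials",
      detail: "With credentials, '*' in Access-Control-Allow-Headers is a literal header name, not a wildcard." });
  }
  if (opts.allowedHeaders === undefined) {
    findings.push({ id: "headers-unrestricted",
      detail: "Undefined allowedHeaders allows every header the client requests; list the ones the API reads." });
  }
  if (opts.methods === undefined) {
    findings.push({ id: "methods-default",
      detail: "Default methods include PUT, PATCH and DELETE; list only the methods the API serves." });
  }
  return findings;
}

// Constructed sample configurations (not taken from any real deployment).
const weak: CorsOptionsLike = { credentials: true };
const hardened: CorsOptionsLike = {
  origin: "https://example.com", credentials: true,
  allowedHeaders: ["Content-Type", "Authorization"], methods: "GET, POST",
};
```

A function-valued origin is not evaluated by this check and needs manual review of its matching logic.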