origin: * (v4 and before: the request's Origin header). This means that, by default, requests from all origins are allowed.
If you're running a generic API server, this is what you want; otherwise, you should look into changing the default to something more
suitable to your application.
```js
/**
 * CORS middleware
 *
 * @param {Object} [options]
 *  - {String|Function(ctx)} origin `Access-Control-Allow-Origin`, default is '*'
 *    If `credentials` set and return `true`, the `origin` default value will set to the request `Origin` header
 *  - {String|Array} allowMethods `Access-Control-Allow-Methods`, default is 'GET,HEAD,PUT,POST,DELETE,PATCH'
 *  - {String|Array} exposeHeaders `Access-Control-Expose-Headers`
 *  - {String|Array} allowHeaders `Access-Control-Allow-Headers`
 *  - {String|Number} maxAge `Access-Control-Max-Age` in seconds
 *  - {Boolean|Function(ctx)} credentials `Access-Control-Allow-Credentials`, default is false.
 *  - {Boolean} keepHeadersOnError Add set headers to `err.header` if an error is thrown
 *  - {Boolean} secureContext `Cross-Origin-Opener-Policy` & `Cross-Origin-Embedder-Policy` headers, default is false
 *  - {Boolean} privateNetworkAccess handle `Access-Control-Request-Private-Network` request by return `Access-Control-Allow-Private-Network`, default to false
 * @return {Function} cors middleware
 * @api public
 */
```
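One way to replace the permissive default with an explicit allowlist, using the `Function(ctx)` form of both `origin` and `credentials`. This is an added example, not code from the project; the origins, `buildCorsOptions`, `reflectOrigin`, `fakeCtx` and `decide` are assumptions made for illustration.

```javascript
// Added example, not @koa/cors code. Origins below are constructed placeholders.
const PUBLIC_ORIGINS = ['https://www.example.com'];
const CREDENTIALED_ORIGINS = ['https://app.example.com'];

// Build the `origin` and `credentials` options (both accept Function(ctx)).
function buildCorsOptions(publicOrigins, credentialedOrigins) {
  const credentialed = new Set(credentialedOrigins);
  const allowed = new Set([...publicOrigins, ...credentialedOrigins]);
  return {
    // Exact string match only: no prefix, suffix or regex tests, so a
    // lookalike such as "https://app.example.com.other.test" is not accepted.
    origin(ctx) {
      const requested = ctx.get('Origin');
      // Falsy return: no Access-Control-Allow-Origin for unlisted callers.
      return allowed.has(requested) ? requested : '';
    },
    // Cookies/authorization are only permitted for the credentialed subset.
    credentials(ctx) {
      return credentialed.has(ctx.get('Origin'));
    },
  };
}

// Handler that echoes the request's Origin header, i.e. the v4-and-before
// default described above. Shown only for comparison with the allowlist.
function reflectOrigin(ctx) {
  return ctx.get('Origin');
}

// Minimal stand-in for a Koa ctx so the handlers can be exercised offline.
function fakeCtx(originHeader) {
  return { get: (name) => (name.toLowerCase() === 'origin' ? originHeader : '') };
}

// Returns what each handler decides for one request Origin.
function decide(options, originHeader) {
  const ctx = fakeCtx(originHeader);
  return {
    allowOrigin: options.origin(ctx),
    allowCredentials: options.credentials(ctx),
    reflected: reflectOrigin(ctx),
  };
}

const corsOptions = buildCorsOptions(PUBLIC_ORIGINS, CREDENTIALED_ORIGINS);
// Usage (assumes koa and @koa/cors are installed): app.use(cors(corsOptions));
```

Supplying an explicit `origin` function also avoids the documented fallback in which `credentials` returning `true` makes the default `origin` the request's `Origin` header.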
Breaking change between 4.0 and 5.0
The default origin is now set to *. If you want to keep the 4.0 behavior, you can set the origin handler like this: