I know that we cannot have access to an API that has a different domain then ours. However, I see many people installing the cors module in Express.js to use APIs and then using it like so:
app.use(cors());
What does it actually do? How does this function enable cors on the server?
As you said, it enables CORS (cross-origin resource sharing). In order for your server to be accessible by other origins (domains).
Calling use(cors()) will enable the express server to respond to preflight requests.
A preflight request is basically an OPTION request sent to the server before the actual request is sent, in order to ask which origin and which request options the server accepts.
So CORS is basically a set of headers sent by the server to the browser.
Calling cors() without any additional information will set the following defaults:
{
"origin": "*",
"methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"preflightContinue": false,
"optionsSuccessStatus": 204
}
These are translated into these headers:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Status Code: 204
It is basically making your server accessible to any domain that requests a resource from your server via a browser.
You can check all the Express.js cors configurations at cors (GitHub).
You can also read more about browser cors at Cross-Origin Resource Sharing (CORS) (MDN).
CORS is a feature that restricts a web browser from making an API request from one domain to other domain.
E.g., your front end is in https://domain1.com and your back end is in https://domain2.com. Now the CORS policy error occurs. To solve this error in your back end, update the main JavaScript file. (I'm using Node.js as the backend.)
Solution (1)
app.use(cors())
Solution (2)
var express = require('express')
var cors = require('cors')
var app = express()
var corsOptions = {
origin: 'https://domain1.com',
}
app.get('/', cors(corsOptions), (req, res) => {
res.json()
})
Visit the link for more information: Express.js CORS
