cors

package module
v1.2.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 1, 2025 License: MIT Imports: 5 Imported by: 3,551

README

CORS net/http middleware

go-chi/cors is a fork of github.com/rs/cors that provides a net/http compatible middleware for performing preflight CORS checks on the server side. These headers are required for using the browser native Fetch API.

This middleware is designed to be used as a top-level middleware on the chi router. Applying with within a r.Group() or using With() will not work without routes matching OPTIONS added.

Install

go get github.com/go-chi/cors

Usage

func main() {
  r := chi.NewRouter()

  // Basic CORS
  // for more ideas, see: https://developer.github.com/v3/#cross-origin-resource-sharing
  r.Use(cors.Handler(cors.Options{
    // AllowedOrigins:   []string{"https://foo.com"}, // Use this to allow specific origin hosts
    AllowedOrigins:   []string{"https://*", "http://*"},
    // AllowOriginFunc:  func(r *http.Request, origin string) bool { return true },
    AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
    AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
    ExposedHeaders:   []string{"Link"},
    AllowCredentials: false,
    MaxAge:           300, // Maximum value not ignored by any of major browsers
  }))

  r.Get("/", func(w http.ResponseWriter, r *http.Request) {
    w.Write([]byte("welcome"))
  })

  http.ListenAndServe(":3000", r)
}

Credits

All credit for the original work of this middleware goes out to github.com/rs.

Documentation

Overview

cors package is net/http handler to handle CORS related requests as defined by http://www.w3.org/TR/cors/

You can configure it by passing an option struct to cors.New: 

c := cors.New(cors.Options{
    AllowedOrigins: []string{"foo.com"},
    AllowedMethods: []string{"GET", "POST", "DELETE"},
    AllowCredentials: true,
})

Then insert the handler in the chain: 

handler = c.Handler(handler)

See Options documentation for more options.

The resulting handler is a standard net/http handler.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Handler added in v1.1.1 

func Handler(options Options) func(next http.Handler) http.Handler

Handler creates a new Cors handler with passed options.

Types

type Cors 

type Cors struct {
	// Debug logger
	Log Logger
	// contains filtered or unexported fields
}

Cors http handler

func AllowAll added in v1.1.0 

func AllowAll() *Cors

AllowAll create a new Cors handler with permissive configuration allowing all origins with all standard methods with any header and credentials.

func New 

func New(options Options) *Cors

New creates a new Cors handler with the provided options.

func (*Cors) Handler 

func (c *Cors) Handler(next http.Handler) http.Handler

Handler apply the CORS specification on the request, and add relevant CORS headers as necessary.

type Logger added in v1.1.0 

type Logger interface {
	Printf(string, ...interface{})
}

Logger generic interface for logger

type Options 

type Options struct {
	// AllowedOrigins is a list of origins a cross-domain request can be executed from.
	// If the special "*" value is present in the list, all origins will be allowed.
	// An origin may contain a wildcard (*) to replace 0 or more characters
	// (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penalty.
	// Only one wildcard can be used per origin.
	// Default value is ["*"]
	AllowedOrigins []string

	// AllowOriginFunc is a custom function to validate the origin. It takes the origin
	// as argument and returns true if allowed or false otherwise. If this option is
	// set, the content of AllowedOrigins is ignored.
	AllowOriginFunc func(r *http.Request, origin string) bool

	// AllowedMethods is a list of methods the client is allowed to use with
	// cross-domain requests. Default value is simple methods (HEAD, GET and POST).
	AllowedMethods []string

	// AllowedHeaders is list of non simple headers the client is allowed to use with
	// cross-domain requests.
	// If the special "*" value is present in the list, all headers will be allowed.
	// Default value is [] but "Origin" is always appended to the list.
	AllowedHeaders []string

	// ExposedHeaders indicates which headers are safe to expose to the API of a CORS
	// API specification
	ExposedHeaders []string

	// AllowCredentials indicates whether the request can include user credentials like
	// cookies, HTTP authentication or client side SSL certificates.
	AllowCredentials bool

	// MaxAge indicates how long (in seconds) the results of a preflight request
	// can be cached
	MaxAge int

	// OptionsPassthrough instructs preflight to let other potential next handlers to
	// process the OPTIONS method. Turn this on if your application handles OPTIONS.
	OptionsPassthrough bool

	// Debugging flag adds additional output to debug server side CORS issues
	Debug bool
}

Options is a configuration container to setup the CORS middleware.

Source Files

View all Source files

Directories

Path Synopsis
cors example
 cors example

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.