Facebook Pixel

How do you whitelist specific origins for CORS?

const allowedOrigins = ['https://myapp.com', 'https://admin.myapp.com']; if (allowedOrigins.includes(req.headers.origin)) res.header('Access-Control-Allow-Origin', req.headers.origin);

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in CORS Security Best Practices

For public APIs without credentials, yes. For APIs with credentials (cookies, auth), no. Use the specific origin instead. The wildcard allows any website to make requests, which can be a security risk for authenticated APIs.

No. Only allow the methods you actually use. If your API only uses GET and POST, do not include PUT, DELETE, PATCH. This reduces the attack surface.

A header that tells the browser how long to cache the preflight result. Setting it to 3600 (1 hour) means the browser does not send a new OPTIONS request for that URL for 1 hour, reducing overhead.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.