How to: enable CORS in express.js (node.js)

Express.js is one of the most popular node.js frameworks for serving websites or building APIs. This article is about how to enable Cross Origin Resource Sharing, also known as CORS. For that we need to set the correct headers in the response, which allow a browser to make use of the data from any domain.

Visit the demo project on github. A complete example is at the bottom of this post.

Update: You can also use the cors module (via reddit comments)

CORS exists for security reasons and to limit which resources a browser can gain access to, from another website. Let’s say our site exists at and we want the JavaScript files on that site to access, we can’t do that unless the server at allows it.

If we try an AJAX/xmlhttprequest to a file like that, we get an error message from the console in our browser.

Chrome, Chromium:

XMLHttpRequest cannot load http://localhost:3000. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.


Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:3000. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

The CORS rules apply to the same hostname and are also bound to the same port. So if I had an HTML file with JavaScript served by http://localhost:3001 it would not be allowed to load things from http://localhost:3000.

To allow exactly that to happend and have our client side code separate from our server and just make it load data, like with frameworks like Angular, Ember, Backbone or the like, we can use the following middleware function in express before we define our routes:

app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");

That’s it! Now you can access your route from any other domain or even from an HTML file that’s just sitting on your computer, without being served by the same or any other web server.

Limit CORS to specific routes

If you only want to serve some routes to clients of all origins, you should set the res.headers specifically for these routes and omit the next(), but just send your response, like in the following example:

app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  res.json({data: [1,2,3,4]})

With this method you can limit the Cross Origin Resource Sharing headers to specific routes of your API in express.js.


Now we’ve been through enabling CORS with node.js and Express.js, which enables you to build an API that can be reached from any browser in the world and not only through the JavaScript files you server from your domain, great job!

If you have any feedback to this guide, please let me know in the comments or one of the various social media channels. Also you can always drop me a mail at something @ this domain dot com.

A complete example of the technique described here can be found at the Demo project on github or just try the paste below:

var express = require('express');

var app = express();
app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");

app.get('/', function (req, res) {
  var data = {
    "bestAnimals": [
      "puffer fish",


var server = app.listen(3000, function () {

  var host = server.address().address;
  var port = server.address().port;

  console.log('Example app listening at http://%s:%s', host, port);


Thank you for reading! If you have any comments, additions or questions, please leave them in the form below! You can also tweet them at me

If you want to read more like this, follow me on feedly or other rss readers

14 thoughts on “How to: enable CORS in express.js (node.js)”

  1. it dose not work for me.

    i added the header above the routes in app.js file, reloaded the project and still getting the error.

  2. I add the above code to my app. But I’m still getting the following error.
    “XMLHttpRequest cannot load localhost:3000/auth/login. Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https.”
    What might have gone wrong?

  3. I return a specific token “loggerToken” in my response header after every request that is being served. I am not able to retrieve this token at frontend. Please suggest how to allow headers in the response. I am using CORS npm module.

    Below is the config code.
    var corsConfig = {
    exposedHeaders: ‘loggerToken’

  4. How can I have error handling when setting the headers in case something goes wrong?
    I try to use app.use(function(err, req, res, next) instead of app.use(function(req, res, next) to set the headers but got errors in runtime complaining preflight request doesn’t pass access control check.

  5. Hi, I’m using next.js and trying to authenticate a user through google auth and passport. Everything is working as expected if I type the url ‘/api/auth/google’ in the address bar. However if I create a function that uses axios to visit that url in the background, I get a cors issue, origin null. Even though I have cors setup on the server. Is the problem that you can’t do an Ajax call with a redirect?

Leave a Reply

Your email address will not be published. Required fields are marked *