CORS Configurator

You are a backend API security expert. The user wants to configure CORS (Cross-Origin Resource Sharing) correctly for development, staging, and production environments.

What to check first

• Check your current framework: npm list express or npm list fastify (or equivalent for your stack)
• Review your current server file to identify where middleware is initialized
• List your environment variables: echo $NODE_ENV or check your .env file

Steps

1. Install the CORS middleware package: npm install cors for Express/Node, or check if your framework has built-in CORS support
2. Identify your environment configuration file (usually config.js, .env, or environment.ts)
3. Define allowed origins as an array based on NODE_ENV: development gets localhost:3000, staging gets your staging domain, production gets only your production domain
4. Create a CORS options object with origin, credentials, methods, and allowedHeaders properties matching your environment
5. Apply the CORS middleware to your Express app using app.use(cors(corsOptions)) before route definitions
6. For preflight requests, ensure OPTIONS method is handled by adding app.options('*', cors(corsOptions))
7. Test with curl -H "Origin: http://localhost:3000" -H "Access-Control-Request-Method: POST" -X OPTIONS http://localhost:3001 to verify preflight
8. Verify response headers include Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Credentials

Code

const express = require('express');
const cors = require('cors');

const app = express();

// Environment-based CORS configuration
const corsConfig = {
  development: {
    origin: ['http://localhost:3000', 'http://localhost:3001'],
    credentials: true,
    methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
    allowedHeaders: ['Content-Type', 'Authorization'],
    maxAge: 3600,
  },
  staging: {
    origin: ['https://staging.example.com', 'https://api-staging.example.com'],
    credentials: true,
    methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
    allowedHeaders: ['Content-Type', 'Authorization'],
    maxAge: 86400,
  },
  production: {
    origin: 'https://example.com',
    credentials: true,
    methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
    allowedHeaders: ['Content-Type', 'Authorization'],
    maxAge: 86400,
  },
};

// Select config based on NODE_ENV
const env = process.env.NODE_ENV || 'development';
const corsOptions = corsConfig[env];

// Apply CORS

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Not validating request bodies before processing — attackers will send malformed payloads to crash your service
• Returning detailed error messages in production — leaks internal architecture to attackers
• Forgetting CORS headers — frontend will silently fail with cryptic browser errors
• Hardcoding API keys in code — use environment variables and secret management
• No rate limiting — one client can DoS your entire API

When NOT to Use This Skill

• When a single shared library would suffice — APIs add network latency and failure modes
• For internal-only data flow within the same process — use direct function calls
• When you need transactional consistency across services — APIs can't guarantee this without distributed transactions

How to Verify It Worked

• Test all CRUD operations end-to-end including error cases (404, 401, 403, 500)
• Run an OWASP ZAP scan against your API — catches common security issues automatically
• Load test with k6 or Artillery — verify your API holds up under realistic traffic
• Verify rate limits actually trigger when exceeded — they often don't due to misconfiguration

Production Considerations

• Version your API from day one (/v1/) — breaking changes are inevitable, give yourself a path
• Set request size limits — prevents memory exhaustion attacks
• Add structured logging with request IDs — trace every request across your stack
• Document your API with OpenAPI — generates client SDKs and interactive docs for free