5 changes: 5 additions & 0 deletions README.md
@@ -234,6 +234,11 @@ app.listen(80, function () {
* `preflightContinue`: Pass the CORS preflight response to the next handler.
* `optionsSuccessStatus`: Provides a status code to use for successful `OPTIONS` requests, since some legacy browsers (IE11, various SmartTVs) choke on `204`.

> [!WARNING]
> **Avoid combining `origin: true` with `credentials: true`:** `origin: true` reflects whatever value is sent in the request's `Origin` header back as `Access-Control-Allow-Origin`, so it
> ends up authorizing *every* origin, not just one. Paired with `Access-Control-Allow-Credentials: true`, that means any website can make credentialed (cookie-bearing) requests to your API
and read the response. If you need to support multiple specific origins with credentials, use an array, a `RegExp`, or a function for the `origin` option instead.

The default configuration is the equivalent of:

```json
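Review bot: the fourth line of the new warning (`and read the response. If you need to support multiple specific origins ...`) is missing the `> ` blockquote prefix that the three lines above it carry; Markdown's lazy-continuation rule will still keep it inside the `[!WARNING]` block, but prefixing it keeps the hunk consistent and prevents the sentence from silently dropping out of the callout if a blank line is ever inserted above it. The substance of the warning is correct and worth having in the README: with `origin: true` the middleware reflects the request's `Origin` header into `Access-Control-Allow-Origin`, and combined with `credentials: true` that lets any site make cookie-bearing cross-origin requests and read the responses; the suggested alternatives (an array, a `RegExp`, or a function for `origin`) are the right remediation since they produce an explicit allowlist rather than a reflection. One small wording point: "an array, a `RegExp`, or a function" could link or refer back to the `origin` option's own bullet earlier in this section so readers land on the exact semantics of each form.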