schangxiang@126.com
2025-09-19 df5675b4e548eff2dbab6c780b173c346551f508
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# egg-cors
 
[![NPM version][npm-image]][npm-url]
[![build status][travis-image]][travis-url]
[![Test coverage][codecov-image]][codecov-url]
[![David deps][david-image]][david-url]
[![Known Vulnerabilities][snyk-image]][snyk-url]
[![npm download][download-image]][download-url]
 
[npm-image]: https://img.shields.io/npm/v/egg-cors.svg?style=flat-square
[npm-url]: https://npmjs.org/package/egg-cors
[travis-image]: https://img.shields.io/travis/eggjs/egg-cors.svg?style=flat-square
[travis-url]: https://travis-ci.org/eggjs/egg-cors
[codecov-image]: https://codecov.io/github/eggjs/egg-cors/coverage.svg?branch=master
[codecov-url]: https://codecov.io/github/eggjs/egg-cors?branch=master
[david-image]: https://img.shields.io/david/eggjs/egg-cors.svg?style=flat-square
[david-url]: https://david-dm.org/eggjs/egg-cors
[snyk-image]: https://snyk.io/test/npm/egg-cors/badge.svg?style=flat-square
[snyk-url]: https://snyk.io/test/npm/egg-cors
[download-image]: https://img.shields.io/npm/dm/egg-cors.svg?style=flat-square
[download-url]: https://npmjs.org/package/egg-cors
 
[CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS) plugin for egg, based on [@koa/cors](https://github.com/koajs/cors).
 
## Install
 
```bash
$ npm i egg-cors --save
```
 
## Usage
 
```js
// {app_root}/config/plugin.js
exports.cors = {
  enable: true,
  package: 'egg-cors',
};
```
 
`egg-cors` works internally with [egg-security](https://github.com/eggjs/egg-security). By defining the property of `domainWhiteList` on object `security`, you have successfully informed the framework to whitelist the passed domains.
 
When you make a request from client side, **egg** should return an `Access-Control-Allow-Origin` response header with the domain that you passed in along with the payload and status code *200*.
 
```js
exports.security = {
  domainWhiteList: [ 'http://localhost:4200' ],
};
```
 
## Configuration
 
Support all configurations in [@koa/cors](https://github.com/koajs/cors).
 
```js
// {app_root}/config/config.default.js
exports.cors = {
  // {string|Function} origin: '*',
  // {string|Array} allowMethods: 'GET,HEAD,PUT,POST,DELETE,PATCH'
};
```
 
If the `origin` is set, the plugin will follow it to set the `Access-Control-Allow-Origin` and ignore the `security.domainWhiteList`. Otherwise, the `security.domainWhiteList` which is default will take effect as described above.
 
## Security
 
Only in safe domain list support CORS when security plugin enabled.
 
## Questions & Suggestions
 
Please open an issue [here](https://github.com/eggjs/egg/issues).
 
## License
 
[MIT](LICENSE)