@whi/cf-routing - v0.7.0
    Preparing search index...

    Interface CorsConfig<E, D>

    Configuration options for CORS behavior

    interface CorsConfig<E = unknown, D = unknown> {
        origins?:
            | string
            | string[]
            | ((ctx: CorsOriginContext<E, D>) => string | null);
        methods?: string;
        headers?: string;
        maxAge?: string;
        credentials?: boolean;
    }

    Type Parameters

    • E = unknown
    • D = unknown
    Index

    Properties

    origins? methods? headers? maxAge? credentials?

    Properties

    origins?: string | string[] | ((ctx: CorsOriginContext<E, D>) => string | null)

    Allowed origins for CORS requests.

    • If not set, Access-Control-Allow-Origin header is not added by default
    • Use '*' to allow all origins (not compatible with credentials: true)
    • Use an array of specific origins for restricted access
    • Use a function for dynamic origin validation with access to env and middleware data
    // Static origins
    origins: 'https://example.com'
    origins: ['https://app1.com', 'https://app2.com']

    // Dynamic origins with env access
    origins: ({ request, env }) => {
        const origin = request.headers.get('Origin');
        const allowed = env.ALLOWED_ORIGINS?.split(',') || [];
        return origin && allowed.includes(origin) ? origin : null;
    }
    methods?: string

    Allowed HTTP methods for CORS requests.

    'GET, POST, PUT, DELETE, OPTIONS'
    headers?: string

    Allowed headers for CORS requests.

    'Content-Type, X-API-Key, X-App-Id, Authorization'
    maxAge?: string

    Max age for preflight request caching in seconds.

    '86400' (24 hours)
    credentials?: boolean

    Whether to allow credentials (cookies, authorization headers). Note: Cannot be true when origins is '*'

    false

    Settings

    Member Visibility

    On This Page

    Properties