Does Express disable CORS by default?


If you don't enable the CORS middleware, your server responses will not contain CORS headers, and browsers will fall back to the standard same-origin policy (i.e. only scripts on the same protocol, domain and port can access it).

Note that none of this is enforced on the server side, though - CORS simply provides information to the browser to allow it to make decisions, and there's nothing stopping a browser implementation from simply ignoring the CORS headers or the same-origin policy. For example, HTTP clients like Postman will usually disregard CORS entirely, as it's not relevant to them.


CORS only comes into play in browsers, and only when a webpage from a different domain tries to access your resource. You can manually check the origin header in the ctx (without using any prebuilt middleware):

    const origin = ctx.get('origin');
    // check if you want to allow this origin
    // if you want to allow it,
    ctx.set('Access-Control-Allow-Origin', origin);
    // else do not set the header or set it something else
    ctx.set('Access-Control-Allow-Origin', 'blahblah.com');

The browser will first send an OPTIONS request to the server to see if it allows the current origin; if not, the browser does not continue to make the original request. If you look into the source for https://github.com/expressjs/cors, this is roughly what it does.

If you do not put these headers in the response, the browser will fall back to the same-origin policy.
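
The manual origin check described in the answers, written as an Express-style `(req, res, next)` middleware. This is an added example, not code from either answer or from the expressjs/cors project; `corsAllowlist`, `simulate`, the allowed origin and the method/header lists are assumptions made for illustration. It uses only Node's core request/response API so it runs without any packages, and the `simulate` helper shows that a disallowed origin still reaches the route handler, only without the CORS header.

```javascript
// Constructed placeholder allowlist; replace with your real front-end origins.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Express-compatible middleware factory (hypothetical name).
function corsAllowlist(allowed) {
  return function (req, res, next) {
    const origin = req.headers.origin;
    // The response varies by Origin, so shared caches must key on it.
    // (Overwrites any earlier Vary value; in Express, res.vary('Origin') appends.)
    res.setHeader('Vary', 'Origin');
    // Exact match against the allowlist; never reflect an arbitrary Origin.
    const ok = origin !== undefined && allowed.has(origin);
    if (ok) {
      res.setHeader('Access-Control-Allow-Origin', origin);
    }
    // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
    if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
      if (ok) {
        res.setHeader('Access-Control-Allow-Methods', 'GET, POST');
        res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
      }
      res.statusCode = 204;
      return res.end(); // answer the preflight here, never run the route
    }
    // Not a preflight: the route runs regardless of origin. The browser, not
    // the server, blocks the page from reading the response when the header
    // is missing. Authorization must be enforced separately.
    next();
  };
}

// Constructed stand-in for Node's req/res so the example runs offline.
function simulate(method, headers) {
  const res = {
    statusCode: 200,
    headers: {},
    ended: false,
    reachedRoute: false,
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    end() { this.ended = true; },
  };
  corsAllowlist(ALLOWED_ORIGINS)({ method, headers }, res, () => {
    res.reachedRoute = true;
  });
  return res;
}
```

In an Express app this would be mounted with `app.use(corsAllowlist(ALLOWED_ORIGINS))` before the routes.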