How to enable cross-origin resource sharing (CORS) in the express.js framework on node.js

Check out the example from enable-cors.org:

In your ExpressJS app on node.js, do the following with your routes:

app.all('/', function(req, res, next) {  res.header("Access-Control-Allow-Origin", "*");  res.header("Access-Control-Allow-Headers", "X-Requested-With");  next(); });app.get('/', function(req, res, next) {  // Handle the get for this route});app.post('/', function(req, res, next) { // Handle the post for this route});

The first call (app.all) should be made before all the other routes in your app (or at least the ones you want to be CORS enabled).

[Edit]

If you want the headers to show up for static files as well, try this (make sure it's before the call to use(express.static()):

app.use(function(req, res, next) {  res.header("Access-Control-Allow-Origin", "*");  res.header("Access-Control-Allow-Headers", "X-Requested-With");  next();});

I tested this with your code, and got the headers on assets from the public directory:

var express = require('express')  , app = express.createServer();app.configure(function () {    app.use(express.methodOverride());    app.use(express.bodyParser());    app.use(function(req, res, next) {      res.header("Access-Control-Allow-Origin", "*");      res.header("Access-Control-Allow-Headers", "X-Requested-With");      next();    });    app.use(app.router);});app.configure('development', function () {    app.use(express.static(__dirname + '/public'));    app.use(express.errorHandler({ dumpExceptions: true, showStack: true }));});app.configure('production', function () {    app.use(express.static(__dirname + '/public'));    app.use(express.errorHandler());});app.listen(8888);console.log('express running at http://localhost:%d', 8888);

You could, of course, package the function up into a module so you can do something like

// cors.jsmodule.exports = function() {  return function(req, res, next) {    res.header("Access-Control-Allow-Origin", "*");    res.header("Access-Control-Allow-Headers", "X-Requested-With");    next();  };}// server.jscors = require('./cors');app.use(cors());

Following @Michelle Tilley solution, apparently it didn't work for me at first. Not sure why, maybe I am using chrome and different version of node. After did some minor tweaks, it is working for me now.

app.all('*', function(req, res, next) {  res.header('Access-Control-Allow-Origin', '*');  res.header('Access-Control-Allow-Methods', 'PUT, GET, POST, DELETE, OPTIONS');  res.header('Access-Control-Allow-Headers', 'Content-Type');  next();});

In case someone facing similar issue as mine, this might be helpful.

Try to this cors npm modules.

var cors = require('cors')var app = express()app.use(cors())

This module provides many features to fine tune cors setting such as domain whitelisting, enabling cors for specific apis etc.