### Install @elysia/cors Source: https://github.com/elysiajs/elysia-cors/blob/main/README.md Install the @elysia/cors package using bun. ```bash bun add @elysia/cors ``` -------------------------------- ### Elysia CORS: Full Production Configuration Example Source: https://context7.com/elysiajs/elysia-cors/llms.txt Demonstrates a complete, strict CORS setup suitable for a production API with specific allowed origins, restricted methods, explicit headers, and optimized preflight caching. ```typescript import { Elysia } from 'elysia' import { cors, type CORSConfig } from '@elysia/cors' const corsConfig: CORSConfig = { origin: [ 'https://app.example.com', 'https://admin.example.com', /^https:\/\/.*\.preview\.example\.com$/ ], methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'], allowedHeaders: ['Content-Type', 'Authorization', 'X-Request-ID'], exposeHeaders: ['X-Total-Count', 'X-Request-ID'], credentials: true, maxAge: 3600, preflight: true } const app = new Elysia() .use(cors(corsConfig)) .get('/users', () => [{ id: 1, name: 'Alice' }]) .post('/users', ({ body }) => ({ created: true, body })) .listen(8080) console.log('Server running at http://localhost:8080') // Example preflight for cross-origin POST: // OPTIONS /users HTTP/1.1 // Origin: https://app.example.com // Access-Control-Request-Method: POST // Access-Control-Request-Headers: Content-Type, Authorization // // HTTP/1.1 204 No Content // Access-Control-Allow-Origin: https://app.example.com // Access-Control-Allow-Methods: POST // Access-Control-Allow-Headers: Content-Type, Authorization // Access-Control-Expose-Headers: X-Total-Count, X-Request-ID // Access-Control-Allow-Credentials: true // Access-Control-Max-Age: 3600 ``` -------------------------------- ### Basic Elysia CORS Setup Source: https://github.com/elysiajs/elysia-cors/blob/main/README.md Integrate the cors plugin into an Elysia application to enable CORS support. This basic setup accepts all origins and methods by default. ```typescript import { Elysia } from 'elysia' import { cors } from '@elysia/cors' const app = new Elysia() .use(cors()) .listen(8080) ``` -------------------------------- ### Configure Credentials with `credentials` Source: https://context7.com/elysiajs/elysia-cors/llms.txt Allow cookies and authorization headers in cross-origin requests by setting `Access-Control-Allow-Credentials: true`. Defaults to true. ```typescript import { Elysia } from 'elysia' import { cors } from '@elysia/cors' // Enable credentials (default) const app = new Elysia() .use(cors({ credentials: true })) .get('/profile', () => ({ user: 'Alice' })) .listen(3000) // → Access-Control-Allow-Credentials: true ``` ```typescript // Disable credentials const publicApp = new Elysia() .use(cors({ credentials: false })) .get('/public', () => 'public data') // → Access-Control-Allow-Credentials header is omitted ``` -------------------------------- ### methods Source: https://context7.com/elysiajs/elysia-cors/llms.txt Sets the `Access-Control-Allow-Methods` header. When `true` (default) the plugin mirrors the method of the incoming request. Accepts `'*'`, a single `HTTPMethod` string, an array of `HTTPMethod` values, or `false`/`null`/`''` to omit the header entirely. ```APIDOC ## methods ### Description Sets the `Access-Control-Allow-Methods` header. When `true` (default) the plugin mirrors the method of the incoming request. Accepts `'*'`, a single `HTTPMethod` string, an array of `HTTPMethod` values, or `false`/`null`/`''` to omit the header entirely. ### Configuration Options 1. **Mirror request method**: Default behavior when `methods: true`. ```typescript new Elysia() .use(cors({ methods: true })) .get('/', () => 'GET endpoint') .post('/', () => 'POST endpoint') // GET / → Access-Control-Allow-Methods: GET // POST / → Access-Control-Allow-Methods: POST ``` 2. **Allow all methods via wildcard**: ```typescript new Elysia().use(cors({ methods: '*' })) // → Access-Control-Allow-Methods: * ``` 3. **Restrict to an explicit list**: ```typescript new Elysia() .use(cors({ methods: ['GET', 'POST', 'DELETE'] })) .get('/', () => 'ok') // → Access-Control-Allow-Methods: GET, POST, DELETE ``` 4. **Disable the header entirely**: ```typescript new Elysia().use(cors({ methods: false })) ``` ``` -------------------------------- ### preflight Source: https://context7.com/elysiajs/elysia-cors/llms.txt Automatic OPTIONS preflight handling. When true (default), the plugin registers OPTIONS route handlers for preflight requests. It also intercepts OPTIONS requests in the onRequest lifecycle hook. Set to false to manage OPTIONS yourself. ```APIDOC ## `preflight` — Automatic OPTIONS preflight handling When `true` (default), the plugin registers `OPTIONS /` and `OPTIONS /*` route handlers that respond with `HTTP 204 No Content` and all configured CORS headers. The plugin also intercepts `OPTIONS` requests in the `onRequest` lifecycle hook to ensure preflight works even when a catch-all `.all()` handler is registered. ### Example Usage: ```typescript // Enable preflight (default) — OPTIONS returns 204 const app = new Elysia() .use(cors({ preflight: true })) .get('/', () => 'Hello') .listen(3000) // Manual OPTIONS request: // OPTIONS / HTTP/1.1 // Origin: https://example.com // Access-Control-Request-Method: GET // → HTTP/1.1 204 No Content // → Access-Control-Allow-Origin: https://example.com // → Access-Control-Allow-Methods: GET // → Access-Control-Max-Age: 5 // Works alongside .all() handlers without conflict new Elysia() .use(cors()) .all('/', () => 'catch-all handler') // OPTIONS / → 204 (CORS preflight, not routed to .all()) // GET / → 200 'catch-all handler' with CORS headers // Disable preflight (manage OPTIONS yourself) new Elysia() .use(cors({ preflight: false })) .options('/', () => new Response(null, { status: 204 })) ``` ``` -------------------------------- ### Configure Automatic OPTIONS Preflight Handling with `preflight` Source: https://context7.com/elysiajs/elysia-cors/llms.txt When true (default), the plugin registers OPTIONS route handlers for preflight requests. It also intercepts OPTIONS requests in the `onRequest` hook to ensure preflight works with catch-all handlers. ```typescript import { Elysia } from 'elysia' import { cors } from '@elysia/cors' // Enable preflight (default) — OPTIONS returns 204 const app = new Elysia() .use(cors({ preflight: true })) .get('/', () => 'Hello') .listen(3000) ``` ```typescript // Works alongside .all() handlers without conflict new Elysia() .use(cors()) .all('/', () => 'catch-all handler') // OPTIONS / → 204 (CORS preflight, not routed to .all()) // GET / → 200 'catch-all handler' with CORS headers ``` ```typescript // Disable preflight (manage OPTIONS yourself) new Elysia() .use(cors({ preflight: false })) .options('/', () => new Response(null, { status: 204 })) ``` -------------------------------- ### cors(config?: CORSConfig) Source: https://context7.com/elysiajs/elysia-cors/llms.txt Registers the CORS plugin on an Elysia app. When called with no arguments, all origins are accepted, all methods are mirrored, all headers are mirrored, credentials are allowed, and preflight handling is enabled. ```APIDOC ## cors(config?: CORSConfig) ### Description Registers the CORS plugin on an Elysia app. When called with no arguments all origins are accepted, all methods are mirrored, all headers are mirrored, credentials are allowed, and preflight handling is enabled. ### Method ```typescript .use(cors()) ``` ### Parameters - **config** (CORSConfig) - Optional - Configuration object for CORS settings. ### Request Example ```typescript import { Elysia } from 'elysia' import { cors } from '@elysia/cors' const app = new Elysia() .use(cors()) .get('/', () => 'Hello World') .listen(8080) ``` ### Response Example ``` // Response headers set by plugin: // Access-Control-Allow-Origin: https://saltyaom.com // Access-Control-Allow-Methods: GET // Access-Control-Allow-Headers: origin // Access-Control-Expose-Headers: origin // Access-Control-Allow-Credentials: true ``` ``` -------------------------------- ### Configure Allowed Request Headers with `allowedHeaders` Source: https://context7.com/elysiajs/elysia-cors/llms.txt Specify which request headers are permitted. Defaults to mirroring all incoming request headers. Accepts a comma-delimited string, a string array, or true. ```typescript import { Elysia } from 'elysia' import { cors } from '@elysia/cors' // Mirror all incoming request headers (default) new Elysia().use(cors({ allowedHeaders: true })) ``` ```typescript // Allow a single header new Elysia() .use(cors({ allowedHeaders: 'Content-Type' })) .post('/upload', ({ body }) => body) // → Access-Control-Allow-Headers: Content-Type ``` ```typescript // Allow multiple headers via array new Elysia() .use(cors({ allowedHeaders: ['Content-Type', 'Authorization', 'X-Request-ID'] })) .get('/secure', () => 'secured') // → Access-Control-Allow-Headers: Content-Type, Authorization, X-Request-ID ``` ```typescript // Allow multiple headers via comma-delimited string new Elysia().use(cors({ allowedHeaders: 'Content-Type, Authorization' })) ``` -------------------------------- ### Configure Exposed Response Headers with `exposeHeaders` Source: https://context7.com/elysiajs/elysia-cors/llms.txt Specify which response headers are exposed to the browser. Defaults to exposing all response headers. Accepts a string, string array, or true. ```typescript import { Elysia } from 'elysia' import { cors } from '@elysia/cors' // Expose all response headers (default) new Elysia().use(cors({ exposeHeaders: true })) ``` ```typescript // Expose a single custom header new Elysia() .use(cors({ exposeHeaders: 'X-Total-Count' })) .get('/items', () => ({ items: [] })) // → Access-Control-Expose-Headers: X-Total-Count ``` ```typescript // Expose multiple headers new Elysia() .use(cors({ exposeHeaders: ['X-Total-Count', 'X-Page', 'X-Powered-By'] })) .get('/paginated', () => ({ data: [] })) // → Access-Control-Expose-Headers: X-Total-Count, X-Page, X-Powered-By ``` -------------------------------- ### Configure Preflight Cache Duration with `maxAge` Source: https://context7.com/elysiajs/elysia-cors/llms.txt Sets the `Access-Control-Max-Age` header on preflight responses to cache preflight results. Defaults to 5 seconds. Set to 0 or omit to disable caching. ```typescript import { Elysia } from 'elysia' import { cors } from '@elysia/cors' // Cache preflight for 1 hour const app = new Elysia() .use(cors({ maxAge: 3600 })) .get('/', () => 'ok') .listen(3000) // OPTIONS preflight → Access-Control-Max-Age: 3600 ``` ```typescript // Disable preflight caching new Elysia().use(cors({ maxAge: 0 })) // → Access-Control-Max-Age header is omitted ``` -------------------------------- ### Apply CORS Plugin with Default Settings Source: https://context7.com/elysiajs/elysia-cors/llms.txt Registers the CORS plugin with default permissive settings. All origins are accepted, methods and headers are mirrored, and credentials are allowed. ```typescript import { Elysia } from 'elysia' import { cors } from '@elysia/cors' const app = new Elysia() .use(cors()) .get('/', () => 'Hello World') .listen(8080) // Request from browser: // GET / HTTP/1.1 // Origin: https://saltyaom.com // // Response headers set by plugin: // Access-Control-Allow-Origin: https://saltyaom.com // Access-Control-Allow-Methods: GET // Access-Control-Allow-Headers: origin // Access-Control-Expose-Headers: origin // Access-Control-Allow-Credentials: true ``` -------------------------------- ### allowedHeaders Source: https://context7.com/elysiajs/elysia-cors/llms.txt Specify which request headers are permitted. Mirrors request headers by default, accepts a comma-delimited string, a string array, or true. ```APIDOC ## `allowedHeaders` — Specify which request headers are permitted Sets the `Access-Control-Allow-Headers` header. When `true` (default) the plugin mirrors the headers present on the request. Accepts a comma-delimited `string`, a `string[]`, or `true`. ### Example Usage: ```typescript // Mirror all incoming request headers (default) new Elysia().use(cors({ allowedHeaders: true })) // Allow a single header new Elysia() .use(cors({ allowedHeaders: 'Content-Type' })) .post('/upload', ({ body }) => body) // → Access-Control-Allow-Headers: Content-Type // Allow multiple headers via array new Elysia() .use(cors({ allowedHeaders: ['Content-Type', 'Authorization', 'X-Request-ID'] })) .get('/secure', () => 'secured') // → Access-Control-Allow-Headers: Content-Type, Authorization, X-Request-ID // Allow multiple headers via comma-delimited string new Elysia().use(cors({ allowedHeaders: 'Content-Type, Authorization' })) ``` ``` -------------------------------- ### Configure Allowed HTTP Methods with CORS Source: https://context7.com/elysiajs/elysia-cors/llms.txt Set the `Access-Control-Allow-Methods` header. Supports mirroring the request method, wildcard, explicit lists, or disabling the header. ```typescript new Elysia() .use(cors({ methods: true })) .get('/', () => 'GET endpoint') .post('/', () => 'POST endpoint') // GET / → Access-Control-Allow-Methods: GET // POST / → Access-Control-Allow-Methods: POST ``` ```typescript new Elysia().use(cors({ methods: '*' })) // → Access-Control-Allow-Methods: * ``` ```typescript new Elysia() .use(cors({ methods: ['GET', 'POST', 'DELETE'] })) .get('/', () => 'ok') // → Access-Control-Allow-Methods: GET, POST, DELETE ``` ```typescript new Elysia().use(cors({ methods: false })) ``` -------------------------------- ### exposeHeaders Source: https://context7.com/elysiajs/elysia-cors/llms.txt Specify which response headers are exposed to the browser. Makes non-simple headers accessible to XMLHttpRequest or fetch. Defaults to exposing all headers, accepts a string, string array, or true. ```APIDOC ## `exposeHeaders` — Specify which response headers are exposed to the browser Sets the `Access-Control-Expose-Headers` header, making non-simple headers accessible to the browser's `XMLHttpRequest` or `fetch`. When `true` (default) all response headers are exposed. Accepts a `string`, `string[]`, or `true`. ### Example Usage: ```typescript // Expose all response headers (default) new Elysia().use(cors({ exposeHeaders: true })) // Expose a single custom header new Elysia() .use(cors({ exposeHeaders: 'X-Total-Count' })) .get('/items', () => ({ items: [] })) // → Access-Control-Expose-Headers: X-Total-Count // Expose multiple headers new Elysia() .use(cors({ exposeHeaders: ['X-Total-Count', 'X-Page', 'X-Powered-By'] })) .get('/paginated', () => ({ data: [] })) // → Access-Control-Expose-Headers: X-Total-Count, X-Page, X-Powered-By ``` ``` -------------------------------- ### credentials Source: https://context7.com/elysiajs/elysia-cors/llms.txt Allow cookies and authorization headers in cross-origin requests. Sets `Access-Control-Allow-Credentials: true` when enabled, which is required for sending cookies or Authorization headers. Defaults to true. ```APIDOC ## `credentials` — Allow cookies and authorization headers in cross-origin requests Sets the `Access-Control-Allow-Credentials: true` header when enabled, which is required by browsers to send cookies or `Authorization` headers with cross-origin requests. Defaults to `true`. ### Example Usage: ```typescript // Enable credentials (default) const app = new Elysia() .use(cors({ credentials: true })) .get('/profile', () => ({ user: 'Alice' })) .listen(3000) // → Access-Control-Allow-Credentials: true // Disable credentials const publicApp = new Elysia() .use(cors({ credentials: false })) .get('/public', () => 'public data') // → Access-Control-Allow-Credentials header is omitted ``` ``` -------------------------------- ### origin Source: https://context7.com/elysiajs/elysia-cors/llms.txt Controls the `Access-Control-Allow-Origin` header. Accepts a `boolean`, `string`, `RegExp`, a predicate `Function`, or an array of any of these. When `true` (default) any origin is echoed back. When `false` or unmatched, the header is omitted. ```APIDOC ## origin ### Description Controls the `Access-Control-Allow-Origin` header. Accepts a `boolean`, `string`, `RegExp`, a predicate `Function`, or an array of any of these. When `true` (default) any origin is echoed back. When `false` or unmatched, the header is omitted. ### Configuration Options 1. **Boolean `true`**: Allow all origins (reflect request Origin). ```typescript new Elysia().use(cors({ origin: true })) ``` 2. **Exact string match**: Protocol-aware, strict matching. ```typescript new Elysia().use(cors({ origin: 'https://example.com' })) ``` 3. **RegExp**: Allow any domain matching the regular expression. ```typescript new Elysia().use(cors({ origin: /\.com$/g })) // ✅ https://example.com → Access-Control-Allow-Origin: https://example.com // ❌ https://example.org → header omitted ``` 4. **Custom function**: A predicate function to determine origin validity. ```typescript new Elysia().use(cors({ origin: (request: Request) => { const origin = request.headers.get('Origin') ?? '' return origin.endsWith('.trusted.io') } })) ``` 5. **Array of mixed validators**: Accepts the origin if ANY validator passes. ```typescript new Elysia() .use(cors({ origin: ['https://app.example.com', /\.staging\.example\.com$/g, () => false] })) .get('/', () => 'OK') .listen(3000) ``` ``` -------------------------------- ### maxAge Source: https://context7.com/elysiajs/elysia-cors/llms.txt Cache preflight response duration. Sets the `Access-Control-Max-Age` header on preflight responses, indicating how many seconds browsers can cache the preflight result. Defaults to 5. Set to 0 or omit to disable caching. ```APIDOC ## `maxAge` — Cache preflight response duration Sets the `Access-Control-Max-Age` header on preflight responses, telling browsers how many seconds they may cache the preflight result before issuing a new OPTIONS request. Defaults to `5`. Set to `0` or omit to disable caching. ### Example Usage: ```typescript // Cache preflight for 1 hour const app = new Elysia() .use(cors({ maxAge: 3600 })) .get('/', () => 'ok') .listen(3000) // OPTIONS preflight → Access-Control-Max-Age: 3600 // Disable preflight caching new Elysia().use(cors({ maxAge: 0 })) // → Access-Control-Max-Age header is omitted ``` ``` -------------------------------- ### Custom CORS Origin Function Source: https://github.com/elysiajs/elysia-cors/blob/main/README.md Configure custom logic for the Access-Control-Allow-Origin header using a function. The function receives the request context and should return a boolean to indicate acceptance. ```typescript app.use(cors, { origin: ({ request, headers }) => true }) ``` -------------------------------- ### Elysia CORS: Ahead-of-Time Compilation Toggle Source: https://context7.com/elysiajs/elysia-cors/llms.txt Controls whether Elysia uses AOT optimizations for the CORS plugin. Disable for dynamic plugin configurations that change at runtime. Defaults to true. ```typescript import { Elysia } from 'elysia' import { cors } from '@elysia/cors' // AOT enabled (default) — best performance new Elysia().use(cors({ aot: true })) // AOT disabled — use for dynamic runtime configurations new Elysia().use(cors({ aot: false, origin: computedOriginAtRuntime })) ``` -------------------------------- ### Restrict Allowed Origins with CORS Source: https://context7.com/elysiajs/elysia-cors/llms.txt Configure the `Access-Control-Allow-Origin` header using various validators. Supports boolean, string, RegExp, function, or an array of these. ```typescript new Elysia().use(cors({ origin: true })) ``` ```typescript new Elysia().use(cors({ origin: 'https://example.com' })) ``` ```typescript new Elysia().use(cors({ origin: /\.com$/g })) // ✅ https://example.com → Access-Control-Allow-Origin: https://example.com // ❌ https://example.org → header omitted ``` ```typescript new Elysia().use(cors({ origin: (request: Request) => { const origin = request.headers.get('Origin') ?? '' return origin.endsWith('.trusted.io') } })) ``` ```typescript new Elysia() .use(cors({ origin: ['https://app.example.com', /\.staging\.example\.com$/g, () => false] })) .get('/', () => 'OK') .listen(3000) ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.