CORS
Enable cross-origin resource sharing for your API routes.
Cross-Origin Resource Sharing (CORS) controls which origins can access your API from a browser. The plugin includes built-in CORS support that handles preflight requests and response headers automatically.
Quick setup
Enable permissive CORS (all origins allowed):
export default {
  cors: true
}

This sets Access-Control-Allow-Origin: * and handles OPTIONS preflight requests with a 204 response.
Origin allowlist
Restrict access to specific origins:
export default {
  cors: {
    origins: ['https://myapp.com', 'http://localhost:5173']
  }
}

The server checks the Origin header against the allowlist. If it matches, the origin is echoed back in Access-Control-Allow-Origin. Non-matching origins receive no CORS headers.
Credentials
Enable cookies and authorization headers:
export default {
  cors: {
    origins: ['https://myapp.com'],
    credentials: true
  }
}

When credentials is true, you must specify explicit origins. The wildcard '*' cannot be used with credentials per the CORS specification.
What the plugin handles
When CORS is enabled, the plugin automatically:
- Sets Access-Control-Allow-Origin based on the requesting origin
- Sets Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
- Sets Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With
- Responds to OPTIONS preflight requests with 204 (no content)
- Sets Access-Control-Allow-Credentials: true when credentials are enabled
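
The sketch below models the documented behaviour as a standalone function so the allowlist and credentials rules can be checked in isolation. It is an added example, not the plugin's own code: the names `normalizeCors` and `corsResponse`, exact-string origin matching, throwing on `credentials` with a wildcard, and the `Vary: Origin` header are assumptions not stated on this page.

```javascript
// Added illustration; NOT the plugin's source. Names and error handling are hypothetical.
const ALLOW_METHODS = 'GET, POST, PUT, DELETE, PATCH, OPTIONS';
const ALLOW_HEADERS = 'Content-Type, Authorization, X-Requested-With';

// Normalise the `cors` option: `true` means permissive, an object means allowlist.
function normalizeCors(cors) {
  if (cors === true) return { wildcard: true, origins: new Set(), credentials: false };
  const list = [].concat(cors.origins ?? '*'); // accept a string or an array
  const wildcard = list.includes('*');
  if (cors.credentials && wildcard) {
    // Assumption: reject at config time. Browsers refuse '*' on credentialed requests.
    throw new Error("credentials: true requires explicit origins, not '*'");
  }
  return { wildcard, origins: new Set(list), credentials: Boolean(cors.credentials) };
}

// Returns { status, headers } for the CORS part of a response.
// status is 204 for an OPTIONS preflight, otherwise null (the route handler decides).
function corsResponse(cors, method, originHeader) {
  const cfg = normalizeCors(cors);
  const status = method === 'OPTIONS' ? 204 : null;
  const headers = {};
  if (cfg.wildcard) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (originHeader && cfg.origins.has(originHeader)) {
    // Exact match on scheme + host + port; no prefix, suffix or pattern matching.
    headers['Access-Control-Allow-Origin'] = originHeader;
    headers['Vary'] = 'Origin'; // assumption: stops caches reusing one origin's response
  } else {
    return { status, headers }; // non-matching origin: no CORS headers at all
  }
  headers['Access-Control-Allow-Methods'] = ALLOW_METHODS;
  headers['Access-Control-Allow-Headers'] = ALLOW_HEADERS;
  if (cfg.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return { status, headers };
}

// Constructed sample requests against the credentials config shown on this page.
function demo() {
  const cfg = { origins: ['https://myapp.com'], credentials: true };
  return [
    'https://myapp.com',             // listed: echoed back
    'http://myapp.com',              // scheme differs: no headers
    'https://myapp.com.example.net', // lookalike host: no headers
    'null',                          // opaque origin: no headers
  ].map((o) => [o, corsResponse(cfg, 'GET', o).headers['Access-Control-Allow-Origin'] ?? null]);
}
```

Running `demo()` shows that only the first origin gets an `Access-Control-Allow-Origin` header, which is the property to verify against a real deployment with requests carrying different `Origin` values.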
Configuration reference
Prop
Type
