Advanced CORS with RegExp Support #
XyPriss provides enterprise-grade CORS (Cross-Origin Resource Sharing) configuration with powerful pattern matching capabilities. Unlike traditional CORS implementations, XyPriss supports regular expressions, mixed arrays, and complex origin validation patterns.
Overview #
The advanced CORS system allows you to define origin patterns using:
- Regular Expressions:
/^https?:\/\/localhost:\d+$/for localhost with any port - Wildcard Strings:
"localhost:*","*.example.com" - Exact Matches:
"https://production.com" - Mixed Arrays: Combine all pattern types in a single configuration
Quick Start #
import { createServer } from "xypriss";
const server = createServer({
security: {
cors: {
origin: [
// RegExp patterns (powerful and flexible)
/^localhost:\d+$/, // localhost:3000, localhost:8080, etc.
/^127\.0\.0\.1:\d+$/, // 127.0.0.1:3000, etc.
/^::1:\d+$/, // IPv6 localhost
/\.test\.com$/, // *.test.com
// String patterns (backward compatibility)
"localhost:*", // Wildcard pattern
"*.dev.example.com", // Subdomain wildcard
// Exact matches
"https://production.com",
"https://staging.example.com",
],
credentials: true,
methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
allowedHeaders: ["Content-Type", "Authorization"],
},
},
});
server.get("/api/data", (req, res) => {
res.xJson({ message: "CORS configured successfully!" });
});
server.start();
Pattern Types #
Regular Expression Patterns #
Use JavaScript RegExp objects for complex pattern matching:
origin: [
// Match localhost with any port
/^https?:\/\/localhost:\d+$/,
// Match any subdomain of example.com
/^https?:\/\/.*\.example\.com$/,
// Match specific IP ranges
/^https?:\/\/192\.168\.1\.\d+:\d+$/,
// Match development environments
/^https?:\/\/.*\.(dev|staging|test)\.company\.com$/,
];
Wildcard String Patterns #
Traditional wildcard patterns for simple matching:
origin: [
"localhost:*", // Any port on localhost
"*.example.com", // Any subdomain
"api.*.service.com", // Complex wildcards
"192.168.1.*:3000", // IP ranges with ports
];
Exact Match Patterns #
For production environments where you want explicit control:
origin: [
"https://myapp.com",
"https://api.myapp.com",
"https://admin.myapp.com",
];
Mixed Pattern Arrays #
Combine all pattern types for maximum flexibility:
origin: [
// RegExp for development
/^localhost:\d+$/,
/^127\.0\.0\.1:\d+$/,
// Wildcards for staging
"*.staging.company.com",
// Exact matches for production
"https://production.company.com",
"https://api.production.company.com",
];
Configuration Options #
interface CORSConfig {
/** Origin patterns (strings, RegExp, or mixed arrays) */
origin?: string | string[] | RegExp | RegExp[];
/** Allow credentials in CORS requests */
credentials?: boolean;
/** Allowed HTTP methods */
methods?: string[];
/** Allowed headers */
allowedHeaders?: string[];
/** Cache duration for preflight requests (in seconds) */
maxAge?: number;
/** Expose additional headers to client */
exposedHeaders?: string[];
/** Custom success status for OPTIONS requests */
optionsSuccessStatus?: number;
}
Advanced Examples #
Development Environment #
const server = createServer({
security: {
cors: {
origin: [
// Local development
/^localhost:\d+$/,
/^127\.0\.0\.1:\d+$/,
/^0\.0\.0\.0:\d+$/,
/^::1:\d+$/, // IPv6
// Development domains
/\.dev\.company\.com$/,
/\.staging\.company\.com$/,
// Local testing tools
/^https?:\/\/localhost:\d+$/,
"http://localhost:3000",
"http://localhost:8080",
],
credentials: true,
},
},
});
Multi-Environment Configuration #
const corsOrigins =
process.env.NODE_ENV === "production"
? ["https://myapp.com", "https://api.myapp.com"]
: [
/^localhost:\d+$/,
/^127\.0\.0\.1:\d+$/,
/\.dev\.myapp\.com$/,
"https://staging.myapp.com",
];
const server = createServer({
security: {
cors: {
origin: corsOrigins,
credentials: true,
},
},
});
API Gateway Pattern #
const server = createServer({
security: {
cors: {
origin: [
// Allow all subdomains of trusted domains
/^https?:\/\/.*\.trusted-domain\.com$/,
// Specific API clients
"https://client1.com",
"https://client2.com",
// Development environments
/^localhost:\d+$/,
// IP ranges for internal services
/^https?:\/\/10\.0\.\d+\.\d+:\d+$/,
/^https?:\/\/192\.168\.\d+\.\d+:\d+$/,
],
credentials: true,
methods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
allowedHeaders: [
"Content-Type",
"Authorization",
"X-API-Key",
"X-Request-ID",
],
exposedHeaders: [
"X-RateLimit-Limit",
"X-RateLimit-Remaining",
"X-RateLimit-Reset",
],
},
},
});
Mobile App Support #
const server = createServer({
security: {
cors: {
origin: [
// Web origins
/^https?:\/\/localhost:\d+$/,
"https://myapp.com",
// Mobile app origins (custom schemes)
/^myapp:\/\//,
/^com\.company\.myapp:\/\//,
// Capacitor/Cordova origins
/^http:\/\/localhost:\d+$/, // iOS simulator
/^https?:\/\/192\.168\.1\.\d+:\d+$/, // Android emulator
/^https?:\/\/10\.0\.2\.2:\d+$/, // Android emulator alternative
],
credentials: false, // Usually false for mobile apps
methods: ["GET", "POST", "PUT", "DELETE"],
allowedHeaders: ["Content-Type", "Authorization"],
},
},
});
Route-Specific CORS #
Apply different CORS policies to different routes:
const server = createServer({
security: {
cors: {
// Default CORS for all routes
origin: "https://myapp.com",
credentials: true,
},
routeConfig: {
cors: {
// Stricter CORS for admin routes
includeRoutes: ["/admin/*"],
config: {
origin: [
"https://admin.myapp.com",
/^localhost:\d+$/, // Allow localhost for development
],
credentials: true,
},
},
},
},
});
// Public API with relaxed CORS
server.get("/api/public", (req, res) => {
res.xJson({ message: "Public API" });
});
// Admin API with strict CORS
server.get("/admin/users", (req, res) => {
res.xJson({ users: [] });
});
Security Considerations #
1. RegExp Safety #
// ✅ Safe: Specific patterns
origin: [
/^https?:\/\/localhost:\d+$/, // Specific to localhost
/^https?:\/\/.*\.trusted\.com$/, // Specific domain
];
// ❌ Dangerous: Overly permissive
origin: [
/.*/, // Matches everything!
/^https?:\/\/.*$/, // Any HTTPS site
];
2. Credential Handling #
// ✅ Secure: Credentials only for specific origins
cors: {
origin: [
"https://myapp.com", // Specific trusted origin
/^localhost:\d+$/ // Development only
],
credentials: true
}
// ❌ Insecure: Credentials for any origin
cors: {
origin: "*", // Any origin
credentials: true // Allows credentials to any site!
}
3. Header Validation #
// ✅ Restrictive headers
cors: {
allowedHeaders: ["Content-Type", "Authorization", "X-API-Key"];
}
// ❌ Permissive headers (security risk)
cors: {
allowedHeaders: ["*"]; // Allows any headers
}
Performance Optimization #
Pattern Pre-compilation #
RegExp patterns are pre-compiled for optimal performance:
// Patterns are compiled once at startup
const patterns = [
/^localhost:\d+$/, // Compiled RegExp
"*.example.com", // Converted to RegExp internally
"exact.com", // Exact string match
];
Early Termination #
The validation stops at the first matching pattern:
// Fast: Checks patterns in order until match found
for (const pattern of patterns) {
if (matches(pattern, origin)) {
return true; // Exit early on first match
}
}
Troubleshooting #
Common Issues #
-
"Origin not allowed" errors
// Check your pattern syntax origin: [ /^https?:\/\/localhost:\d+$/, // Missing ^ or $ anchors "localhost:*", // Correct wildcard syntax ]; -
RegExp not matching
// Debug with console.log const server = createServer({ security: { cors: { origin: [ (origin) => { console.log("Checking origin:", origin); return /^localhost:\d+$/.test(origin); }, ], }, }, }); -
Preflight request failures
// Ensure OPTIONS method is allowed cors: { methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'], // Include OPTIONS maxAge: 86400 // Cache preflight for 24 hours }
Debug Mode #
Enable detailed CORS logging:
const server = createServer({
logging: {
level: "debug",
components: {
security: true,
},
},
security: {
cors: {
origin: [/^localhost:\d+$/, "*.example.com"],
},
},
});
This will log:
[CORS] Checking origin: http://localhost:3000
[CORS] Pattern /^localhost:\d+$/ matched
[CORS] Access granted
Migration Guide #
From Express CORS #
// Express cors
const cors = require("cors");
app.use(
cors({
origin: function (origin, callback) {
const allowedOrigins = ["http://localhost:3000", "https://example.com"];
if (!origin || allowedOrigins.includes(origin)) {
callback(null, true);
} else {
callback(new Error("Not allowed by CORS"));
}
},
}),
);
// XyPriss equivalent
const server = createServer({
security: {
cors: {
origin: [
/^localhost:\d+$/, // More flexible than exact matches
"https://example.com",
],
},
},
});
From String Arrays #
// Old approach
cors: {
origin: ["http://localhost:3000", "http://localhost:8080", "*.example.com"];
}
// New approach with RegExp
cors: {
origin: [
/^localhost:\d+$/, // Cleaner than listing every port
/\.example\.com$/, // More precise than wildcards
];
}
Browser Compatibility #
Modern Browsers (✅ Full Support) #
- Chrome 98+
- Firefox 97+
- Safari 15.2+
- Edge 98+
Legacy Browser Considerations #
// Fallback for older browsers
const server = createServer({
security: {
cors: {
origin:
process.env.NODE_ENV === "production"
? "https://myapp.com" // Exact match for older browsers
: /^localhost:\d+$/, // RegExp for modern browsers
credentials: true,
},
},
});
Integration Examples #
SPA with API #
// Frontend (React/Vue/Angular)
const API_BASE =
process.env.NODE_ENV === "production"
? "https://api.myapp.com"
: "http://localhost:3001";
fetch(`${API_BASE}/api/data`, {
credentials: "include", // Required for CORS with credentials
});
// Backend
const server = createServer({
security: {
cors: {
origin:
process.env.NODE_ENV === "production"
? "https://myapp.com"
: /^localhost:\d+$/,
credentials: true,
},
},
});
Microservices Architecture #
// API Gateway
const gateway = createServer({
security: {
cors: {
origin: ["https://webapp.com", /^https?:\/\/.*\.internal\.company\.com$/],
credentials: true,
},
},
});
// Individual services (trust API Gateway)
const userService = createServer({
security: {
cors: {
origin: "https://api-gateway.company.com",
credentials: true,
},
},
});
Third-Party Integration #
const server = createServer({
security: {
cors: {
origin: [
// Your own domains
"https://myapp.com",
/^localhost:\d+$/,
// Third-party services
"https://api.stripe.com",
"https://www.paypal.com",
// Webhook endpoints (if needed)
/^https?:\/\/.*\.webhook\.service\.com$/,
],
credentials: false, // Usually false for third-party
},
},
});
Advanced CORS with RegExp support provides enterprise-grade origin validation while maintaining developer-friendly configuration. The mixed pattern approach allows you to use the right tool for each use case, from simple wildcards to complex regular expressions.