Wildcard CORS Support

XyPriss supports flexible CORS (Cross-Origin Resource Sharing) configuration with powerful wildcard patterns, making it easier to handle multiple domains and ports during development and production.

Supported Patterns

Port Wildcards
  • localhost:* - Any port on localhost
  • 127.0.0.1:* - Any port on 127.0.0.1
  • ::1:* - Any port on IPv6 localhost

Subdomain Wildcards
  • *.example.com - Any subdomain of example.com
  • *.api.myapp.com - Any subdomain of api.myapp.com

Basic Configuration

Specify flexible origin patterns in your server options. XyPriss automatically detects wildcard patterns and applies the appropriate validation logic.

```typescript
import { createServer } from "xypriss";

const app = createServer({
    security: {
        cors: {
            origin: [
                "localhost:*", // Allow any localhost port
                "127.0.0.1:*", // Allow any 127.0.0.1 port
                "*.myapp.com", // Allow any subdomain
                "https://app.prod.com", // Exact production URL
            ],
            credentials: true,
            methods: ["GET", "POST", "PUT", "DELETE"],
            allowedHeaders: ["Content-Type", "Authorization"],
        },
    },
});
```

Pattern Matching Rules

| Pattern | Matches | Doesn't Match |
| --- | --- | --- |
| localhost:* | http://localhost:3000, https://localhost:8080 | http://example.com:3000 |
| *.test.com | https://api.test.com, https://app.test.com | https://test.com, https://malicious.com |
| 127.0.0.1:* | http://127.0.0.1:3000 | http://localhost:3000 |
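
The rules in the table can be reproduced with a small host-based matcher. This is an added example, not XyPriss's own implementation: the names `originHost`, `compileOriginPattern` and `buildOriginPolicy` are hypothetical, and it assumes both http and https are accepted for wildcard patterns and that `*.` covers nested subdomains.

```typescript
// Added illustration, NOT XyPriss's internal matcher. All names are hypothetical.
type OriginCheck = (origin: string) => boolean;

// A serialized Origin header is scheme://host[:port] and nothing else.
// Anchoring both ends rejects userinfo, paths and any trailing text.
const ORIGIN_RE = /^https?:\/\/(\[[0-9a-f:]+\]|[a-z0-9.-]+)(?::\d{1,5})?$/i;

// Returns the lowercased host (IPv6 brackets removed), or null if malformed.
function originHost(origin: string): string | null {
    const m = ORIGIN_RE.exec(origin);
    const host = m ? m[1] : undefined;
    return host ? host.toLowerCase().replace(/^\[|\]$/g, "") : null;
}

function compileOriginPattern(pattern: string): OriginCheck {
    const p = pattern.toLowerCase();
    if (p.slice(-2) === ":*") {
        // Port wildcard: the host must be equal, not merely a prefix.
        const wanted = p.slice(0, -2);
        return (origin) => originHost(origin) === wanted;
    }
    if (p.slice(0, 2) === "*.") {
        // Subdomain wildcard: keep the leading dot in the suffix so that
        // a lookalike such as "nottest.com" and the bare apex both fail.
        const suffix = p.slice(1);
        return (origin) => {
            const host = originHost(origin);
            return host !== null && host.length > suffix.length
                && host.slice(-suffix.length) === suffix;
        };
    }
    // Exact origin: compare the whole string, scheme and port included.
    return (origin) => origin.toLowerCase() === p;
}

// Compile every pattern once at startup, then test each request's Origin.
function buildOriginPolicy(patterns: string[]): OriginCheck {
    const checks = patterns.map(compileOriginPattern);
    return (origin) => checks.some((check) => check(origin));
}

// Constructed sample policy and origins (not taken from a real deployment).
const allow = buildOriginPolicy(
    ["localhost:*", "127.0.0.1:*", "::1:*", "*.test.com", "https://app.prod.com"]);
["https://api.test.com", "https://test.com", "https://nottest.com",
 "http://localhost.example.net:3000"].forEach((o) => console.log(o, allow(o)));
```

When testing a wildcard configuration, include negative cases like the lookalike hosts above alongside the expected matches.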

Development vs Production

```typescript
import { createServer } from "xypriss";

// Wildcards only in development; exact origins in production
const isDevelopment = __sys__.__env__.isDevelopment();

const app = createServer({
    security: {
        cors: {
            origin: isDevelopment
                ? ["localhost:*", "127.0.0.1:*", "::1:*"]
                : ["https://app.mycompany.com", "https://admin.mycompany.com"],
        },
    },
});
```

Security Best Practices

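Production Safety: Be specific. Use exact domains in production when possible. Avoid overly broad patterns such as *, which allows ALL origins. When credentials is true, every origin that a pattern matches can send authenticated requests and read the responses, so a subdomain wildcard extends that trust to every host under the domain.

Pattern Compilation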

Patterns are compiled once during server initialization. XyPriss handles default ports (80/443) and IPv6 address formatting automatically.

Compatibility

Exact-match origins continue to work unchanged. Mixed arrays containing both exact and wildcard patterns are fully supported.
