# Wildcard CORS Support
XyPriss supports flexible CORS (Cross-Origin Resource Sharing) configuration with powerful wildcard patterns, making it easier to handle multiple domains and ports during development and production.
## Supported Patterns

- `localhost:*` - Any port on localhost
- `127.0.0.1:*` - Any port on 127.0.0.1
- `::1:*` - Any port on IPv6 localhost
- `*.example.com` - Any subdomain of example.com
- `*.api.myapp.com` - Any subdomain of api.myapp.com
## Basic Configuration
Specify flexible origin patterns in your server options. XyPriss automatically detects wildcard patterns and applies the appropriate validation logic.
```typescript
import { createServer } from "xypriss";

const app = createServer({
    security: {
        cors: {
            origin: [
                "localhost:*", // Allow any localhost port
                "127.0.0.1:*", // Allow any 127.0.0.1 port
                "*.myapp.com", // Allow any subdomain
                "https://app.prod.com", // Exact production URL
            ],
            credentials: true,
            methods: ["GET", "POST", "PUT", "DELETE"],
            allowedHeaders: ["Content-Type", "Authorization"],
        },
    },
});
```

## Pattern Matching Rules
| Pattern | Matches | Doesn't Match |
|---|---|---|
| `localhost:*` | http://localhost:3000, https://localhost:8080 | http://example.com:3000 |
| `*.test.com` | https://api.test.com, https://app.test.com | https://test.com, https://malicious.com |
| `127.0.0.1:*` | http://127.0.0.1:3000 | http://localhost:3000 |
## Development vs Production

```typescript
import { createServer } from "xypriss";

const isDevelopment = __sys__.__env__.isDevelopment();

const app = createServer({
    security: {
        cors: {
            origin: isDevelopment
                ? ["localhost:*", "127.0.0.1:*", "::1:*"] // local dev: any port on loopback
                : ["https://app.mycompany.com", "https://admin.mycompany.com"], // production: exact origins only
        },
    },
});
```

## Security Best Practices
Do not use a bare `*` origin, which allows ALL origins.

## Pattern Compilation
Patterns are compiled once during server initialization. XyPriss handles default ports (80/443) and IPv6 address formatting automatically.
## Compatibility
Exact-match origins continue to work unchanged. Mixed arrays containing both exact and wildcard patterns are fully supported.
## Advanced: Regex Origin Patterns
XyPriss supports regular expressions in the origin property, giving you fine-grained control over which origins are allowed. Regex patterns are compiled once at server startup and evaluated against the full origin string (scheme + host + optional port).
```typescript
import { createServer } from "xypriss";

const app = createServer({
    security: {
        cors: {
            origin: [
                /^https:\/\/.*\.myapp\.com$/, // All subdomains of myapp.com
                /^https:\/\/admin\.myapp\.com$/, // Exact admin subdomain (also matches regex above)
                "https://app.prod.com", // Exact match
            ],
            credentials: true,
            methods: ["GET", "POST", "PUT", "DELETE"],
            allowedHeaders: ["Content-Type", "Authorization"],
        },
    },
});
```

## Regex Matching Examples
| Pattern | Matches | Doesn't Match |
|---|---|---|
| `/^https:\/\/.*\.myapp\.com$/` | https://app.myapp.com, https://api.myapp.com:8443 | https://myapp.com (no subdomain), http://evil.myapp.com |
| `/^https:\/\/admin\.myapp\.com$/` | https://admin.myapp.com | https://api.myapp.com |
| `localhost:*` | http://localhost:3000, https://localhost:8080 | http://example.com:3000 |
## Mixed Array: Exact, Wildcard, and Regex

You can freely mix exact strings, wildcard strings, and RegExp objects in the same origin array. XyPriss evaluates each entry in order and accepts the request if any pattern matches.

```typescript
origin: [
    "https://app.prod.com", // Exact match
    /^https:\/\/.*\.myapp\.com$/, // Regex: any subdomain
    "localhost:*", // Wildcard: any localhost port
    /^https:\/\/10\.0\.\d+\.\d+(?::\d+)?$/, // Regex: internal IP range, anchored with $ so the host cannot be extended
],
```

A pattern such as `/.*/` (every origin) or `/^https:\/\/.*$/` (every HTTPS origin) defeats the purpose of CORS. Always anchor your regex (`^` and `$`) and include the scheme (`https://`) to prevent bypasses.
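As an added illustration (not XyPriss's own implementation), the following stand-alone JavaScript matcher applies the three entry types from the pattern tables and the mixed array above to an `Origin` header value, using a constructed pattern list: exact strings compare verbatim, `host:*` matches that host on any scheme and port (default ports 80/443 and IPv6 brackets handled), `*.domain` matches subdomains but neither the apex nor look-alikes such as `evil-test.com`, and a RegExp is tested against the full origin string, so a regex anchored with `$` admits an explicit port only where the pattern provides for it (e.g. `(?::\d+)?$`). It also shows why a matched origin is reflected back with `Vary: Origin` rather than answered with `*` when credentials are enabled.

```javascript
// Stand-alone model of this page's origin rules (added example, not XyPriss's
// code): entries are exact strings, "host:*", "*.domain", or RegExp objects.

// Parse an Origin header value into scheme, host and effective port; null for
// anything that is not a bare scheme://host[:port] (e.g. "null" or a path).
function parseOrigin(origin) {
  let u;
  try { u = new URL(origin); } catch { return null; }
  if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname.replace(/^\[|\]$/g, "").toLowerCase(), // strip IPv6 brackets
    port: u.port || (u.protocol === "https:" ? "443" : "80"), // default port when elided
  };
}

// Test a single entry against the raw origin string and its parsed form.
function matchesPattern(pattern, origin, parsed) {
  if (pattern instanceof RegExp) {
    pattern.lastIndex = 0;          // a stateful /g regex must not skip matches
    return pattern.test(origin);    // regex sees scheme + host + optional port
  }
  if (!pattern.includes("*")) return pattern === origin; // exact entry
  if (!parsed) return false;
  if (pattern.endsWith(":*")) {     // "localhost:*": that host, any scheme and port
    return parsed.host === pattern.slice(0, -2).toLowerCase();
  }
  if (pattern.startsWith("*.")) {   // "*.test.com": subdomains only, never the apex
    const suffix = pattern.slice(1).toLowerCase(); // ".test.com" keeps the dot, so
    return parsed.host.endsWith(suffix) && parsed.host.length > suffix.length; // evil-test.com fails
  }
  return false;                      // unknown wildcard shape: deny by default
}

// True when any entry matches; evaluation stops at the first hit.
function isOriginAllowed(origin, patterns) {
  const parsed = parseOrigin(origin);
  return patterns.some((p) => matchesPattern(p, origin, parsed));
}

// Headers for an allowed origin: reflect the exact origin (never "*" together with
// credentials) and send Vary so a shared cache does not reuse the answer across origins.
function corsHeadersFor(origin, patterns) {
  if (!isOriginAllowed(origin, patterns)) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true", Vary: "Origin" };
}

// Constructed sample list mixing all three entry types, as in the array above.
const ORIGINS = ["https://app.prod.com", /^https:\/\/.*\.myapp\.com$/, "localhost:*", "*.test.com"];
```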
