Edit Page

sails.config.cors

Configuration for Sails' built-in support for Cross-Origin Resource Sharing. CORS specifies how HTTP requests to your app originating from foreign domains should be treated. It is primarily used to allow third-party sites to make AJAX requests to your app, which are normally blocked by browsers following the same-origin policy.

These options are conventionally set in the config/cors.js configuration file. Note that these settings (with the exception of allRoutes) can be changed on a per-route basis in the config/routes.js file.

Properties

Property	Default	Details
`allRoutes`	false	Indicates whether the other CORS configuration settings should apply to every route in the app by default.
`origin`	`*`	Comma-delimited list of default hosts (beginning with http:// or https://) to give access to, or `` to allow all domains CORS access. If `allRoutes` is `true` and `origin` is ``, then your app will be fully accessible to sites hosted on foreign domains (except for routes which have their own CORS settings). If `credentials` is also `true`, this means your app will be unprotected against cross-origin attacks that exploit your logged-in users. Any routes that are exposed in this way must be careful not to perform sensitive actions or return secure data!
`methods`	GET, POST, PUT, DELETE, OPTIONS, HEAD	Comma-delimited list of methods that are allowed to be used in CORS requests. This is only used in response to preflight requests, so the inclusion of GET, POST, OPTIONS and HEAD, although customary, is not necessary.
`headers`	content-type	Comma-delimited list of headers that are allowed to be sent with CORS requests. This is only used in response to preflight requests.
`exposeHeaders`	`''`	List of headers that browsers will be allowed to access. See access-control-expose-headers.
`credentials`	true	Indicates whether cookies can be shared in CORS requests.
`securityLevel`	0	Indicates how Sails should respond to requests from disallowed origins. In normal mode (0), Sails processes all requests normally, simply setting the appropriate CORS headers and leaving it to the client to determine how to handle the response. In high mode (1), Sails will send back a 403 response to requests from disallowed origins, if the origin starts with http or https. In very high mode (2), Sails will send back a 403 response to requests from disallowed origins, regardless of the origin protocol. See Security Levels in the CORS concepts documentation for more info.

Custom route config example

The following will allow cross-origin AJAX GET, PUT and POST requests to /foo/bar from sites hosted http://foobar.com and https://owlhoot.com. DELETE requests, or requests from sites on any other domains, will be blocked by the browser.

'/foo/bar': {
  target: 'FooController.bar',
  cors: {
    origin: 'http://foobar.com,https://owlhoot.com',
    methods: 'GET,PUT,POST,OPTIONS,HEAD'
  }
}

Is something missing?

If you notice something we've missed or could be improved on, please follow this link and submit a pull request to the sails-docs repo. Once we merge it, the changes will be reflected on the website the next time it is deployed.

Documentation

Reference

Built with Love

The Sails framework is maintained by a web & mobile studio in Austin, TX, with the help of our contributors. We created Sails in 2012 to assist us on Node.js projects. Naturally we open-sourced it. We hope it makes your life a little bit easier!