Wildcard CORS Support
XyPriss now supports wildcard patterns in CORS origin configurations, making it easier to handle multiple domains and ports during development and production.
Overview
The wildcard CORS feature allows developers to specify flexible origin patterns instead of listing every possible URL. This is particularly useful for:
- Development environments with multiple ports
- Microservices running on different ports
- Subdomain-based applications
- Dynamic port allocation in containerized environments
Supported Patterns
Port Wildcards
localhost:*- Matches any port on localhost127.0.0.1:*- Matches any port on 127.0.0.1::1:*- Matches any port on IPv6 localhost
Subdomain Wildcards
*.example.com- Matches any subdomain of example.com*.api.myapp.com- Matches any subdomain of api.myapp.com
Usage Examples
Basic Configuration
import { createServer } from "xypriss";
const app = createServer({
security: {
cors: {
origin: [
"localhost:*", // Allow any localhost port
"127.0.0.1:*", // Allow any 127.0.0.1 port
"*.myapp.com" // Allow any subdomain
]
}
}
});
Development vs Production
const isDevelopment = process.env.NODE_ENV === 'development';
const app = createServer({
security: {
cors: {
origin: isDevelopment
? [
"localhost:*",
"127.0.0.1:*",
"::1:*"
]
: [
"https://app.mycompany.com",
"https://admin.mycompany.com"
]
}
}
});
Mixed Patterns
const app = createServer({
security: {
cors: {
origin: [
"localhost:*", // Development
"https://app.example.com", // Exact production URL
"*.staging.example.com" // Staging subdomains
]
}
}
});
Pattern Matching Rules
URL Processing
- Full URLs are parsed to extract host:port
- Default ports are handled automatically (80 for HTTP, 443 for HTTPS)
- IPv6 addresses are properly processed (brackets removed for matching)
Examples of Matches
| Pattern | Matches | Doesn't Match |
|---|---|---|
localhost:* | http://localhost:3000<br>https://localhost:8080 | http://example.com:3000 |
*.test.com | https://api.test.com<br>https://app.test.com | https://test.com<br>https://malicious.com |
127.0.0.1:* | http://127.0.0.1:3000<br>https://127.0.0.1:8443 | http://localhost:3000 |
Advanced Configuration
With Credentials and Methods
const app = createServer({
security: {
cors: {
origin: ["localhost:*", "*.myapp.com"],
credentials: true,
methods: ["GET", "POST", "PUT", "DELETE"],
allowedHeaders: ["Content-Type", "Authorization"]
}
}
});
Using Middleware API
import { createServer } from "xypriss";
const app = createServer();
app.middleware({
cors: {
origin: ["localhost:*", "127.0.0.1:*"],
credentials: true
}
});
Security Considerations
Production Best Practices
- Be Specific: Use exact domains in production when possible
- Avoid Overly Broad Patterns:
*allows all origins - use specific wildcards - Validate Subdomains: Ensure you control all subdomains when using
*.domain.com
Development vs Production
// ✅ Good - Specific patterns
const corsConfig = {
origin: process.env.NODE_ENV === 'production'
? ["https://app.mycompany.com", "https://admin.mycompany.com"]
: ["localhost:*", "127.0.0.1:*"]
};
// ❌ Avoid - Too permissive for production
const corsConfig = {
origin: "*" // Allows ALL origins
};
Implementation Details
Automatic Detection
XyPriss automatically detects when wildcard patterns are used in the origin array and switches to custom pattern matching.
Performance
- Pattern compilation is done once during server initialization
- Regex matching is optimized for common patterns
- No performance impact when wildcards aren't used
Backward Compatibility
- Existing exact-match origins continue to work unchanged
- Mixed arrays (exact + wildcard) are fully supported
- Standard CORS options remain the same
Testing
Unit Tests
The wildcard functionality includes comprehensive tests covering:
- Port wildcard matching
- Subdomain wildcard matching
- IPv6 address handling
- Default port handling
- Edge cases and error conditions
Integration Testing
// Test wildcard CORS in your application
describe('CORS Wildcard', () => {
test('should allow localhost with any port', async () => {
const response = await request(app)
.options('/api/test')
.set('Origin', 'http://localhost:3000')
.expect(200);
expect(response.headers['access-control-allow-origin'])
.toBe('http://localhost:3000');
});
});
Migration Guide
From Exact Origins
Before:
cors: {
origin: [
"http://localhost:3000",
"http://localhost:3001",
"http://localhost:8080"
]
}
After:
cors: {
origin: ["localhost:*"]
}
From Permissive CORS
Before:
cors: {
origin: true // Allows all origins
}
After:
cors: {
origin: [
"localhost:*",
"127.0.0.1:*",
"*.yourdomain.com"
]
}
Troubleshooting
Common Issues
-
Pattern Not Matching
- Ensure the pattern syntax is correct
- Check if the origin includes protocol (http/https)
- Verify IPv6 addresses are properly formatted
-
Still Getting CORS Errors
- Check browser developer tools for the exact origin being sent
- Verify the pattern matches the origin format
- Ensure credentials settings match your request
Debug Mode
Enable debug logging to see CORS pattern matching:
const app = createServer({
logging: {
level: 'debug'
},
security: {
cors: {
origin: ["localhost:*"]
}
}
});
Changelog
Version 2.3.4
- ✅ Added wildcard pattern support for CORS origins
- ✅ Support for port wildcards (
localhost:*,127.0.0.1:*,::1:*) - ✅ Support for subdomain wildcards (
*.example.com) - ✅ Automatic pattern detection and switching
- ✅ Comprehensive test coverage
- ✅ Full backward compatibility