I have a site —— that makes calls to an API ——. The API is written in Express, and its using CORS package to allow the requests from the site:

app.use(
    cors({
        credentials: true,
        origin: "",
    })
);

The site can be accessed via or via . As you see, in the API am allowing explicitly the requests ing from the former address, but not from the latter. So if anyone access it via the latter address the requests to the API will be rejected.

What is the usual way to solve that? Allow explicitly both and ? Or maybe there is a way to ignore the subdomain www?

Thanks in advance!

--

EDIT:

As proposed I added explicitly to the cors configuration

app.use(
    cors({
        credentials: true,
        origin: ["", ""],
    })
);

But this didn't work. As a workaround what I just did is to redirect with a rewrite condition in .htaccess file —Apache server— from www domain to non www domain.

But the question now is: why even allowing www.example didnt work? Is there any mon reason for that?

I have a site —https://example.— that makes calls to an API —https://api.example.—. The API is written in Express, and its using CORS package to allow the requests from the site:

app.use(
    cors({
        credentials: true,
        origin: "https://example.",
    })
);

The site can be accessed via https://example. or via https://www.example.. As you see, in the API am allowing explicitly the requests ing from the former address, but not from the latter. So if anyone access it via the latter address the requests to the API will be rejected.

What is the usual way to solve that? Allow explicitly both https://example. and https://www.example.? Or maybe there is a way to ignore the subdomain www?

Thanks in advance!

--

EDIT:

As proposed I added https://www.example. explicitly to the cors configuration

app.use(
    cors({
        credentials: true,
        origin: ["https://example.", "https://www.example."],
    })
);

But this didn't work. As a workaround what I just did is to redirect with a rewrite condition in .htaccess file —Apache server— from www domain to non www domain.

But the question now is: why even allowing www.example. didnt work? Is there any mon reason for that?

• javascript
• node.js
• express
• cors

Share Improve this question Follow edited Jul 5, 2019 at 8:36 asked Jul 5, 2019 at 8:11 user7499416user7499416 5

• If the site can be accessed at both https://example. and https://www.example., then in your npm-cors config, you need to explicitly allow both https://example. and https://www.example.. There’s no other way to ignore/handle https://www.example.. – sideshowbarker ♦ Commented Jul 5, 2019 at 8:19
• You can specify a regular expression like https://(www.)example. for the npm-cors ‘origin’ value, but the effect of that is gonna be the same as if you just specified an array with the explicit values. And in the end the effect is anyway going to be that the server either sends back https://example. as the explicit value, or it sends back https://www.example.. Browsers treat the value literally — unless the value is the * wildcard. And of course as an alternative to specifying allowed origins, you always have the option to specify the * wildcard for the ‘origin’ config value – sideshowbarker ♦ Commented Jul 5, 2019 at 8:25
• Ok, then I will set them explicitly. Thanks! – user7499416 Commented Jul 5, 2019 at 8:28
• Hm, setting them explicitly didn't work. As a workaround what I just did is to redirect with a rewrite condition in .htaccess file —Apache server— from www domain to non www domain. But the question now is: even allowing www.example., why didnt work? I update the question – user7499416 Commented Jul 5, 2019 at 8:35
• Have you tried using regular expressions? – ionizer Commented Jul 5, 2019 at 9:03

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 2

The usual way would be to avoid having two websites on different origins with identical content.

Configure www.example. to issue an HTTP 301 redirect to example..

---

Allow explicitly both https://example. and https://www.example.?

That would work too. origin can be passed an array.

Or maybe there is a way to ignore the subdomain www?

origin can also be passed a regular expression.

You need to allow both domains. The API for doing this is a bit plicated. Basically you need to read the documentation of the CORS package:

app.use(
    cors({
        credentials: true,
        origin: function (origin callback) {
            switch (origin) {
                case "https://example.":
                case "https://www.example.":
                    callback(null, true); // allow these domains
                    break;
                default:
                    callback(new Error('Now allowed')); // block others
            }
        },
    })
);

The value of origin can only be either a string or your own custom logic implemented as a function.