
Forbid wildcard (*) CORS headers when credentials are true #400

Open
Vansh0204 wants to merge 1 commit into expressjs:master from Vansh0204:fix/credentials-wildcard

Conversation

@Vansh0204

Description

This PR addresses issue #333 by ensuring that the * wildcard is not used in Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, or Access-Control-Expose-Headers response headers when Access-Control-Allow-Credentials is set to true, as required by the Fetch Standard.

Changes

  • Origin: If origin: '*' (default) is set and credentials: true, the middleware now reflects the Origin request header and adds Vary: Origin.
  • Methods: If methods: '*' is explicitly set and credentials: true, the Access-Control-Allow-Methods header is omitted from the response.
  • Allowed Headers: If allowedHeaders: '*' is explicitly set and credentials: true, the Access-Control-Allow-Headers header is omitted from the response.
  • Exposed Headers: If exposedHeaders: '*' is explicitly set and credentials: true, the Access-Control-Expose-Headers header is omitted from the response.

Verification

  • Added a new test file test/issue-333.js covering all the above scenarios.
  • All existing tests pass.
  • Code coverage remains at 100%.
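The header rules the PR describes, as an added illustration that is not the expressjs/cors source: a small builder that computes the CORS response headers for one request, reflecting the Origin under credentials and dropping explicit wildcards for the other three headers. The function name, the option shape and the sample request are assumptions.

```javascript
// Added example, not the cors middleware itself. Builds the CORS response
// headers for a single request following the PR's rules.
function listValue(v) {
  return Array.isArray(v) ? v.join(',') : v;
}

// options: { origin, methods, allowedHeaders, exposedHeaders, credentials }
// requestHeaders: object keyed by lower-cased request header names
function buildCorsHeaders(options, requestHeaders) {
  const opts = Object.assign({ origin: '*', credentials: false }, options);
  const creds = opts.credentials === true;
  const out = {};

  // Origin: '*' is forbidden with credentials, so reflect the request's
  // Origin instead and add Vary: Origin so caches key on it.
  if (opts.origin === '*' && creds) {
    if (requestHeaders.origin) {
      out['Access-Control-Allow-Origin'] = requestHeaders.origin;
      out['Vary'] = 'Origin';
    }
  } else if (opts.origin === '*') {
    out['Access-Control-Allow-Origin'] = '*';
  } else {
    out['Access-Control-Allow-Origin'] = opts.origin;
    out['Vary'] = 'Origin';
  }

  if (creds) out['Access-Control-Allow-Credentials'] = 'true';

  // Methods / Allow-Headers / Expose-Headers: an explicit '*' combined with
  // credentials is omitted from the response rather than sent.
  const forbidden = (v) => v === undefined || (creds && v === '*');
  if (!forbidden(opts.methods)) {
    out['Access-Control-Allow-Methods'] = listValue(opts.methods);
  }
  if (!forbidden(opts.allowedHeaders)) {
    out['Access-Control-Allow-Headers'] = listValue(opts.allowedHeaders);
  }
  if (!forbidden(opts.exposedHeaders)) {
    out['Access-Control-Expose-Headers'] = listValue(opts.exposedHeaders);
  }
  return out;
}

// Constructed sample: a credentialed request from a page on https://app.example
const sampleRequest = { origin: 'https://app.example', 'access-control-request-method': 'POST' };
```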
