rs / cors

Go net/http configurable handler to handle CORS requests
MIT License

Go CORS handler

CORS is a net/http handler implementing the W3C Cross-Origin Resource Sharing specification in Go.

Getting Started

After installing Go and setting up your GOPATH, create your first .go file. We'll call it server.go.

package main

import (
    "net/http"

    "github.com/rs/cors"
)

func main() {
    mux := http.NewServeMux()
    mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Content-Type", "application/json")
        w.Write([]byte("{\"hello\": \"world\"}"))
    })

    // cors.Default() sets up the middleware with default options:
    // all origins accepted with simple methods (GET, POST). See the
    // documentation below for more options.
    handler := cors.Default().Handler(mux)
    http.ListenAndServe(":8080", handler)
}

Install cors:

go get github.com/rs/cors

Then run your server:

go run server.go

The server now runs on localhost:8080:

$ curl -D - -H 'Origin: http://foo.com' http://localhost:8080/
HTTP/1.1 200 OK
Access-Control-Allow-Origin: foo.com
Content-Type: application/json
Date: Sat, 25 Oct 2014 03:43:57 GMT
Content-Length: 18

{"hello": "world"}

Allow * With Credentials Security Protection

This library has been modified to avoid a well-known security issue that arises when AllowedOrigins is set to * and AllowCredentials is set to true. With that setup the library used to reflect the request's Origin header value, working around a security protection built into the standard that makes clients refuse such a configuration. This behavior was removed with #55 and #57.

If you depend on this behavior and understand the implications, you can restore it by setting AllowOriginFunc to func(origin string) bool { return true }.

Please refer to #55 for more information about the security implications.
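
A regression check for the behavior this section describes, added here as an example and not taken from the cors project: it sends a request with an origin you do not trust and reports whether the handler echoes that origin back together with Access-Control-Allow-Credentials: true. The middleware withCORS, the policies allowAll and allowListed, the api handler and the origin http://untrusted.example are hypothetical, standard-library stand-ins so the example runs without dependencies.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// reflectsWithCredentials reports whether h echoes origin back in
// Access-Control-Allow-Origin while also allowing credentials.
func reflectsWithCredentials(h http.Handler, origin string) bool {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	hdr := rec.Result().Header
	return hdr.Get("Access-Control-Allow-Origin") == origin &&
		hdr.Get("Access-Control-Allow-Credentials") == "true"
}

// withCORS is a hypothetical stand-in for a CORS middleware (not rs/cors):
// allow plays the role of an AllowOriginFunc-style per-origin decision.
func withCORS(allow func(origin string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin") // response depends on Origin; keep caches honest
		if o := r.Header.Get("Origin"); o != "" && allow(o) {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// allowAll mirrors func(origin string) bool { return true }.
func allowAll(string) bool { return true }

// allowListed accepts only the two origins used in the Parameters section.
func allowListed(origin string) bool {
	return origin == "http://foo.com" || origin == "http://foo.com:8080"
}

var api = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.Write([]byte(`{"hello": "world"}`))
})

func main() {
	const untrusted = "http://untrusted.example" // constructed test origin
	fmt.Println("allow-all reflects untrusted:", reflectsWithCredentials(withCORS(allowAll, api), untrusted))
	fmt.Println("allowlist reflects untrusted:", reflectsWithCredentials(withCORS(allowListed, api), untrusted))
}
```

To audit a real configuration, pass the handler returned by c.Handler(...) to reflectsWithCredentials in a unit test and fail the build when it returns true for an origin outside your allowlist.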

More Examples

Parameters

Parameters are passed to the middleware through the cors.New method as follows:

c := cors.New(cors.Options{
    AllowedOrigins: []string{"http://foo.com", "http://foo.com:8080"},
    AllowCredentials: true,
    // Enable Debugging for testing, consider disabling in production
    Debug: true,
})

// Insert the middleware
handler = c.Handler(handler)

See API documentation for more info.

Benchmarks

goos: darwin
goarch: arm64
pkg: github.com/rs/cors
BenchmarkWithout-10             135325480            8.124 ns/op           0 B/op          0 allocs/op
BenchmarkDefault-10             24082140            51.40 ns/op        0 B/op          0 allocs/op
BenchmarkAllowedOrigin-10       16424518            88.25 ns/op        0 B/op          0 allocs/op
BenchmarkPreflight-10            8010259           147.3 ns/op         0 B/op          0 allocs/op
BenchmarkPreflightHeader-10      6850962           175.0 ns/op         0 B/op          0 allocs/op
BenchmarkWildcard/match-10      253275342            4.714 ns/op           0 B/op          0 allocs/op
BenchmarkWildcard/too_short-10  1000000000           0.6235 ns/op          0 B/op          0 allocs/op
PASS
ok      github.com/rs/cors  99.131s

Licenses

All source code is licensed under the MIT License.