Cross-Origin Resource Sharing (CORS)
CORS is a mechanism that allows browser scripts on pages served from other domains (e.g. myothersite.com) to talk to your server (e.g. api.mysite.com). Like JSONP, the goal of CORS is to circumvent the same-origin policy, allowing your Sails server to successfully respond to requests from client-side JavaScript code running on a page hosted from some other domain. Unlike JSONP, it works with more than just GET requests, and it allows you to whitelist particular origins (staging.yoursite.com or yourothersite.net) and prevent requests from others (evil.com).
Sails can be configured to allow cross-origin requests from a list of domains you specify, or from every domain. This can be done on a per-route basis, or globally for every route in your app.
Enabling CORS
#For security reasons, CORS is disabled by default in Sails. But enabling it is simple.
To allow cross-origin requests from a whitelist of trusted domains to any route in your app, simply enable allRoutes and provide an origin setting in config/security.js:
cors: {
allRoutes: true,
allowOrigins: ['http://example.com','https://api.example.com','http://blog.example.com:1337','https://foo.com:8888']
}
To allow cross-origin requests from any domain to any route in your app, use allowOrigins: '*':
cors: {
allRoutes: true,
allowOrigins: '*',
allowCredentials: false
}
Note that when using allowOrigins: '*', the allowCredentials setting must be false, which means that requests containing cookies will be blocked. This restriction exists to prevent third-party sites from being able to trick your logged-in users into making unauthorized requests to your app. You can lift this restriction (at your own risk!) using the allowAnyOriginWithCredentialsUnsafe setting.
See sails.config.security.cors for a comprehensive reference of all available options.
Configuring CORS for individual routes
#In addition to the global CORS configuration in config/security.js, these settings can be configured on a per-route basis in config/routes.js.
If you set allRoutes: true in config/security.js but want to exempt a specific route, set cors: false in the route's target:
'POST /signup': {
action: 'user/signup',
cors: false
}
To enable or override global CORS configuration for a particular route, provide cors as a dictionary:
'GET /videos': {
action: 'video/find',
cors: {
allowOrigins: ['http://example.com','https://api.example.com','http://blog.example.com:1337','https://foo.com:8888'],
allowCredentials: false
}
}
Notes
#
- CORS support is only relevant for HTTP requests. Requests made via sockets are not subject to cross-origin restrictions. To ensure that your app is secure via sockets, configure the
onlyAllowOriginssetting (typically inconfig/env/production.js).- CORS is not supported in Internet Explorer 7. Fortunately, it is supported in IE8 and up, as well as in all other modern browsers.
- Read more about CORS from MDN.
- Read the CORS spec.
For a better experience on sailsjs.com, update your browser.
Concepts
Built with Love
The Sails framework is built by a web & mobile shop in Austin, TX, with the help of our contributors. We created Sails in 2012 to assist us on Node.js projects. Naturally we open-sourced it. We hope it makes your life a little bit easier!
© 2012-2025 The Sails Company.
The Sails framework is free and open-source under the MIT License.
Illustrations by Edamame.