Skip to content

feat: support route-level CORS configuration #384

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat: support route-level CORS configuration #384

wants to merge 7 commits into from

Conversation

@vimutti77
Copy link

@vimutti77 vimutti77 commented Aug 20, 2025
edited
Loading

Checklist

This PR adds support for configuring CORS on a per-route basis via config.cors. This allows developers to override or disable CORS behavior for specific routes, while still using the global plugin configuration as a default.

const fastify = require('fastify')()

fastify.register(require('@fastify/cors'), { origin: 'https://example.com' })

fastify.get('/cors-enabled', (_req, reply) => {
  reply.send('CORS headers applied')
})

fastify.get('/cors-allow-all', {
  config: {
    cors: {
      origin: '*', // Allow all origins for this route
    },
  },
}, (_req, reply) => {
  reply.send('Custom CORS headers applied')
})

fastify.get('/cors-disabled', {
  config: {
    cors: false, // Disable CORS for this route
  },
}, (_req, reply) => {
  reply.send('No CORS headers')
})

fastify.listen({ port: 3000 })

@Fdawgs Fdawgs requested a review from Copilot November 6, 2025 20:10
Copilot AI reviewed Nov 6, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for route-level CORS configuration overrides, allowing developers to customize or disable CORS on a per-route basis using the config.cors option.

  • Implemented route-level CORS configuration merging with global settings
  • Added comprehensive test coverage for route-level overrides
  • Updated documentation with clear examples of the new feature

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
index.js Modified addCorsHeadersHandler to merge global and route-level CORS options, enabling per-route customization
test/cors.test.js Added test case validating route-level CORS configuration including default inheritance, custom overrides, and disabling
README.md Updated documentation with examples demonstrating route-level CORS configuration patterns
Comments suppressed due to low confidence (1)

index.js:183

  • The check for cors: false happens too late in the execution flow. When req.routeOptions.config?.cors === false, the code should skip CORS processing entirely, but currently:
  1. Line 160 attempts to merge options (spreading false is a no-op, so this doesn't work correctly)
  2. Line 168 evaluates and potentially wraps the origin function
  3. Line 170 calls the origin resolver (which could be an expensive function call or async operation)
  4. Only at line 181 does it check if CORS should be disabled

This means for routes with cors: false, unnecessary work is done. The check should be moved before line 160 to avoid this:

// Check if CORS is disabled for this route
if (req.routeOptions.config?.cors === false) {
  return next()
}

const options = { ...globalOptions, ...(typeof req.routeOptions.config?.cors === 'object' ? req.routeOptions.config.cors : {}) }
function addCorsHeadersHandler (fastify, globalOptions, req, reply, next) {
  const options = { ...globalOptions, ...req.routeOptions.config?.cors }

  if ((typeof options.origin !== 'string' && options.origin !== false) || options.dynamic) {
    // Always set Vary header for non-static origin option
    // https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches
    addOriginToVaryHeader(reply)
  }

  const resolveOriginOption = typeof options.origin === 'function' ? resolveOriginWrapper(fastify, options.origin) : (_, cb) => cb(null, options.origin)

  resolveOriginOption(req, (error, resolvedOriginOption) => {
    if (error !== null) {
      return next(error)
    }

    // Disable CORS and preflight if false
    if (resolvedOriginOption === false) {
      return next()
    }

    // Allow routes to disable CORS individually
    if (req.routeOptions.config?.cors === false) {
      return next()
    }

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@vimutti77
Update README.md
059dc3d 
Co-authored-by: Copilot <[email protected]>
Signed-off-by: Vantroy <[email protected]>
Eomm
Eomm reviewed Nov 8, 2025
View reviewed changes
@Eomm
chore: Update README.md
3cafefa 
Signed-off-by: Manuel Spigolon <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Eomm Eomm Eomm left review comments

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vimutti77 @Eomm