Skip to main content
Version: v2.x

CORS

CORS middleware for Fiber that can be used to enable Cross-Origin Resource Sharing with various options.

Signatures

func New(config ...Config) fiber.Handler

Examples

Import the middleware package that is part of the Fiber web framework

import (
  "github.com/gofiber/fiber/v2"
  "github.com/gofiber/fiber/v2/middleware/cors"
)

After you initiate your Fiber app, you can use the following possibilities:

// Initialize default config
app.Use(cors.New())

// Or extend your config for customization
app.Use(cors.New(cors.Config{
    AllowOrigins: "https://gofiber.io, https://gofiber.net",
    AllowHeaders:  "Origin, Content-Type, Accept",
}))

Using the AllowOriginsFunc function. In this example any origin will be allowed via CORS.

For example, if a browser running on http://localhost:3000 sends a request, this will be accepted and the access-control-allow-origin response header will be set to http://localhost:3000.

Note: Using this feature is discouraged in production and it's best practice to explicitly set CORS origins via AllowOrigins.

app.Use(cors.New())

app.Use(cors.New(cors.Config{
    AllowOriginsFunc: func(origin string) bool {
        return os.Getenv("ENVIRONMENT") == "development"
    },
}))

Config

// Config defines the config for middleware.
type Config struct {
    // Next defines a function to skip this middleware when returned true.
    //
    // Optional. Default: nil
    Next func(c *fiber.Ctx) bool

    // AllowOriginsFunc defines a function that will set the 'access-control-allow-origin'
    // response header to the 'origin' request header when returned true.
    // 
    // Note: Using this feature is discouraged in production and it's best practice to explicitly
    // set CORS origins via 'AllowOrigins'
    //
    // Optional. Default: nil
    AllowOriginsFunc func(origin string) bool

    // AllowOrigin defines a list of origins that may access the resource.
    //
    // Optional. Default value "*"
    AllowOrigins string

    // AllowMethods defines a list methods allowed when accessing the resource.
    // This is used in response to a preflight request.
    //
    // Optional. Default value "GET,POST,HEAD,PUT,DELETE,PATCH"
    AllowMethods string

    // AllowHeaders defines a list of request headers that can be used when
    // making the actual request. This is in response to a preflight request.
    //
    // Optional. Default value "".
    AllowHeaders string

    // AllowCredentials indicates whether or not the response to the request
    // can be exposed when the credentials flag is true. When used as part of
    // a response to a preflight request, this indicates whether or not the
    // actual request can be made using credentials.
    //
    // Optional. Default value false.
    AllowCredentials bool

    // ExposeHeaders defines a whitelist headers that clients are allowed to
    // access.
    //
    // Optional. Default value "".
    ExposeHeaders string

    // MaxAge indicates how long (in seconds) the results of a preflight request
    // can be cached.
    //
    // Optional. Default value 0.
    MaxAge int
}

Default Config

var ConfigDefault = Config{
    Next:         nil,
    AllowOriginsFunc: nil,
    AllowOrigins: "*",
    AllowMethods: strings.Join([]string{
        fiber.MethodGet,
        fiber.MethodPost,
        fiber.MethodHead,
        fiber.MethodPut,
        fiber.MethodDelete,
        fiber.MethodPatch,
    }, ","),
    AllowHeaders:     "",
    AllowCredentials: false,
    ExposeHeaders:    "",
    MaxAge:           0,
}
Last updated on by RW