Learn CORS In 6 Minutes
Summary
TLDRThis video tutorial explains how to resolve CORS errors in web development. It demonstrates using a simple script and server setup with Express, illustrating how to fix CORS by setting the 'Access-Control-Allow-Origin' header. The video shows how to use the 'cors' library in Express to allow requests from specific origins or any origin. It also covers handling preflight 'OPTIONS' requests for methods like PUT and DELETE, and how to enable the sending of cookies with CORS by setting the 'Access-Control-Allow-Credentials' header.
Takeaways
- π οΈ CORS stands for Cross-Origin Resource Sharing, and it's a mechanism that uses additional HTTP headers to tell browsers to allow a web application to request resources from a different domain than the one from which the first resource was served.
- π« A common CORS error occurs when a web application tries to fetch data from a server on a different port or domain, and the server does not have the appropriate CORS headers set.
- π§ To fix CORS errors, you need to set the 'Access-Control-Allow-Origin' header on the server to specify which origins are allowed to access the server's resources.
- π The script example in the video demonstrates a simple Express server setup that listens on port 3000 and how to configure it to allow requests from a client running on port 5500.
- π By default, browsers only allow requests to the same origin. If you need to make requests to a different origin, you must specify the allowed origins using the CORS headers.
- π The 'cors' library in Node.js is used to simplify the process of setting CORS headers in Express applications.
- π When making requests like PUT or DELETE, browsers send an 'OPTIONS' preflight request first to check if the actual request method is allowed by the server.
- π The 'cors' library allows you to specify which methods are allowed by setting the 'methods' property in the configuration.
- πͺ If you need to send cookies with a request (include credentials), you must set the 'Access-Control-Allow-Credentials' header to 'true' on the server.
- π The video provides a comprehensive guide to handling CORS errors and securing web applications by controlling which origins and methods are allowed.
- π For further reading and related security videos, resources are provided in the video description.
Q & A
What is the main issue the video script is addressing?
-The video script is addressing the issue of CORS (Cross-Origin Resource Sharing) errors that occur when trying to make requests from one origin to another, and how to fix them.
What is CORS and why is it important?
-CORS is a security feature implemented by browsers to restrict web pages from making requests to a different domain than the one that served the web page. It's important for security reasons to prevent malicious websites from making unauthorized requests to other domains.
What is the 'Access-Control-Allow-Origin' header and why is it necessary?
-The 'Access-Control-Allow-Origin' header is an HTTP response header that specifies which origins are permitted to read the response. It is necessary to allow requests from different origins to access the resources on the server.
How does the video demonstrate a CORS error?
-The video demonstrates a CORS error by showing an attempt to fetch data from localhost:3000 from a client running on localhost:5500, resulting in an error message stating that 'No 'Access-Control-Allow-Origin' header is present on the requested resource.'
What library is suggested to handle CORS in an Express server?
-The library suggested to handle CORS in an Express server is 'cors', which can be installed using npm.
What is the purpose of the 'methods' option in the 'cors' library?
-The 'methods' option in the 'cors' library is used to specify an array of HTTP methods that are allowed when making requests from different origins.
What is an 'OPTIONS' request and why is it used?
-An 'OPTIONS' request is a preflight request used by the browser to determine whether the actual request is allowed by the server. It is used for methods like PUT or DELETE to check if the server allows these types of requests.
How can you allow any origin to access your server resources using the 'cors' library?
-You can allow any origin to access your server resources by setting the 'origin' parameter in the 'cors' library to '*'.
What does the 'include' option do when set to 'credentials'?
-The 'include' option, when set to 'credentials', allows the request to include credentials such as cookies, authorization headers, or TLS client certificates.
How do you handle CORS when dealing with cookies?
-To handle CORS with cookies, you need to set the 'Access-Control-Allow-Credentials' header to 'true' on the server side, and include the 'credentials' option in the 'cors' library configuration.
What additional resources are provided for further learning about CORS?
-The video offers links to more security-related videos and a full written version of the video in the description below for further learning about CORS.
Outlines
π οΈ Understanding CORS Errors and Solutions
The paragraph discusses the common issue of CORS (Cross-Origin Resource Sharing) errors in web development. The speaker shares a personal anecdote about frequently encountering these errors and then realizing how to fix them. A simple example is provided where a client-side script tries to fetch data from a server but fails due to a CORS error. The error message indicates that no 'Access-Control-Allow-Origin' header is present on the requested resource. The speaker explains that to fix CORS, one must allow requests from different origins by setting the appropriate headers. A library called 'cors' is introduced to help set these headers in an Express server. Before and after scenarios are discussed, showing how setting the 'Access-Control-Allow-Origin' header allows data to be fetched successfully. The importance of matching the origin in the header to the actual URL making the request is highlighted, and the concept of allowing any origin by using a '*' is also explained.
π Fine-Tuning CORS with Methods and Credentials
This paragraph delves into more advanced CORS configurations, such as controlling which HTTP methods are allowed for cross-origin requests. By default, the 'cors' library allows all methods, but the speaker demonstrates how to restrict this to only 'GET' and 'POST' requests, effectively disallowing 'PUT' requests. The concept of 'OPTIONS' requests, which are preflight requests for 'PUT', 'DELETE', and other non-simple methods, is introduced. The paragraph explains how to respond to these preflight requests by setting the 'Access-Control-Allow-Methods' header. The speaker also covers how to handle cookies and credentials in CORS requests. By default, cookies are not sent with cross-origin requests, but this can be enabled by setting the 'Access-Control-Allow-Credentials' header to 'true'. The paragraph concludes with a mention of additional security-related videos and a written version of the content available in the description, thanking viewers for their time.
Mindmap
Keywords
π‘CORS
π‘Access-Control-Allow-Origin
π‘Express
π‘Middleware
π‘Origin
π‘Preflight Request
π‘Options Request
π‘Access-Control-Allow-Methods
π‘Access-Control-Allow-Credentials
π‘Credentials
π‘npmi
Highlights
Introduction to CORS errors and how they can be fixed.
Explanation of a simple CORS error example with a script file accessing a server.
Description of the error message indicating the absence of an Access-Control-Allow-Origin header.
Explanation of how Access-Control-Allow-Origin header allows requests from different origins.
Demonstration of setting the header inside Express using the CORS library.
Before and after comparison of CORS error resolution.
Clarification that the default allowed origin is the same origin.
Instructions on specifying allowed origins for cross-origin requests.
Example of fixing CORS by setting the Access-Control-Allow-Origin header to localhost:5500.
Mistake of setting the origin to localhost:5500 instead of 127.0.0.1 and its correction.
Solution to allow any origin by setting the Access-Control-Allow-Origin to a star (*).
Discussion on the limitations of CORS with PUT requests and the need for OPTIONS preflight requests.
Explanation of how to handle OPTIONS preflight requests and the Access-Control-Allow-Methods header.
Demonstration of restricting allowed methods to GET and POST using the CORS library.
Example of how to allow PUT requests by including them in the allowed methods.
Introduction to the concept of sending cookies with CORS and the need for Access-Control-Allow-Credentials header.
Instruction on setting the Access-Control-Allow-Credentials header to true to enable cookie transmission.
Conclusion and summary of the key points about CORS.
Invitation to check out more security-related videos and a written version of the video.
Transcripts
00:00we have technology
00:07it didn't work
00:08[Music]
00:11that used to be me every single time i
00:14ran into a
00:15error until i realized just how easy it
00:17is to fix these errors
00:19so in this video i'm going to show you
00:20everything you need to know about course
00:22so you never have to run into these
00:23types of errors
00:24here's a quick example of a course error
00:27as you can see i just have a simple
00:28script file that's running on my client
00:30it's accessing our server trying to get
00:32some data and it's trying to print that
00:34data out and on our server you can see
00:35we have that data response
00:37we're just using express to set up the
00:38server listening on port 3000
00:41and as you can see when we're trying to
00:42fetch from localhost 5500
00:45to localhost 3000 it's saying that we
00:47cannot fetch that because of course
00:49and it's saying that no access control
00:51allow origin header is present on the
00:52requested resource
00:54and that tells you exactly what you need
00:56to do to fix cores
00:57in order to allow a request to go from
01:00one origin to another so for example
01:02localhost port 5500 to localhost 3000
01:05we need to tell the browser hey we allow
01:08requests to come from other urls
01:10and this is what the access control
01:12allow origin allows us to do it says
01:14where do you allow requests to come from
01:16so our server is telling our client
01:18hey these are the allowed urls that are
01:20able to access us
01:21by default the only allowed url is the
01:24same origin that you come from so we can
01:25make requests from our current origin
01:27but when you're trying to make requests
01:28from a different origin you need to
01:30specify the origins that are allowed
01:32now in order to do this setting of the
01:34header inside of express
01:35we're going to be using a library called
01:36cores to do that and i'll show you the
01:38before and after of what happens
01:39we go to the network tab here we can see
01:41that this data request is being made
01:43and if i just try to come in here and
01:44look at the different headers you can
01:46see that my response headers has nothing
01:48to do with that application
01:50or access control allow origins you can
01:52see it doesn't exist anywhere inside of
01:54here
01:54but if we install that coors library so
01:56we say npmi
01:57cores that's just going to install those
01:59for express there's a million different
02:01ways to do this depending on what
02:02library you're using so if you're using
02:03express it's going to be this course
02:05library
02:05if you're using like python or go
02:07there's going to be their own library or
02:08you can manually set the headers on your
02:10own
02:10but we can just say app.use course and
02:13this is a function
02:14and the first thing we're going to pass
02:15to it is our origin and this is the
02:17origin of the client that we allow
02:19which we know is just localhost 5500
02:23so now if i just make sure that i take
02:26cores and require
02:27that cores library and i save you can
02:30see that
02:31if we go over to our console we're still
02:32getting that request error and that's
02:34because this origin has a value of
02:35localhost 5500
02:37but it's not equal to 127.0.0.1 because
02:40that's our actual url
02:42so let's say 127.0.0.1
02:45now when we save you can see it actually
02:46prints out the data instead of giving us
02:48a course error
02:49if we come in here let's just make sure
02:50we refresh all this open up our data and
02:52you can see we have an access control
02:54allow origin
02:55and it has the actual url that we're
02:57trying to make the request
02:58from so our server is saying hey you
03:00know what if you're coming from this
03:01you know origin then we allow any
03:03request to come up
03:05but let's say this is 5501 that's now a
03:08different origin
03:09so now we're getting that error because
03:10it's saying hey you know what you're not
03:11equal to the allowable origins
03:13also if you want to allow any origin at
03:15all just put a star inside of here
03:18and now if we save this with just a star
03:21you can see that the data is coming
03:22through just fine
03:23and that's because our axis allowed
03:24origins here we come in here our access
03:27control
03:27origin is for every single thing it's
03:29because we have a star here
03:31now this works great when it comes to
03:32things like git and post request this is
03:34going to solve all of your problems for
03:36cores immediately
03:37but if you need to do something like a
03:38put request so if we change this to a
03:40put
03:41and then inside of here we just make our
03:44method
03:46a put method well now we actually have
03:50a different problem that we're going to
03:51run into you'll notice we come in here
03:52let's just
03:53change this back to http
03:58127.0.0.1 port 550
04:01and we click save here and we go to our
04:03console you notice it's printing
04:04everything out just fine
04:05if we go over to our network tab though
04:07and we go to this other section you're
04:08going to notice we also have these
04:10things called
04:10options request and options request is
04:12essentially a preflight request
04:14whenever we do something like a put or
04:16we do something like a delete
04:17we're going to need to do this options
04:19request to make sure we're allowed to do
04:20this put in this delete and if we scroll
04:22down to the response headers you'll see
04:24this access control request method
04:26it's saying hey i want to make a put
04:27request am i allowed to do that
04:29and if you scroll up you're going to see
04:31that we also respond with access control
04:32allowed methods and by default this is
04:34returning everything git head put patch
04:36post delete so it's saying we're allowed
04:37to do all these different types of
04:38things
04:39well inside of course we can actually
04:41change our methods so we can just say
04:43methods
04:44we can pass in an array so we could say
04:45you know what only allow git
04:47and post request no put no none of that
04:50now when i save and i go to the console
04:51we're getting a coors error and that's
04:53because we're trying to use the method
04:54put
04:55but it's not being allowed if we go to
04:56that options you can see that we only
04:58are allowing git
04:59and post and that doesn't match the put
05:01that we're trying to actually do a
05:02request
05:03on we can use this method to fine tune
05:05what different things we allow
05:07other urls to actually do by default
05:09it's allowing everything with this
05:10course library but we could say you know
05:12only do git and post and no puts are
05:14going to be allowed
05:14or we could remove that and now if this
05:16will actually successfully work because
05:18put
05:18is being allowed now the final thing
05:20that i want to talk about with course is
05:21going to be how you can actually send up
05:23cookies because by
05:24default cookies are blocked if we come
05:26into here we can just say that we want
05:27to pass
05:28in credentials and we just say include
05:30that's going to include our credentials
05:31in the request and you notice we
05:33immediately get
05:33cores issues again because we don't have
05:35an access control allow credentials
05:37header so we need to set this access
05:39control allow credentials header
05:40on the server this is as easy as just
05:42saying with i'm sorry credentials
05:44and setting that to true that is going
05:46to set this access control allow
05:47credentials
05:48and if we go to our network and we go
05:50and we scroll down here you'll see
05:52access control allow credentials is set
05:54to true that's all there is to cores
05:56if you're interested in more security
05:58related videos they're going to be
05:59linked over here and a full written
06:00version of this video is also linked
06:02down in the description below
06:03thank you very much for watching and
06:04have a good day
Browse More Related Video
#26: Connect React with NodeJS & MongoDB | Stored Registration Form Data in Database in MERN
Quick Tutorial - Users and Permissions in SQL Server
MERN quiz creator app Part 2: Creating a database, Creating a basic api, adding JWT authentication.
Express JS #5 - Post Requests
ESP32 Servo Motor Web Server with Arduino IDE
Build a Microservice with Go #1 - Getting Started
5.0 / 5 (0 votes)