Express cors middleware: dynamic origin callbacks and async allowlists
The origin option can be a function; load tenant allowlists from a database but cache aggressively to avoid latency spikes.
Error handling
If the callback throws, Express may return 500 without CORS headers—wrap in try/catch and return consistent errors.
Log the origin string when rejecting to help partners fix typos in scheme or port.
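The following is an added example, not code from the original post: an origin callback for the cors package that loads a tenant allowlist asynchronously, caches it with a TTL, never throws, and logs rejected origins. The names makeOriginCheck, loadAllowlist and ttlMs, and the choice to serve the stale list when a reload fails, are assumptions made for illustration.

```javascript
// Added example. loadAllowlist, ttlMs and the stale-on-failure policy are assumptions.
function makeOriginCheck({ loadAllowlist, ttlMs = 60000, now = Date.now, log = console.warn }) {
  let cache = null;    // { origins: Set<string>, expires: number }
  let inflight = null; // shared promise: concurrent misses trigger a single load

  async function getAllowlist() {
    if (cache && cache.expires > now()) return cache.origins;
    if (!inflight) {
      inflight = Promise.resolve()
        .then(loadAllowlist)
        .then((list) => {
          cache = { origins: new Set(list), expires: now() + ttlMs };
          return cache.origins;
        })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  // Signature the cors package expects for `origin`: (requestOrigin, callback(err, allow)).
  return function originCheck(origin, callback) {
    if (!origin) return callback(null, false); // no Origin header: not a CORS request
    getAllowlist()
      .catch((err) => {
        // Never throw or pass err: that would end in a 500 without CORS headers.
        // Assumed policy: fall back to the stale list, or deny if nothing was ever loaded.
        log(`CORS allowlist load failed: ${err.message}`);
        return cache ? cache.origins : new Set();
      })
      .then((origins) => {
        // Exact string match, so scheme and port must be identical.
        const allowed = origins.has(origin);
        // JSON.stringify escapes quotes and control characters before logging.
        if (!allowed) log(`CORS origin rejected: ${JSON.stringify(origin)}`);
        callback(null, allowed);
      });
  };
}

// Wiring (not executed here; the maxAge value is a constructed example):
//   app.use(cors({ origin: makeOriginCheck({ loadAllowlist }), maxAge: 600 }));
```

Each Node process holds its own copy of this cache, so an allowlist change becomes visible in a given process only after its ttlMs has elapsed.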
Preflight caching
Set maxAge based on how often your allowlist changes; frequent changes require shorter TTLs.
Behind multiple Node processes, ensure in-memory caches invalidate or use Redis.
