
express and cors package: middleware ordering, OPTIONS-first behavior, and production pitfalls behind reverse proxies

Place `cors()` before body parsers on routes that need a custom `Access-Control-Allow-Headers` list for JSON and file uploads.


Router mounting

Sub-routers under `/api/v2` still need CORS on the parent app unless you explicitly inherit middleware.

Static `express.static` middleware should not emit CORS headers for assets that never cross origins.

Error handlers

Global error middleware must append CORS headers on 5xx responses or SPAs show misleading network errors.

Rate limiters that return 429 should include `Retry-After` and a consistent `Access-Control-Allow-Origin` for credentialed retries.
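
The error-handler and rate-limiter points above, as an added sketch that is not code from the original post: Express-style handlers that attach the same allowlisted CORS headers to 5xx and 429 responses. The origin `https://app.example.com`, the function names, and the `fakeResponse` stand-in are assumptions made for illustration.

```javascript
'use strict';
// Assumption: hypothetical allowlist; replace with your real front-end origins.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Set CORS headers only for allowlisted origins. Reflecting an arbitrary
// Origin together with credentials would let any site read the response.
function setCorsHeaders(req, res) {
  // Keeps proxy caches from serving one origin's headers to another.
  // setHeader overwrites an existing Vary; in Express, res.vary('Origin') appends.
  res.setHeader('Vary', 'Origin');
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return false;
  res.setHeader('Access-Control-Allow-Origin', origin);
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  return true;
}

// Rate-limit rejection: 429 with Retry-After and the same origin policy
// that successful responses use, so a credentialed retry is readable.
function rejectRateLimited(req, res, retryAfterSeconds) {
  setCorsHeaders(req, res);
  res.setHeader('Retry-After', String(retryAfterSeconds));
  res.status(429).json({ error: 'rate_limited' });
}

// Express error middleware (four arguments); register it last with app.use().
function corsErrorHandler(err, req, res, next) {
  if (res.headersSent) return next(err);
  setCorsHeaders(req, res);
  const status = err.status >= 400 && err.status < 600 ? err.status : 500;
  // Keep internal error details out of 5xx bodies.
  const message = status >= 500 ? 'internal_error' : err.message;
  res.status(status).json({ error: message });
}

// Constructed stand-in for an Express response, so the handlers run offline.
function fakeResponse() {
  const res = { headers: {}, statusCode: 200, body: null, headersSent: false };
  res.setHeader = (k, v) => { res.headers[k.toLowerCase()] = v; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; res.headersSent = true; return res; };
  return res;
}
```
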
