MasterController

CORS

Let your Next.js frontend call the API — safely.

Because a Master app runs the frontend and backend on different origins in development, the backend enables CORS for the frontend. Configure it with master.cors.init() after setupServer(); it auto-registers with the pipeline.

Basic setup

server.js
const server = master.setupServer('http');

master.cors.init({
  origin: [process.env.FRONTEND_URL || 'http://localhost:3000'],
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
});

Allow-listing origins

Pass an explicit array of origins. This is the safe default for production:

javascript
master.cors.init({
  origin: ['https://app.example.com', 'https://admin.example.com'],
  credentials: true,
});

Wildcard + credentials is rejected
For security, origin: true with credentials: true throws at startup — it would let any site read authenticated responses. Use an explicit origin list when you need credentials. A literal origin: '*' is allowed only without credentials.
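
The rule in the callout above, sketched as standalone code. This is an added example, not MasterController's own implementation: `validateCorsOptions` and `corsHeadersFor` are hypothetical names, and treating `origin: true` like `'*'` when credentials are off is an assumption.

```javascript
// Added illustration of the allow-list rule described above.
// Not MasterController code; both function names are hypothetical.

// Fail at startup on the unsafe combination instead of at request time.
function validateCorsOptions({ origin, credentials = false }) {
  const wildcard = origin === true || origin === '*';
  if (wildcard && credentials) {
    throw new Error('CORS: wildcard origin cannot be combined with credentials');
  }
  if (!wildcard && !Array.isArray(origin)) {
    throw new Error('CORS: origin must be true, "*" or an array of origins');
  }
  return { origin, credentials, wildcard };
}

// Decide which CORS response headers a request with the given Origin gets.
function corsHeadersFor(requestOrigin, options) {
  const { origin, credentials, wildcard } = validateCorsOptions(options);

  if (wildcard) {
    // Assumption: any-origin mode answers with a literal "*", never credentials.
    return { 'Access-Control-Allow-Origin': '*' };
  }

  // Exact string comparison only: no prefix, suffix or pattern matching,
  // so a look-alike host that merely starts with an allowed origin fails.
  if (!requestOrigin || !origin.includes(requestOrigin)) {
    return {}; // no CORS headers, so the browser blocks the cross-origin read
  }

  const headers = {
    'Access-Control-Allow-Origin': requestOrigin,
    // Tell caches the response differs per requesting origin.
    'Vary': 'Origin',
  };
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}
```
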

Same-origin alternative

Prefer no CORS at all? Proxy the API through Next.js with a rewrite so the browser only ever talks to one origin:

frontend/next.config.mjs
const nextConfig = {
  async rewrites() {
    return [{ source: '/api/:path*', destination: 'http://localhost:3001/:path*' }];
  },
};
export default nextConfig;