Apa iku CORS lan kepiye carane nangani ing Node?

Question

Accepted Answer

**CORS** (Cross-Origin Resource Sharing) minangka mekanisme keamanan browser sing ngontrol apa-apa halaman web saka siji **origin** bisa nggawe requests menyang server ing **origin sing beda**. Secara baku, browser ngalangi cross-origin requests; server kudu ngijini kanthi eksplisit liwat response headers.

## Kebijakan same-origin lan masalahé

```text
Origin = scheme + host + port. These are DIFFERENT origins:
  https://app.example.com   →  https://api.example.com   (different host)
  http://localhost:3000     →  http://localhost:4000      (different port)

Browser blocks the cross-origin request UNLESS the server sends CORS headers allowing it.
```

Dadi aplikasi React ing `localhost:3000` sing nelpon API ing `localhost:4000` iku cross-origin — browser ngalangi kajaba API kasebut milih.

## Response headers utama

```text
Access-Control-Allow-Origin: https://app.example.com   ← who is allowed
Access-Control-Allow-Methods: GET, POST, PUT, DELETE   ← allowed methods
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true                 ← allow cookies/auth
```

Server ngontrol akses kanthi ngirim headers kasebut. Browser maca dan memutuskan apa-apa halaman bisa ndeleng response.

## Nangani CORS ing Express

```js
import cors from "cors";

// ❌ allow everything — convenient but insecure for credentialed/private APIs
app.use(cors());

// ✅ restrict to specific trusted origins
app.use(cors({
  origin: ["https://app.example.com", "http://localhost:3000"], // allowlist
  methods: ["GET", "POST", "PUT", "DELETE"],
  credentials: true, // allow cookies — REQUIRES a specific origin (not "*")
}));
```

Middleware `cors` nata headers kanggo sampeyan. Kanggo production, **watesin `origin` menyang allowlist** tinimbang `*` — lan elinga manawa ngijini credentials (`credentials: true`) ora cocok karo wildcard `*`.

## Preflight requests

```text
For "non-simple" requests (PUT/DELETE, custom headers, JSON), the browser first
sends an OPTIONS "preflight" request to check permissions. The cors middleware
handles responding to it automatically.
```

## Salah paham umum

```text
CORS is enforced by the BROWSER, not the server. It does NOT protect your API
from non-browser clients (curl, Postman, other servers) — those ignore CORS.
It only governs what browser JavaScript on other origins can do.
```

## Mengapa penting

CORS minangka salah satusan kendala paling umum ing web development — sakliyik-likne setup front-end-menyang-API kena (utamané ing local dev karo port berlainan).

Pamahaman *mengapa* wae ana (keamanan same-origin browser), kepiye server pilih liwat headers, kepiye ngonfigurasikake kanthi aman (allowlist origins, panganan careful credential), lan fakta penting manawa iku *browser* mekanisme (dudu authorization API) iku penting kanggo ngandhut front-ends menyang Node APIs kanthi bener lan aman tanpa dikurung utawa kebang-bangan server.