X'inhu CORS u kif tgħaddih f'Node?

Question

Accepted Answer

**CORS** (Cross-Origin Resource Sharing) huwa mekkaniżmu tas-sigurtà tal-browser li jikkontrolla jekk paġna web minn origin wieħed **origin** tista' tagħmel irjegħiet lil server fuq **origin differenti**. B'mod default, il-browsers jibblokka rjegħiet cross-origin; is-server irid jippermettihom b'mod espliċitu permezz ta' headers ta' rispons.

## Il-politika same-origin u l-problema

```text
Origin = scheme + host + port. These are DIFFERENT origins:
  https://app.example.com   →  https://api.example.com   (different host)
  http://localhost:3000     →  http://localhost:4000      (different port)

Browser blocks the cross-origin request UNLESS the server sends CORS headers allowing it.
```

Allura app React fil-`localhost:3000` li tċempja API fil-`localhost:4000` huwa cross-origin — il-browser jibblokka sakemm l-API ma jagħżal.

## Il-headers ta' rispons ewlenin

```text
Access-Control-Allow-Origin: https://app.example.com   ← who is allowed
Access-Control-Allow-Methods: GET, POST, PUT, DELETE   ← allowed methods
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true                 ← allow cookies/auth
```

Is-server jikkontrolla l-aċċess billi jibgħat dawn il-headers. Il-browser jaqrahom u jiddeċiedi jekk iħallix il-paġna tara r-rispons.

## Imnaqqas tal-CORS f'Express

```js
import cors from "cors";

// ❌ allow everything — convenient but insecure for credentialed/private APIs
app.use(cors());

// ✅ restrict to specific trusted origins
app.use(cors({
  origin: ["https://app.example.com", "http://localhost:3000"], // allowlist
  methods: ["GET", "POST", "PUT", "DELETE"],
  credentials: true, // allow cookies — REQUIRES a specific origin (not "*")
}));
```

Il-middleware `cors` jista' heads għalik. Għall-produzzjoni, **irrestrinġi `origin` għal whitelist** minflok `*` — u nżomm f'ħsieb li tippermetti kredenzjali (`credentials: true`) mhux kompatibli mad-wildcard `*`.

## Rjegħiet Preflight

```text
For "non-simple" requests (PUT/DELETE, custom headers, JSON), the browser first
sends an OPTIONS "preflight" request to check permissions. The cors middleware
handles responding to it automatically.
```

## Diskonsiderazzjoni komuni

```text
CORS is enforced by the BROWSER, not the server. It does NOT protect your API
from non-browser clients (curl, Postman, other servers) — those ignore CORS.
It only governs what browser JavaScript on other origins can do.
```

## Għaliex huwa importanti

CORS huwa wieħed mill-aktar stumbling blocks komuni fl-iżvilupp web — kważi kull setup front-end-għal-API jiffaċċjah (speċjalment fil-local dev b'ports differenti).

L-għarfien *għaliex* jeżisti (sigurtà same-origin browser), kif is-server jagħżal permezz ta' headers, kif jikkunfiguraha b'mod sigur (whitelist origins, trattament kredenzjali ċirkospett), u l-fatt kruċjali li huwa mekkaniżmu *ta' browser* (mhux awtorita API) huwa essenzjali biex taqbad b'mod korrett u sigur il-front-ends mal-Node APIs mingħajr ma tinblokkaw jew tħaffer żżejd is-server.