CORS ni nini na unajifanya vipi katika Node?

Question

Accepted Answer

**CORS** (Cross-Origin Resource Sharing) ni mekanizmi ya usalama wa kipeleweke ambayo inakuza kama ukurasa wa wavu kutoka kwa **origin** moja unaweza kuomba kwenye seva kwenye **origin nyingine**. Kwa chaguo-msingi, kipeleweke kinazuia maombi ya cross-origin; seva lazima iruhusu wazi kupitia headers za jibu.

## Sera ya same-origin na tatizo

```text
Origin = scheme + host + port. These are DIFFERENT origins:
  https://app.example.com   →  https://api.example.com   (different host)
  http://localhost:3000     →  http://localhost:4000      (different port)

Browser blocks the cross-origin request UNLESS the server sends CORS headers allowing it.
```

Kwa hivyo programu ya React kwenye `localhost:3000` inayoita API kwenye `localhost:4000` ni cross-origin — kipeleweke kinazuia isipokuwa API ichague kuruhusu.

## Headers za jibu muhimu zaidi

```text
Access-Control-Allow-Origin: https://app.example.com   ← who is allowed
Access-Control-Allow-Methods: GET, POST, PUT, DELETE   ← allowed methods
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true                 ← allow cookies/auth
```

Seva inakuza upatikanaji kwa kutuma headers hizi. Kipeleweke kinazisoma na kuamua kama iruhusu ukurasa kuona jibu.

## Kutunza CORS katika Express

```js
import cors from "cors";

// ❌ allow everything — convenient but insecure for credentialed/private APIs
app.use(cors());

// ✅ restrict to specific trusted origins
app.use(cors({
  origin: ["https://app.example.com", "http://localhost:3000"], // allowlist
  methods: ["GET", "POST", "PUT", "DELETE"],
  credentials: true, // allow cookies — REQUIRES a specific origin (not "*")
}));
```

Middleware ya `cors` inaweka headers kwa ajili yako. Kwa uzalishaji, **zuia `origin` kwenye orodha ya kunuruhusu** badala ya `*` — na kumbuka kwamba kuruhusu akaunti (`credentials: true`) haulingani na wildcard `*`.

## Maombi ya preflight

```text
For "non-simple" requests (PUT/DELETE, custom headers, JSON), the browser first
sends an OPTIONS "preflight" request to check permissions. The cors middleware
handles responding to it automatically.
```

## Dhani ya kawaida

```text
CORS is enforced by the BROWSER, not the server. It does NOT protect your API
from non-browser clients (curl, Postman, other servers) — those ignore CORS.
It only governs what browser JavaScript on other origins can do.
```

## Kwa nini inastahili

CORS ni moja ya vizuizi vya kawaida zaidi katika maendeleo ya wavu — karibu kila usanidi wa front-end-hadi-API unakutana nayo (hasa katika maendeleo ya ndani na milango tofauti).

Kuelewa *kwa nini* inapatikana (usalama wa same-origin wa kipeleweke), jinsi seva ichaguaje kuruhusu kupitia headers, jinsi unavyoiweka salama (orodha ya kunuruhusu origins, kushughulikia kwa makini akaunti), na ukweli muhimu kwamba ni mekanizmi ya *kipeleweke* (si idhini ya API) ni muhimu kwa kuunganisha kwa usahihi na salama mbele-ends kwenye Node APIs bila kuzuiwa au kuexpose sehemu nyingi za seva.