CORS(跨域资源共享)是一种浏览器安全机制,用于控制来自一个来源的网页是否可以向位于不同来源的服务器发出请求。默认情况下,浏览器会阻止跨域请求;服务器必须通过响应头明确允许这些请求。
Origin = scheme + host + port. These are DIFFERENT origins:
https://app.example.com → https://api.example.com (different host)
http://localhost:3000 → http://localhost:4000 (different port)
Browser blocks the cross-origin request UNLESS the server sends CORS headers allowing it.
因此, 上的 React 应用调用 上的 API 是跨域的——除非 API 选择允许,否则浏览器会阻止它。
localhost:3000localhost:4000Access-Control-Allow-Origin: https://app.example.com ← who is allowed
Access-Control-Allow-Methods: GET, POST, PUT, DELETE ← allowed methods
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true ← allow cookies/auth
服务器通过发送这些头来控制访问。浏览器读取它们并决定是否允许页面查看响应。
import cors from "cors";
// ❌ allow everything — convenient but insecure for credentialed/private APIs
app.use(cors());
// ✅ restrict to specific trusted origins
app.use(cors({
origin: ["https://app.example.com", "http://localhost:3000"], // allowlist
methods: ["GET", "POST", "PUT", "DELETE"],
credentials: true, // allow cookies — REQUIRES a specific origin (not "*")
}));
cors 中间件为你设置头。在生产环境中,将 origin 限制为允许列表而不是 * ——并注意允许凭证(credentials: true)与通配符 * 不兼容。
For "non-simple" requests (PUT/DELETE, custom headers, JSON), the browser first
sends an OPTIONS "preflight" request to check permissions. The cors middleware
handles responding to it automatically.
CORS is enforced by the BROWSER, not the server. It does NOT protect your API
from non-browser clients (curl, Postman, other servers) — those ignore CORS.
It only governs what browser JavaScript on other origins can do.
CORS 是网络开发中最常见的绊脚石之一——几乎每个前端到 API 的设置都会遇到它(特别是在使用不同端口的本地开发中)。
理解为什么它存在(浏览器同源安全)、服务器如何通过头选择加入、如何安全地配置它(允许列表来源、谨慎的凭证处理),以及它是浏览器机制(而不是 API 授权)这一关键事实,对于正确且安全地将前端连接到 Node API,而不是被阻止或过度暴露服务器是必不可少的。