cors function
Middleware
cors({})
CORS middleware
By default, no origins are allowed. You must explicitly specify allowed origins.
Use origins: ['*'] only for public APIs — never for authenticated endpoints.
Implementation
Middleware cors({
required List<String> origins,
List<String> methods = const ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
List<String> headers = const ['Content-Type', 'Authorization'],
}) {
return (Handler innerHandler) {
return (Request request) async {
final origin = request.headers['origin'] ?? '';
final allowedOrigin = origins.contains('*') ? '*' : (origins.contains(origin) ? origin : null);
if (request.method == 'OPTIONS') {
return Response.ok('', headers: {
if (allowedOrigin != null) 'Access-Control-Allow-Origin': allowedOrigin,
'Access-Control-Allow-Methods': methods.join(', '),
'Access-Control-Allow-Headers': headers.join(', '),
});
}
final response = await innerHandler(request);
return response.change(headers: {
...response.headers,
if (allowedOrigin != null) 'Access-Control-Allow-Origin': allowedOrigin,
});
};
};
}