View our GitHub

Please visit sails-docs on GitHub to view documentation on your mobile device.

Edit Page


Configuration for Sails' built-in support for Cross-Origin Resource Sharing. CORS specifies how HTTP requests to your app originating from foreign domains should be treated. It is primarily used to allow third-party sites to make AJAX requests to your app, which are normally blocked by browsers following the same-origin policy.

These options are conventionally set in the config/cors.js configuration file. Note that these settings (with the exception of allRoutes) can be changed on a per-route basis in the config/routes.js file.


Property Type Default Details
allRoutes false Indicates whether the other CORS configuration settings should apply to every route in the app by default.
origin * Comma-delimited list of default hosts (beginning with http:// or https://) to give access to, or * to allow all domains CORS access. If allRoutes is true and origin is *, then your app will be fully accessible to sites hosted on foreign domains (except for routes which have their own CORS settings).
methods GET, POST, PUT, DELETE, OPTIONS, HEAD Comma-delimited list of methods that are allowed to be used in CORS requests. This is only used in response to preflight requests, so the inclusion of GET, POST, OPTIONS and HEAD, although customary, is not necessary.
headers content-type Comma-delimited list of headers that are allowed to be sent with CORS requests. This is only used in response to preflight requests.
exposeHeaders '' List of headers that browsers will be allowed to access. See access-control-expose-headers.
credentials true Indicates whether cookies can be shared in CORS requests.
securityLevel 0 Indicates how Sails should respond to requests from disallowed origins. In normal mode (0), Sails processes all requests normally, simply setting the appropriate CORS headers and leaving it to the client to determine how to handle the response. In high mode (1), Sails will send back a 403 response to requests from disallowed origins, if the origin starts with http or https. In very high mode (2), Sails will send back a 403 response to requests from disallowed origins, regardless of the origin protocol. See Security Levels in the CORS concepts documentation for more info.

Custom route config example

The following will allow cross-origin AJAX GET, PUT and POST requests to /foo/bar from sites hosted and DELETE requests, or requests from sites on any other domains, will be blocked by the browser.

'/foo/bar': {
  target: '',
  cors: {
    origin: ',',

Is something missing?

If you notice something we've missed or could be improved on, please follow this link and submit a pull request to the sails-docs repo. Once we merge it, the changes will be reflected on the website the next time it is deployed.


We wrote a book!

Get early access to the book
with promotion code: mcneildoc

Get the Book