CORS on Meteor

Meteor is a full-stack JavaScript framework built on Node.js. To add CORS authorization to a Meteor application, use the webapp package's WebApp.rawConnectHandlers to customize HTTP headers.

Understanding Meteor CORS

Meteor uses two different communication protocols:

• DDP (Distributed Data Protocol): WebSocket-based protocol for Meteor Methods and subscriptions. CORS is less relevant for DDP connections.
• REST/HTTP endpoints: Traditional HTTP endpoints that require CORS configuration for cross-origin access.

The WebApp.rawConnectHandlers middleware affects HTTP requests but not DDP connections. If you're exposing REST APIs alongside your Meteor application, you'll need proper CORS configuration.

Secure CORS Implementation

Here's a production-ready CORS implementation with origin validation, preflight handling, and proper security headers:

// server/cors.js
import { WebApp } from 'meteor/webapp';

const allowedOrigins = [
  'https://example.com',
  'https://app.example.com',
  'https://admin.example.com'
];

WebApp.rawConnectHandlers.use(function(req, res, next) {
  const origin = req.headers.origin;

  // Validate origin against whitelist
  if (allowedOrigins.includes(origin)) {
    res.setHeader("Access-Control-Allow-Origin", origin);
    res.setHeader("Vary", "Origin");
    res.setHeader("Access-Control-Allow-Credentials", "true");
  }

  res.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Requested-With");
  res.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");

  // Handle preflight requests
  if (req.method === "OPTIONS") {
    res.setHeader("Access-Control-Max-Age", "86400"); // 24 hours
    res.writeHead(204);
    res.end();
    return;
  }

  next();
});

Path-Specific CORS

You can configure different CORS policies for different API paths using the optional path argument:

Public API (Open Access)

// Public API - allows any origin
WebApp.rawConnectHandlers.use("/api/public", function(req, res, next) {
  res.setHeader("Access-Control-Allow-Origin", "*");
  res.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS");

  if (req.method === "OPTIONS") {
    res.setHeader("Access-Control-Max-Age", "86400");
    res.writeHead(204);
    res.end();
    return;
  }

  return next();
});

Private API (Restricted Access)

// Private API - restricted to specific origins
const allowedOrigins = [
  'https://example.com',
  'https://app.example.com'
];

WebApp.rawConnectHandlers.use("/api/private", function(req, res, next) {
  const origin = req.headers.origin;

  if (allowedOrigins.includes(origin)) {
    res.setHeader("Access-Control-Allow-Origin", origin);
    res.setHeader("Access-Control-Allow-Credentials", "true");
    res.setHeader("Vary", "Origin");
  }

  res.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
  res.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");

  if (req.method === "OPTIONS") {
    res.setHeader("Access-Control-Max-Age", "86400");
    res.writeHead(204);
    res.end();
    return;
  }

  next();
});

Environment-Based Configuration

For better security and flexibility, load allowed origins from your Meteor settings:

settings.json:

{
  "cors": {
    "origins": [
      "https://example.com",
      "https://app.example.com"
    ]
  }
}

server/cors.js:

import { Meteor } from 'meteor/meteor';
import { WebApp } from 'meteor/webapp';

if (Meteor.isServer) {
  const allowedOrigins = Meteor.settings.cors?.origins || [];

  WebApp.rawConnectHandlers.use(function(req, res, next) {
    const origin = req.headers.origin;

    if (allowedOrigins.includes(origin)) {
      res.setHeader("Access-Control-Allow-Origin", origin);
      res.setHeader("Vary", "Origin");
    }

    if (req.method === "OPTIONS") {
      res.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
      res.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
      res.setHeader("Access-Control-Max-Age", "86400");
      res.writeHead(204);
      res.end();
      return;
    }

    next();
  });
}

Run Meteor with settings:

meteor --settings settings.json

Using Meteor Packages

For more advanced use cases, consider using community packages:

• simple:rest - Provides REST API capabilities with built-in CORS support

meteor add simple:rest

Understanding Required Headers

When making authenticated requests to Meteor APIs, clients typically send:

• Authorization: Bearer tokens or API keys
• Content-Type: Usually application/json

Your server must allow these headers with Access-Control-Allow-Headers. The examples above include these by default.

Key Security Considerations

• Never use wildcards with credentials: Access-Control-Allow-Origin: * cannot be used with Access-Control-Allow-Credentials: true
• Always validate origins: Check incoming origins against a whitelist before setting the header
• Include Vary header: Vary: Origin is required when dynamically setting Access-Control-Allow-Origin to prevent caching issues
• Handle preflight requests: Respond to OPTIONS requests with appropriate headers and a 204 status code
• Use HTTPS in production: Only allow HTTPS origins in your whitelist for production environments

Testing Your CORS Configuration

For comprehensive testing instructions including curl commands, browser DevTools usage, and troubleshooting common CORS errors, see the CORS Testing Guide.

Additional Resources

• Meteor WebApp Documentation
• Meteor Guide
• Atmosphere Package Repository