Add Access-Control-Max-Age #261

electerious · Jun 20, 2021 · 2b170a4 · 2b170a4
1 parent 533443a
commit 2b170a4
Show file tree

Hide file tree

Showing 9 changed files with 19 additions and 1 deletion.
diff --git a/dist/index.js b/dist/index.js
diff --git a/docs/CORS headers.md b/docs/CORS headers.md
@@ -16,6 +16,7 @@ Access-Control-Allow-Origin: https://example.com
 Access-Control-Allow-Methods: GET, POST, PATCH, OPTIONS
 Access-Control-Allow-Headers: Content-Type, Authorization, Time-Zone
 Access-Control-Allow-Credentials: true
+Access-Control-Max-Age: 3600
 ```
 
 ### Origin
@@ -52,6 +53,14 @@ The `Access-Control-Allow-Credentials` header tells the browser to include the `
 Access-Control-Allow-Credentials: true
 ```
 
+### Max-Age
+
+The `Access-Control-Max-Age` header tells the browser that all `Access-Control-Allow-*` headers can be cached for one hour. This minimizes the amount of preflight requests.
+
+```
+Access-Control-Max-Age: 3600
+```
+
 ## Platforms-As-A-Service configuration
 
 If you are running Ackee on a platform which handles SSL for you, you may want a quick solution for setting CORS headers instead of using a [reverse proxy](SSL%20and%20HTTPS.md).

diff --git a/docs/SSL and HTTPS.md b/docs/SSL and HTTPS.md
@@ -80,6 +80,7 @@ server {
         add_header          Access-Control-Allow-Methods "GET, POST, PATCH, OPTIONS" always;
         add_header          Access-Control-Allow-Headers "Content-Type, Authorization, Time-Zone" always;
         add_header          Access-Control-Allow-Credentials "true" always;
+        add_header          Access-Control-Max-Age "3600" always;
         add_header          Strict-Transport-Security "max-age=31536000" always;
         add_header          X-Frame-Options deny;
         proxy_pass          http://localhost:3000;
@@ -116,6 +117,7 @@ server {
         add_header          Access-Control-Allow-Methods "GET, POST, PATCH, OPTIONS" always;
         add_header          Access-Control-Allow-Headers "Content-Type, Authorization, Time-Zone" always;
         add_header          Access-Control-Allow-Credentials "true" always;
+        add_header          Access-Control-Max-Age "3600" always;
         add_header          Strict-Transport-Security "max-age=31536000" always;
         add_header          X-Frame-Options deny;
         proxy_pass          http://localhost:3000;
@@ -149,6 +151,7 @@ server {
         add_header          Access-Control-Allow-Origin "*" always;
         add_header          Access-Control-Allow-Methods "GET, POST, PATCH, OPTIONS" always;
         add_header          Access-Control-Allow-Headers "Content-Type, Authorization, Time-Zone" always;
+        add_header          Access-Control-Max-Age "3600" always;
         add_header          Strict-Transport-Security "max-age=31536000" always;
         add_header          X-Frame-Options deny;
         proxy_pass          http://localhost:3000;

diff --git a/src/server.js b/src/server.js
@@ -77,6 +77,7 @@ const attachCorsHeaders = (fn) => (req, res) => {
 		res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PATCH, OPTIONS')
 		res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Time-Zone')
 		res.setHeader('Access-Control-Allow-Credentials', 'true')
+		res.setHeader('Access-Control-Max-Age', '3600')
 	}
 
 	return fn(req, res)

diff --git a/test/serverWithCors.js b/test/serverWithCors.js
@@ -22,6 +22,7 @@ test('return cors headers if env var specifies one', async (t) => {
 	t.is(headers.get('Access-Control-Allow-Methods'), 'GET, POST, PATCH, OPTIONS')
 	t.is(headers.get('Access-Control-Allow-Headers'), 'Content-Type, Authorization, Time-Zone')
 	t.is(headers.get('Access-Control-Allow-Credentials'), 'true')
+	t.is(headers.get('Access-Control-Max-Age'), '3600')
 
 	restore()
 })
diff --git a/test/serverWithMultipleCors.js b/test/serverWithMultipleCors.js
@@ -22,6 +22,7 @@ test('return cors headers with corresponding origin if env var specifies multipl
 	t.is(headers.get('Access-Control-Allow-Methods'), 'GET, POST, PATCH, OPTIONS')
 	t.is(headers.get('Access-Control-Allow-Headers'), 'Content-Type, Authorization, Time-Zone')
 	t.is(headers.get('Access-Control-Allow-Credentials'), 'true')
+	t.is(headers.get('Access-Control-Max-Age'), '3600')
 
 	restore()
 })
diff --git a/test/serverWithUnlistedCors.js b/test/serverWithUnlistedCors.js
@@ -22,6 +22,7 @@ test('return cors headers with no origin if hostname not whitelisted in env var'
 	t.is(headers.get('Access-Control-Allow-Methods'), null)
 	t.is(headers.get('Access-Control-Allow-Headers'), null)
 	t.is(headers.get('Access-Control-Allow-Credentials'), null)
+	t.is(headers.get('Access-Control-Max-Age'), null)
 
 	restore()
 })
diff --git a/test/serverWithWildcardCors.js b/test/serverWithWildcardCors.js
@@ -22,6 +22,7 @@ test('return cors headers if env vars specify wildcard', async (t) => {
 	t.is(headers.get('Access-Control-Allow-Methods'), 'GET, POST, PATCH, OPTIONS')
 	t.is(headers.get('Access-Control-Allow-Headers'), 'Content-Type, Authorization, Time-Zone')
 	t.is(headers.get('Access-Control-Allow-Credentials'), 'true')
+	t.is(headers.get('Access-Control-Max-Age'), '3600')
 
 	restore()
 })
diff --git a/test/serverWithoutCors.js b/test/serverWithoutCors.js
@@ -22,6 +22,7 @@ test('return no cors headers if env var specifies none', async (t) => {
 	t.is(headers.get('Access-Control-Allow-Methods'), null)
 	t.is(headers.get('Access-Control-Allow-Headers'), null)
 	t.is(headers.get('Access-Control-Allow-Credentials'), null)
+	t.is(headers.get('Access-Control-Max-Age'), null)
 
 	restore()
 })