form-cors
form-cors is a Node.js package designed to protect against cross-domain attacks made through HTTP form requests, since the JavaScript same-origin policy does not apply to form requests. You can see here for more information.
This package is a Nest.js middleware (it may also work with Express). It is simple: it just blocks any request with req.header('content-type') === 'application/x-www-form-urlencoded'. This may be aggressive, but you can relax it with configuration such as an allowList.
Installation
You can install the package from the npm registry. Installation is done using the npm install command:
$ npm install form-cors
Usage
Within your Nest.js main.ts, import and use this module as in the example below:
import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';
import formCors from 'form-cors';
async function bootstrap() {
  const app = await NestFactory.create(AppModule);
  app.use(formCors());
  await app.listen(3000);
}
bootstrap();
Hint! This module doesn't block JavaScript cross-domain requests, so you should always also set up CORS protection.
Configuration Options
- allowList: Array of domains that are excluded from the protection, for example ['https://my.domain.com'].
- exception: An exception that will be thrown if a client sends a form post. Usually you should set a Nest.js exception such as new NotAcceptableException() from @nestjs/common.
With configuration, here's a simple snippet:
import { NotAcceptableException } from '@nestjs/common';
app.use(formCors({
  allowList: ['https://my.domain.com'],
  exception: new NotAcceptableException('This request is not allowed.'),
}));
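
A sketch of the check this README describes, added here as an example and not taken from the form-cors source. It assumes allowList entries are matched against the Origin header, and it goes beyond the README by also covering multipart/form-data and text/plain (the other encodings an HTML form can send) and by ignoring case and parameters such as charset. The names isBlocked, formGuard and fakeReq are hypothetical.

```typescript
// Added illustration, not form-cors source code.
// Assumption: allowList entries are compared with the Origin request header.
interface Req { header(name: string): string | undefined }
interface GuardOptions { allowList?: string[]; exception?: unknown }

// The three encodings an HTML <form> can submit without a CORS preflight.
const FORM_TYPES = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
];

// Reduce "Type/Subtype; charset=..." to a bare lowercase media type.
function mediaType(contentType: string | undefined): string {
  const [bare = ''] = (contentType ?? '').split(';');
  return bare.trim().toLowerCase();
}

// True when the request is form-encoded and its Origin is not allow-listed.
function isBlocked(req: Req, allowList: string[] = []): boolean {
  if (FORM_TYPES.indexOf(mediaType(req.header('content-type'))) === -1) return false;
  const origin = req.header('origin');
  // A form post without an Origin header cannot be matched, so it stays blocked.
  return origin === undefined || allowList.indexOf(origin) === -1;
}

// Express-style middleware: throw the configured exception on a blocked request.
function formGuard(options: GuardOptions = {}) {
  return (req: Req, _res: unknown, next: () => void): void => {
    if (isBlocked(req, options.allowList)) {
      throw options.exception ?? new Error('Form request not allowed');
    }
    next();
  };
}

// Constructed request stub with case-insensitive header lookup.
function fakeReq(headers: Record<string, string>): Req {
  const lower: Record<string, string> = {};
  for (const key of Object.keys(headers)) lower[key.toLowerCase()] = headers[key];
  return { header: (name) => lower[name.toLowerCase()] };
}
```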