diff --git a/README.md b/README.md
index be1e987..4e1c0cf 100644
--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ You can use it as is without passing any option or you can configure it as expla
 cb(new Error("Not allowed"), false)
 }
 ```
-* `methods`: Configures the **Access-Control-Allow-Methods** CORS header. Expects a comma-delimited string (e.g., 'GET,PUT,POST') or an array (e.g., `['GET', 'PUT', 'POST']`). Default: `GET,HEAD,PUT,PATCH,POST,DELETE`.
+* `methods`: Configures the **Access-Control-Allow-Methods** CORS header. Expects a comma-delimited string (e.g., 'GET,PUT,POST') or an array (e.g., `['GET', 'PUT', 'POST']`). Default: [CORS-safelisted methods](https://fetch.spec.whatwg.org/#methods) `GET,HEAD,PUT`.
 * `hook`: See [Custom Fastify hook name](#custom-fastify-hook-name). Default: `onRequest`.
 * `allowedHeaders`: Configures the **Access-Control-Allow-Headers** CORS header. Expects a comma-delimited string (e.g., `'Content-Type,Authorization'`) or an array (e.g., `['Content-Type', 'Authorization']`). Defaults to reflecting the headers specified in the request's **Access-Control-Request-Headers** header if not specified.
 * `exposedHeaders`: Configures the **Access-Control-Expose-Headers** CORS header. Expects a comma-delimited string (e.g., `'Content-Range,X-Content-Range'`) or an array (e.g., `['Content-Range', 'X-Content-Range']`). No custom headers are exposed if not specified.
diff --git a/index.js b/index.js
index f711bb7..bb1566c 100644
--- a/index.js
+++ b/index.js
@@ -8,7 +8,7 @@ const {
 const defaultOptions = {
 origin: '*',
- methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ methods: 'GET,HEAD,POST',
 hook: 'onRequest',
 preflightContinue: false,
 optionsSuccessStatus: 204,
diff --git a/test/preflight.test.js b/test/preflight.test.js
index 7e43032..fb3d8e3 100644
--- a/test/preflight.test.js
+++ b/test/preflight.test.js
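Review bot: The new default `methods: 'GET,HEAD,POST'` does not agree with the README hunk in this same commit, which documents the default as `GET,HEAD,PUT`; the Fetch spec's CORS-safelisted methods are GET, HEAD and POST, so the code is the correct side and the README's `GET,HEAD,PUT` should be changed to `GET,HEAD,POST`. Dropping PUT, PATCH and DELETE from the default is a sensible least-privilege tightening, but any deployment that relied on the old default for those verbs will now have its browser preflights fail the method check, so this deserves a breaking-change entry in the release notes and a README sentence telling readers to set `methods` explicitly for non-safelisted verbs. A short why-comment on the new line would record the intent for the next maintainer, e.g. `methods: 'GET,HEAD,POST', // CORS-safelisted methods only; anything else must be opted into`. The `defaultOptions` object continues past the end of the hunk.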
@@ -30,7 +30,7 @@ test('Should reply to preflight requests', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
- 'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ 'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -65,7 +65,7 @@ test('Should add access-control-allow-headers to response if preflight req has a
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
- 'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ 'access-control-allow-methods': 'GET,HEAD,POST',
 'access-control-allow-headers': 'x-requested-with',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
@@ -98,7 +98,7 @@ test('Should reply to preflight requests with custom status code', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
- 'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ 'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -162,7 +162,7 @@ test('Should reply to all options requests', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
- 'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ 'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -204,7 +204,7 @@ test('Should support a prefix for preflight requests', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
- 'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ 'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
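Review bot: The expected default method list `'GET,HEAD,POST'` is hard-coded as a fresh literal in every assertion this commit touches (eleven hunks in this file, starting with the one at line 30 and continuing through the hunk at line 481), so the next change to the default is again an eleven-place edit. Declaring it once near the top of the test file, `const DEFAULT_METHODS = 'GET,HEAD,POST'`, and writing `'access-control-allow-methods': DEFAULT_METHODS` in each `deepStrictEqual` keeps the expectation pinned independently of index.js while leaving a single place to update. Each of these hunks sits inside a `test(...)` callback whose start and end lie outside the hunk.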
@@ -329,7 +329,7 @@ test('Should reply to all preflight requests when strictPreflight is disabled',
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
- 'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ 'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -360,7 +360,7 @@ test('Default empty 200 response with preflightContinue on OPTIONS routes', asyn
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
- 'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ 'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers'
 })
 })
@@ -394,7 +394,7 @@ test('Can override preflight response with preflightContinue', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
- 'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ 'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers'
 })
 })
@@ -429,7 +429,7 @@ test('Should support ongoing prefix ', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
- 'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ 'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -455,7 +455,7 @@ test('Should support ongoing prefix ', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
- 'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ 'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -481,7 +481,7 @@ test('Should support ongoing prefix ', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
- 'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+ 'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })