refactor: change default methods to cors-safelisted methods (#359)

Fdawgs · web-flow · commit 0d7b9fa454df · 2025-02-27T14:01:42.000+08:00
* refactor(index): change default `methods` to cors-safelisted methods

* fix: correct allowed methods

* Update README.md

Signed-off-by: Frazer Smith &lt;frazer.dev@icloud.com&gt;

---------

Signed-off-by: Frazer Smith &lt;frazer.dev@icloud.com&gt;
diff --git a/README.md b/README.md
@@ -63,7 +63,7 @@ You can use it as is without passing any option or you can configure it as expla
     cb(new Error("Not allowed"), false)
   }
   ```
-* `methods`: Configures the **Access-Control-Allow-Methods** CORS header. Expects a comma-delimited string (e.g., 'GET,PUT,POST') or an array (e.g., `['GET', 'PUT', 'POST']`). Default: `GET,HEAD,PUT,PATCH,POST,DELETE`.
+* `methods`: Configures the **Access-Control-Allow-Methods** CORS header. Expects a comma-delimited string (e.g., 'GET,PUT,POST') or an array (e.g., `['GET', 'PUT', 'POST']`). Default: [CORS-safelisted methods](https://fetch.spec.whatwg.org/#methods) `GET,HEAD,PUT`.
 * `hook`: See [Custom Fastify hook name](#custom-fastify-hook-name). Default: `onRequest`.
 * `allowedHeaders`: Configures the **Access-Control-Allow-Headers** CORS header. Expects a comma-delimited string (e.g., `'Content-Type,Authorization'`) or an array (e.g., `['Content-Type', 'Authorization']`). Defaults to reflecting the headers specified in the request's **Access-Control-Request-Headers** header if not specified.
 * `exposedHeaders`: Configures the **Access-Control-Expose-Headers** CORS header. Expects a comma-delimited string (e.g., `'Content-Range,X-Content-Range'`) or an array (e.g., `['Content-Range', 'X-Content-Range']`). No custom headers are exposed if not specified.
diff --git a/index.js b/index.js
@@ -8,7 +8,7 @@ const {
 
 const defaultOptions = {
   origin: '*',
-  methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
+  methods: 'GET,HEAD,POST',
   hook: 'onRequest',
   preflightContinue: false,
   optionsSuccessStatus: 204,
diff --git a/test/preflight.test.js b/test/preflight.test.js
@@ -30,7 +30,7 @@ test('Should reply to preflight requests', async t => {
   }
   t.assert.deepStrictEqual(actualHeaders, {
     'access-control-allow-origin': '*',
-    'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+    'access-control-allow-methods': 'GET,HEAD,POST',
     vary: 'Access-Control-Request-Headers',
     'content-length': '0'
   })
@@ -65,7 +65,7 @@ test('Should add access-control-allow-headers to response if preflight req has a
   }
   t.assert.deepStrictEqual(actualHeaders, {
     'access-control-allow-origin': '*',
-    'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+    'access-control-allow-methods': 'GET,HEAD,POST',
     'access-control-allow-headers': 'x-requested-with',
     vary: 'Access-Control-Request-Headers',
     'content-length': '0'
@@ -98,7 +98,7 @@ test('Should reply to preflight requests with custom status code', async t => {
   }
   t.assert.deepStrictEqual(actualHeaders, {
     'access-control-allow-origin': '*',
-    'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+    'access-control-allow-methods': 'GET,HEAD,POST',
     vary: 'Access-Control-Request-Headers',
     'content-length': '0'
   })
@@ -162,7 +162,7 @@ test('Should reply to all options requests', async t => {
   }
   t.assert.deepStrictEqual(actualHeaders, {
     'access-control-allow-origin': '*',
-    'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+    'access-control-allow-methods': 'GET,HEAD,POST',
     vary: 'Access-Control-Request-Headers',
     'content-length': '0'
   })
@@ -204,7 +204,7 @@ test('Should support a prefix for preflight requests', async t => {
   }
   t.assert.deepStrictEqual(actualHeaders, {
     'access-control-allow-origin': '*',
-    'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+    'access-control-allow-methods': 'GET,HEAD,POST',
     vary: 'Access-Control-Request-Headers',
     'content-length': '0'
   })
@@ -329,7 +329,7 @@ test('Should reply to all preflight requests when strictPreflight is disabled',
   }
   t.assert.deepStrictEqual(actualHeaders, {
     'access-control-allow-origin': '*',
-    'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+    'access-control-allow-methods': 'GET,HEAD,POST',
     vary: 'Access-Control-Request-Headers',
     'content-length': '0'
   })
@@ -360,7 +360,7 @@ test('Default empty 200 response with preflightContinue on OPTIONS routes', asyn
   }
   t.assert.deepStrictEqual(actualHeaders, {
     'access-control-allow-origin': '*',
-    'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+    'access-control-allow-methods': 'GET,HEAD,POST',
     vary: 'Access-Control-Request-Headers'
   })
 })
@@ -394,7 +394,7 @@ test('Can override preflight response with preflightContinue', async t => {
   }
   t.assert.deepStrictEqual(actualHeaders, {
     'access-control-allow-origin': '*',
-    'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+    'access-control-allow-methods': 'GET,HEAD,POST',
     vary: 'Access-Control-Request-Headers'
   })
 })
@@ -429,7 +429,7 @@ test('Should support ongoing prefix ', async t => {
   }
   t.assert.deepStrictEqual(actualHeaders, {
     'access-control-allow-origin': '*',
-    'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+    'access-control-allow-methods': 'GET,HEAD,POST',
     vary: 'Access-Control-Request-Headers',
     'content-length': '0'
   })
@@ -455,7 +455,7 @@ test('Should support ongoing prefix ', async t => {
   }
   t.assert.deepStrictEqual(actualHeaders, {
     'access-control-allow-origin': '*',
-    'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+    'access-control-allow-methods': 'GET,HEAD,POST',
     vary: 'Access-Control-Request-Headers',
     'content-length': '0'
   })
@@ -481,7 +481,7 @@ test('Should support ongoing prefix ', async t => {
   }
   t.assert.deepStrictEqual(actualHeaders, {
     'access-control-allow-origin': '*',
-    'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+    'access-control-allow-methods': 'GET,HEAD,POST',
     vary: 'Access-Control-Request-Headers',
     'content-length': '0'
   })

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ You can use it as is without passing any option or you can configure it as expla`
`63`	`63`	`cb(new Error("Not allowed"), false)`
`64`	`64`	`}`
`65`	`65`	```
`66`		-* `methods`: Configures the Access-Control-Allow-Methods CORS header. Expects a comma-delimited string (e.g., 'GET,PUT,POST') or an array (e.g., `['GET', 'PUT', 'POST']`). Default: `GET,HEAD,PUT,PATCH,POST,DELETE`.
	`66`	+* `methods`: Configures the Access-Control-Allow-Methods CORS header. Expects a comma-delimited string (e.g., 'GET,PUT,POST') or an array (e.g., `['GET', 'PUT', 'POST']`). Default: [CORS-safelisted methods](https://fetch.spec.whatwg.org/#methods) `GET,HEAD,PUT`.
`67`	`67`	* `hook`: See [Custom Fastify hook name](#custom-fastify-hook-name). Default: `onRequest`.
`68`	`68`	* `allowedHeaders`: Configures the Access-Control-Allow-Headers CORS header. Expects a comma-delimited string (e.g., `'Content-Type,Authorization'`) or an array (e.g., `['Content-Type', 'Authorization']`). Defaults to reflecting the headers specified in the request's Access-Control-Request-Headers header if not specified.
`69`	`69`	* `exposedHeaders`: Configures the Access-Control-Expose-Headers CORS header. Expects a comma-delimited string (e.g., `'Content-Range,X-Content-Range'`) or an array (e.g., `['Content-Range', 'X-Content-Range']`). No custom headers are exposed if not specified.