Skip to content
← Back to Guides

How can I enable CORS on Vercel?

The Vercel platform allows developers to specify response headers when a request comes in. It is a common pattern to allow CORS requests for Serverless Function invocations and for static assets.

Understanding CORS

Before enabling this feature for your website, it is important to understand what "Cross-Origin Resource Sharing" is. It is particularly important to be aware of the security implications when allowing your API to be fetched from all origins. We recommend that you take a look at the following articles before proceeding:

Enabling CORS in a single Node.js Serverless Function

Once you understand what CORS is and the potential risks of enabling it, you can do so by configuring a few headers in the response object.

const allowCors = fn => async (req, res) => {
  res.setHeader('Access-Control-Allow-Credentials', true)
  res.setHeader('Access-Control-Allow-Origin', '*')
  // another common pattern
  // res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
  res.setHeader('Access-Control-Allow-Methods', 'GET,OPTIONS,PATCH,DELETE,POST,PUT')
  res.setHeader(
    'Access-Control-Allow-Headers',
    'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version'
  )
  if (req.method === 'OPTIONS') {
    res.status(200).end()
    return
  }
  return await fn(req, res)
}


const handler = (req, res) => {
  const d = new Date()
  res.end(d.toString())
}


module.exports = allowCors(handler)
An example of how to enable CORS using Node.js Serverless Functions deployed on Vercel.

The allowCors function acts as a wrapper, enabling CORS for the Serverless Function passed to it. This is a common pattern when using middleware in Serverless Functions and can be applied to multiple scenarios.

Enabling CORS in a Next.js App

In the next.config.js file, a "headers" function can be created:

next.config.js
module.exports = {
  async headers() {
    return [
      {
        // matching all API routes
        source: "/api/:path*",
        headers: [
          { key: "Access-Control-Allow-Credentials", value: "true" },
          { key: "Access-Control-Allow-Origin", value: "*" },
          { key: "Access-Control-Allow-Methods", value: "GET,OPTIONS,PATCH,DELETE,POST,PUT" },
          { key: "Access-Control-Allow-Headers", value: "X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version" },
        ]
      }
    ]
  }
};
An example of how to enable CORS using Next.js routing configuration.

The headers() function allows you to define paths associated with a set of headers. It can be useful to allow CORS in multiple routes.

Enabling CORS using vercel.json

If you are not using Next.js, you can still enable headers in multiple paths by using the Vercel configuration file.

Create a new vercel.json with a new "headers" key:

{
  "headers": [
    {
      "source": "/api/(.*)",
      "headers": [
        { "key": "Access-Control-Allow-Credentials", "value": "true" },
        { "key": "Access-Control-Allow-Origin", "value": "*" },
        { "key": "Access-Control-Allow-Methods", "value": "GET,OPTIONS,PATCH,DELETE,POST,PUT" },
        { "key": "Access-Control-Allow-Headers", "value": "X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version" }
      ]
    }
  ]
}
An example of how to enable CORS using the Vercel headers configuration.

Couldn't find the guide you need?