#nestJs cors origin response always return wildcard ' * '

Hi,
i'm facing CORS issue between react (http://localhost:3000) and nestJs (http://localhost:4000) I added the credentials: true to both front and back as i'm going to work with secured cookies.

Here the backend nestJs side:

origin: (origin: any, callback: any) => { if (allowedOrigins.indexOf(origin) !== -1 || !origin) { callback(null, true); } else { callback(new Error('Not allowed by CORS')); } }, credentials: true, methods: 'GET,PUT,POST,DELETE,UPDATE,OPTIONS', optionsSuccessStatus: 200,

and here the frontend React:
const axiosClient = axios.create({ baseURL: process.env.REACT_APP_BACKEND_URL, timeout: 1000 * 60 * 5, withCredentials: true, headers: { 'Content-Type': 'application/json', }

Then the response header 'Acces-Control-Allow-Origin: *" is always displayed (see attached screenshot)

Thank you very much

Maybe have a look at the underlying express cors implementation

I think origin expects a list of strings

https://expressjs.com/en/resources/middleware/cors.html#configuration-options
Ok your approach should work

I already tried:
origin: ['http://localhost:3000']
it's not working too...

anyone can help on this ? :/

Can you provide a reproduction?

Do you have either cors: true or app.enableCors() without paying any options? Those will set the origin header to *

i got even better for you: the gilab repo wth the incriminated branch : https://gitlab.com/fourmislabs/backend/-/tree/FMLB-88--back-implemtent-refresh-token-with-cookies

And yes i did the cors: true and app.enableCors() right

Remove the cors: true, that overrides the later enableCors because settings are already created and set

They both attach the middleware, IIRC, but the cors middleware itself won't overwrite headers if they already exist