Skip to main content
Version: 2.x

Handling CORS


As of Socket.IO v2, the server will automatically add the necessary headers in order to support Cross-Origin Resource Sharing (CORS)

The origins option should be used to provide a list of authorized domains:

const io = require("")(httpServer, {
origins: [""]

Please note that by default, ALL domains are authorized. You should explicitly allow/disallow cross-origin requests in order to keep your application secure:

  • without CORS (server and client are served from the same domain):
const io = require("")(httpServer, {
allowRequest: (req, callback) => {
callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  • with CORS (server and client are served from distinct domains):["http://localhost:3000"]); // for local development[""]);

The handlePreflightRequest option can be used to customize the Access-Control-Allow-xxx headers sent in response to the preflight request.

Example with cookies (withCredentials) and additional headers:

// server-side
const io = require("")(httpServer, {
origins: [""],

handlePreflightRequest: (req, res) => {
res.writeHead(200, {
"Access-Control-Allow-Origin": "",
"Access-Control-Allow-Methods": "GET,POST",
"Access-Control-Allow-Headers": "my-custom-header",
"Access-Control-Allow-Credentials": true

// client-side
const io = require("");
const socket = io("", {
withCredentials: true,
transportOptions: {
polling: {
extraHeaders: {
"my-custom-header": "abcd"


Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at xxx/ (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

If you have properly configured your server (see above), this could mean that your browser wasn't able to reach the Socket.IO server.

The following command:

curl ""

should return something like:


If that's not the case, please check that your server is listening and is actually reachable on the given port.