Skip to main content
Version: 4.x

Handling CORS


Since Socket.IO v3, you need to explicitly enable Cross-Origin Resource Sharing (CORS).

const io = require("")(httpServer, {  cors: {    origin: "",    methods: ["GET", "POST"]  }});

All options will be forwarded to the cors package. The complete list of options can be found here.

Example with cookies (withCredentials) and additional headers:

// server-sideconst io = require("")(httpServer, {  cors: {    origin: "",    methods: ["GET", "POST"],    allowedHeaders: ["my-custom-header"],    credentials: true  }});
// client-sideconst io = require("");const socket = io("", {  withCredentials: true,  extraHeaders: {    "my-custom-header": "abcd"  }});

Note: this also applies to localhost if your web application and your server are not served from the same port

const io = require("")(httpServer, {  cors: {    origin: "http://localhost:8080",    methods: ["GET", "POST"]  }});

You can disallow all cross-origin requests with the allowRequest option:

const io = require("")(httpServer, {  allowRequest: (req, callback) => {    const noOriginHeader = req.headers.origin === undefined;    callback(null, noOriginHeader);  }});


Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at xxx/ (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

If you have properly configured your server (see above), this could mean that your browser wasn't able to reach the Socket.IO server.

The following command:

curl ""

should return something like:


If that's not the case, please check that your server is listening and is actually reachable on the given port.