npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

route-scoped-cors

v0.1.2

Published

Per-route CORS method scoping middleware for Express and NestJS — prevents HTTP verb tampering by advertising only the methods each route actually handles.

Downloads

499

Readme

route-scoped-cors

Per-route CORS method scoping middleware for Express and NestJS.

Instead of advertising every HTTP method on every route, this middleware inspects the Express router at runtime and sets Access-Control-Allow-Methods to only the methods actually registered for the matched path. This prevents HTTP verb tampering and gives browsers accurate preflight information.

How it works

  • OPTIONS preflight — responds 204 with the exact methods for that route.
  • Disallowed method — responds 405 Method Not Allowed with an Allow header.
  • Allowed method — passes through unchanged.
  • The route map is built lazily on the first request, so all routes are guaranteed to be registered before inspection.

Installation

npm install route-scoped-cors

Usage

Express

import express from 'express';
import { routeScopedCors } from 'route-scoped-cors';

const app = express();

// Must be added after routes are defined, or use install() which is lazy-safe
app.use(routeScopedCors());

app.get('/users', handler);
app.post('/users', handler);

Or use the install helper:

import { install } from 'route-scoped-cors';

const app = express();
install(app); // equivalent to app.use(routeScopedCors())

NestJS

Import RouteScopedCorsModule into your root module. It automatically applies the middleware to all routes via NestJS's configure() lifecycle hook — no extra wiring needed.

// app.module.ts
import { Module } from '@nestjs/common';
import { RouteScopedCorsModule } from 'route-scoped-cors/nestjs';

@Module({
  imports: [RouteScopedCorsModule.forRoot()],
})
export class AppModule {}

With options:

RouteScopedCorsModule.forRoot({
  fallbackMethods: ['GET', 'POST', 'OPTIONS'],
})

Options

| Option | Type | Default | Description | |---|---|---|---| | fallbackMethods | string[] | ['GET','POST','PUT','PATCH','DELETE','OPTIONS'] | Methods returned for unmatched or unknown paths |

Response behaviour

Preflight (OPTIONS)

HTTP/1.1 204 No Content
Access-Control-Allow-Methods: GET, POST, OPTIONS

Method not allowed

HTTP/1.1 405 Method Not Allowed
Allow: GET, POST

{
  "statusCode": 405,
  "message": "Method Not Allowed",
  "error": "DELETE is not supported on this resource. Allowed: GET, POST"
}

Notes

  • This middleware complements (not replaces) a CORS origin/headers package like cors. Set preflightContinue: true on your cors config so preflight requests reach this middleware.
  • The route map is cached after the first request. It does not update if routes are added dynamically at runtime.

License

MIT