Our website is made possible by displaying online advertisements to our visitors. Please consider supporting us by disabling your ad blocker.

Handling CORS In A Golang Web Application

TwitterFacebookRedditLinkedInHacker News

If you’ve ever spent time building RESTful APIs, you’ve probably come across cross-origin resource sharing (CORS) issues at some time or another. Often clients will receive errors when trying to interact with an API from a domain or port different from the actual API. Back in the day I had written a hacky article on getting past these CORS issues by manipulating the browser settings. However, it is best to tackle these issues at the source.

We’re going to see how to change the cross-origin resource sharing configuration in a Golang web application that uses the mux package.

If you’ve never built a web backend using the Go programming language, check out my previous tutorial on the subject titled, Create A Simple RESTful API With Golang.

By default, all requests made from cross-origin JavaScript to the request router will be blocked. Lucky for us, Gorilla, the same people who made the mux package, made a few other packages to help our cause.

Take for example the handlers package. It is an HTTP middleware where one of the things it does is handles CORS. Look at the following Go snippet:

import (

func main() {
    router := mux.NewRouter()
    log.Fatal(http.ListenAndServe(":3000", handlers.CORS(handlers.AllowedHeaders([]string{"X-Requested-With", "Content-Type", "Authorization"}), handlers.AllowedMethods([]string{"GET", "POST", "PUT", "HEAD", "OPTIONS"}), handlers.AllowedOrigins([]string{"*"}))(router)))

If you recall the previous tutorial, we were using the mux package like so:

func main() {
    router := mux.NewRouter()
    log.Fatal(http.ListenAndServe(":3000", router))

When using the handlers package we can define the request headers, request methods, and request origins that are allowed. Everything not in our allowed list will be blocked and throw cross-origin resource sharing issues.

To allow all origins, including those on different ports, we can make use of the wildcard asterisk character:


It took me a while to figure out, but the wildcard asterisk only works for AllowedOrigins. Using the asterisk in AllowedMethods and AllowedHeaders will have no affect.

Pay attention to the headers that are being sent with your request. While you might think that you’re only sending a Content-Type header, you may actually be sending more. You can easily figure out what is being sent in a request via Firebug for Firefox or Chrome Developer Tools.


Cross-origin resource sharing can be a pain in the butt if you’re not careful. However, it is very easy to define what is and isn’t allowed in requests via the handlers package in your Golang web application. Just pay attention to where your requests are coming from (the origin), and the headers as well as the methods of the request.

If you don’t have control over the backend, you can bypass the CORS issues via the browser by following this previous article I had written on the subject.

A video version of this article can be seen below.

Nic Raboy

Nic Raboy

Nic Raboy is an advocate of modern web and mobile development technologies. He has experience in C#, JavaScript, Golang and a variety of frameworks such as Angular, NativeScript, and Unity. Nic writes about his development experiences related to making web and mobile development easier to understand.