http-party · jelveh · Sep 21, 2025 · Sep 21, 2025
diff --git a/README.md b/README.md
@@ -69,7 +69,7 @@ with the provided Dockerfile.
 |`-b` or `--brotli`|When enabled it will serve `./public/some-file.js.br` in place of `./public/some-file.js` when a brotli compressed version of the file exists and the request accepts `br` encoding. If gzip is also enabled, it will try to serve brotli first. |`false`|
 |`-e` or `--ext`  |Default file extension if none supplied |`html` | 
 |`-s` or `--silent` |Suppress log messages from output  | |
-|`--cors` |Enable CORS via the `Access-Control-Allow-Origin` header  | |
+|`--cors` | Enable CORS via the `Access-Control-Allow-Origin: *` header. Optionally provide comma-separated values to add to `Access-Control-Allow-Headers`  | |
 |`-H` or `--header` |Add an extra response header (can be used several times)  | |
 |`-o [path]` |Open browser window after starting the server. Optionally provide a URL path to open. e.g.: -o /other/dir/ | |
 |`-c` |Set cache time (in seconds) for cache-control max-age header, e.g. `-c10` for 10 seconds. To disable caching, use `-c-1`.|`3600` |

diff --git a/bin/http-server b/bin/http-server
@@ -36,7 +36,8 @@ if (argv.h || argv.help) {
     '  -e --ext     Default file extension if none supplied [none]',
     '  -s --silent  Suppress log messages from output',
     '  --cors[=headers]   Enable CORS via the "Access-Control-Allow-Origin" header',
-    '                     Optionally provide CORS headers list separated by commas',
+    '                     When enabled, sets Access-Control-Allow-Origin to "*"',
+    '                     Optional value adds to Access-Control-Allow-Headers',
     '  -H',
     '  --header',
     '               Add an extra response header (can be used several times)',

diff --git a/doc/http-server.1 b/doc/http-server.1
@@ -59,8 +59,9 @@ Suppress log messages from output.
 
 .TP
 .BI \-\-cors " " [\fIHEADERS\fR]
-Enable CORS via the "Access-Control-Allow-Origin" header.
-Optionally provide CORS headers list separated by commas.
+Enable CORS by setting "Access-Control-Allow-Origin" to "*".
+Optional comma-separated headers list adds to "Access-Control-Allow-Headers".
+Default Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Range.
 
 .TP
 .BI \-H ", " \-\-header " " \fIHEADER\fR

diff --git a/lib/http-server.js b/lib/http-server.js
@@ -98,6 +98,9 @@ function HttpServer(options) {
     });
   }
 
+  // CORS configuration:
+  // --cors enables CORS by setting Access-Control-Allow-Origin to '*'
+  // --cors=header1,header2 also adds custom headers to Access-Control-Allow-Headers
   if (options.cors) {
     this.headers['Access-Control-Allow-Origin'] = '*';
     this.headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Range';