From e073f124208765284efb9ba4edc2e4e25cd21cdc Mon Sep 17 00:00:00 2001
From: Stefan Peters <Stefan.Peters@gbv.de>
Date: Fri, 26 Mar 2021 12:28:04 +0100
Subject: [PATCH] Add access control headers

---
 server.js | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/server.js b/server.js
index b7fb8a9..77d2a83 100644
--- a/server.js
+++ b/server.js
@@ -36,6 +36,15 @@ export async function createServer(
   app.set("json spaces", 2)
 
   app.use((req, res, next) => {
+    if (req.headers.origin) {
+      // Allow all origins by returning the request origin in the header
+      res.setHeader("Access-Control-Allow-Origin", req.headers.origin)
+    } else {
+      // Fallback to * if there is no origin in header
+      res.setHeader("Access-Control-Allow-Origin", "*")
+    }
+    res.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
+    res.setHeader("Access-Control-Allow-Methods", "GET")
     res.setHeader("Access-Control-Expose-Headers", "X-Total-Count, Link")
     next()
   })
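Review bot: The `req.headers.origin` branch reflects the caller's origin into `Access-Control-Allow-Origin` without also sending `Vary: Origin`, so a shared cache or CDN in front of this server can replay a response carrying one site's origin to a different site, whose browser will then reject it. No `Access-Control-Allow-Credentials` header is set in this hunk, so echoing the origin grants nothing beyond `*`; the simplest fix is to drop the if/else and always send `res.setHeader("Access-Control-Allow-Origin", "*")`. If reflection is kept, add `res.setHeader("Vary", "Origin")` in that branch, and extend the comment to say that enabling credentials later would require checking the origin against an allowlist first. The middleware is complete in the hunk, but `createServer` starts and ends outside it, so any later header handling is not visible here.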