Merge pull request #4368 from gofiber/copilot/optimize-cors-origin-lookup

ReneWerner87 · web-flow · commit 0ca42490d243 · 2026-05-28T07:29:43.000+02:00
⚡ perf: Optimize CORS exact-origin lookup to O(1)
diff --git a/middleware/cors/cors.go b/middleware/cors/cors.go
@@ -1,7 +1,6 @@
 package cors
 
 import (
-	"slices"
 	"strconv"
 	"strings"
 
@@ -53,9 +52,9 @@ func New(config ...Config) fiber.Handler {
 		log.Warn("[CORS] Both 'AllowOrigins' and 'AllowOriginsFunc' have been defined.")
 	}
 
-	// allowOrigins is a slice of strings that contains the allowed origins
+	// allowOrigins is a set of strings that contains the allowed origins
 	// defined in the 'AllowOrigins' configuration.
-	allowOrigins := []string{}
+	allowOrigins := make(map[string]struct{}, len(cfg.AllowOrigins))
 	allowSubOrigins := []subdomain{}
 
 	// Validate and normalize static AllowOrigins
@@ -84,7 +83,7 @@ func New(config ...Config) fiber.Handler {
 			if !isValid {
 				panic("[CORS] Invalid origin format in configuration: " + maskValue(trimmedOrigin))
 			}
-			allowOrigins = append(allowOrigins, normalizedOrigin)
+			allowOrigins[normalizedOrigin] = struct{}{}
 		}
 	}
 
@@ -141,7 +140,7 @@ func New(config ...Config) fiber.Handler {
 			allowOrigin = "*"
 		} else {
 			// Check if the origin is in the list of allowed origins
-			if slices.Contains(allowOrigins, originHeader) {
+			if _, ok := allowOrigins[originHeader]; ok {
 				allowOrigin = originHeaderRaw
 			}
 
diff --git a/middleware/cors/cors_test.go b/middleware/cors/cors_test.go
@@ -101,6 +101,23 @@ func Test_CORS_Preserve_Origin_Case(t *testing.T) {
 	require.Equal(t, origin, string(ctx.Response.Header.Peek(fiber.HeaderAccessControlAllowOrigin)))
 }
 
+func Test_CORS_AllowOrigins_NormalizedExactLookup(t *testing.T) {
+	t.Parallel()
+
+	app := fiber.New()
+	app.Use(New(Config{AllowOrigins: []string{" HTTP://EXAMPLE.COM/ "}}))
+
+	origin := "http://example.com"
+
+	ctx := &fasthttp.RequestCtx{}
+	ctx.Request.Header.SetMethod(fiber.MethodOptions)
+	ctx.Request.Header.Set(fiber.HeaderAccessControlRequestMethod, fiber.MethodGet)
+	ctx.Request.Header.Set(fiber.HeaderOrigin, origin)
+	app.Handler()(ctx)
+
+	require.Equal(t, origin, string(ctx.Response.Header.Peek(fiber.HeaderAccessControlAllowOrigin)))
+}
+
 func testDefaultOrEmptyConfig(t *testing.T, app *fiber.App) {
 	t.Helper()
 

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`package cors`
`2`	`2`
`3`	`3`	`import (`
`4`		`- "slices"`
`5`	`4`	`"strconv"`
`6`	`5`	`"strings"`
`7`	`6`
`@@ -53,9 +52,9 @@ func New(config ...Config) fiber.Handler {`
`53`	`52`	`log.Warn("[CORS] Both 'AllowOrigins' and 'AllowOriginsFunc' have been defined.")`
`54`	`53`	`}`
`55`	`54`
`56`		`- // allowOrigins is a slice of strings that contains the allowed origins`
	`55`	`+ // allowOrigins is a set of strings that contains the allowed origins`
`57`	`56`	`// defined in the 'AllowOrigins' configuration.`
`58`		`- allowOrigins := []string{}`
	`57`	`+ allowOrigins := make(map[string]struct{}, len(cfg.AllowOrigins))`
`59`	`58`	`allowSubOrigins := []subdomain{}`
`60`	`59`
`61`	`60`	`// Validate and normalize static AllowOrigins`
`@@ -84,7 +83,7 @@ func New(config ...Config) fiber.Handler {`
`84`	`83`	`if !isValid {`
`85`	`84`	`panic("[CORS] Invalid origin format in configuration: " + maskValue(trimmedOrigin))`
`86`	`85`	`}`
`87`		`- allowOrigins = append(allowOrigins, normalizedOrigin)`
	`86`	`+ allowOrigins[normalizedOrigin] = struct{}{}`
`88`	`87`	`}`
`89`	`88`	`}`
`90`	`89`
`@@ -141,7 +140,7 @@ func New(config ...Config) fiber.Handler {`
`141`	`140`	`allowOrigin = "*"`
`142`	`141`	`} else {`
`143`	`142`	`// Check if the origin is in the list of allowed origins`
`144`		`- if slices.Contains(allowOrigins, originHeader) {`
	`143`	`+ if _, ok := allowOrigins[originHeader]; ok {`
`145`	`144`	`allowOrigin = originHeaderRaw`
`146`	`145`	`}`
`147`	`146`