Skip to main content

CORS

Description

The reverse proxy can support cross-origin resource sharing with CORS aware clients.

Each defined policy must at a minimum contain:

  • name
  • method
  • policy:allow_origins

This entry is an array and can be used to specify multiple CORS policies.

Properties

The following table(s) describe the configuration properties for this component:

Name Type Constraints Description
policy POLICY Object
paths array[string] The paths for which this CORS policy will be applied. This entry is an array and can be used to specify multiple paths.
host string The host (obtained from the host header in the request) for which this CORS policy will be applied. If no host header is specified all hosts will be matched.
name string The name which is associated with this CORS policy.
method string The HTTP method for which this CORS policy will be applied.

POLICY Object

The definition of the CORS policy.

Name Type Constraints Description
max_age number Minimum:-1
Maximum:unlimited
Maximum time (in seconds) a client should cache the results of a pre-flight request. A value of -1 indicates to clients that they should not cache, 0 indicates that clients may cache at their own discretion. Only valid if handle_pre_flight is set to true.
handle_pre_flight boolean Values: true,false The reverse proxy can respond to pre-flight requests using the information from this policy. If set to false, pre-flight requests will be forwarded to the protected application.
allow_headers array[string] Headers that are indicated as allowed in responses to pre-flight requests. Specifying no allow_header entries will indicate to clients that all headers are permitted. Not case-sensitive. Only valid if handle_pre_flight is set to true.
allow_methods array[string] Methods that are indicated as allowed in responses to pre-flight requests. Specifying no allow_method entries will indicate to clients that all methods are permitted. Case-sensitive. Only valid if handle_pre_flight is set to true.
expose_headers array[string] Indicates to clients which headers they expose from the response.
allow_origins array[string] A list of origins which are permitted to make cross-origin requests. To allow cross-origin requests from any origin, add a single entry '*'.
allow_credentials boolean Values: true,false Indicates to clients that authentication is required when accessing this resource.

Example

 policies:
         cors:
             - name: cors_policy_A
               host: www.test.com
               paths: 
                 - "/test"
                 - "/development"
               method: GET
               policy: 
                   allow_origins: 
                       - www.test.com
                       - www.example.com
                   handle_pre_flight: true
                   allow_headers: 
                       - test_header
                       - test_header2
                   max_age: 600
                   allow_methods: 
                       - update
                       - create
                   allow_credentials: true
                   expose_headers: 
                       - test_header
                       - test_header2