We Have Moved
The IBM Application Gateway has a new home - docs.verify.ibm.com/gateway
The documentation on this site will no longer be maintained after v21.02. Please update your bookmarks.
CORS
Description
The reverse proxy can support cross-origin resource sharing with CORS aware clients.
Each defined policy must at a minimum contain:
- name
- method
- policy:allow_origins
This entry is an array and can be used to specify multiple CORS policies.
Properties
The following table(s) describe the configuration properties for this component:
Name | Type | Constraints | Description |
---|---|---|---|
policy | POLICY Object | | |
paths | array[string] | | The paths for which this CORS policy will be applied. This entry is an array and can be used to specify multiple paths. |
host | string | | The host (obtained from the host header in the request) for which this CORS policy will be applied. If no host header is specified all hosts will be matched. |
name | string | | The name which is associated with this CORS policy. |
method | string | | The HTTP method for which this CORS policy will be applied. |
POLICY Object
The definition of the CORS policy.
Name | Type | Constraints | Description |
---|---|---|---|
max_age | number | Minimum: -1, Maximum: unlimited, Default: -1 | Maximum time (in seconds) a client should cache the results of a pre-flight request. A value of -1 indicates to clients that they should not cache; 0 indicates that clients may cache at their own discretion. Only valid if handle_pre_flight is set to true. |
handle_pre_flight | boolean | Values: true, false; Default: false | The reverse proxy can respond to pre-flight requests using the information from this policy. If set to false, pre-flight requests will be forwarded to the protected application. |
allow_headers | array[string] | | Headers that are indicated as allowed in responses to pre-flight requests. Specifying no allow_headers entries will indicate to clients that all headers are permitted. Not case-sensitive. Only valid if handle_pre_flight is set to true. |
allow_methods | array[string] | | Methods that are indicated as allowed in responses to pre-flight requests. Specifying no allow_methods entries will indicate to clients that all methods are permitted. Case-sensitive. Only valid if handle_pre_flight is set to true. |
expose_headers | array[string] | | Indicates to clients which headers they may expose from the response. |
allow_origins | array[string] | | A list of origins which are permitted to make cross-origin requests. To allow cross-origin requests from any origin, add a single entry '*'. |
allow_credentials | boolean | Values: true, false; Default: false | Indicates to clients that authentication is required when accessing this resource. |
Example
policies:
  cors:
    - name: cors_policy_A
      host: www.test.com
      paths:
        - "/test"
        - "/development"
      method: GET
      policy:
        allow_origins:
          - www.test.com
          - www.example.com
        handle_pre_flight: true
        allow_headers:
          - test_header
          - test_header2
        max_age: 600
        allow_methods:
          - update
          - create
        allow_credentials: true
        expose_headers:
          - test_header
          - test_header2
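
A pre-deployment check for the properties above, as an added example in Python (not IBM's code): it takes the policies.cors section as an already-parsed dictionary and reports violations of the documented constraints. The rule that flags '*' together with allow_credentials is an added review rule rather than a documented gateway constraint, and lint_cors, SAMPLE and the sample policy names are hypothetical.

```python
# Added example: lints a parsed policies.cors list against the constraints
# documented in the property tables. Function and sample names are hypothetical.
PREFLIGHT_ONLY = ("max_age", "allow_headers", "allow_methods")
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}

def lint_cors(config):
    """Return (policy_name, finding) tuples for each problem found."""
    findings = []
    for entry in config.get("policies", {}).get("cors", []):
        name = entry.get("name", "<unnamed>")
        pol = entry.get("policy") or {}
        def add(msg, name=name):
            findings.append((name, msg))
        # Documented minimum: name, method and policy.allow_origins.
        for key in ("name", "method"):
            if not entry.get(key):
                add(f"missing required property '{key}'")
        origins = pol.get("allow_origins") or []
        if not origins:
            add("missing required property 'policy.allow_origins'")
        if "*" in origins:
            add("allow_origins '*' permits cross-origin requests from any origin")
            if pol.get("allow_credentials"):  # added review rule, see lead-in
                add("'*' used with allow_credentials: true; list explicit origins")
        if pol.get("handle_pre_flight", False):
            # Empty lists tell clients that everything is permitted.
            for key in ("allow_headers", "allow_methods"):
                if not pol.get(key):
                    add(f"no '{key}' entries: clients are told all are permitted")
        else:
            for key in PREFLIGHT_ONLY:
                if key in pol:
                    add(f"'{key}' is only valid when handle_pre_flight is true")
        max_age = pol.get("max_age", -1)
        if isinstance(max_age, bool) or not isinstance(max_age, (int, float)) or max_age < -1:
            add("max_age must be a number >= -1")
        # allow_methods is case-sensitive: catch entries that are off only by case.
        for m in pol.get("allow_methods") or []:
            if m not in STANDARD_METHODS and m.upper() in STANDARD_METHODS:
                add(f"allow_methods entry '{m}' differs from '{m.upper()}' only by case")
    return findings

# Constructed sample input: the dict a YAML loader would return for two policies.
SAMPLE = {"policies": {"cors": [
    {"name": "open_api", "method": "GET",
     "policy": {"allow_origins": ["*"], "allow_credentials": True, "max_age": 600}},
    {"name": "strict_api", "method": "POST", "paths": ["/api"],
     "policy": {"allow_origins": ["https://app.example.com"], "handle_pre_flight": True,
                "allow_headers": ["content-type"], "allow_methods": ["post"]}},
]}}
```

Calling lint_cors(SAMPLE) returns three findings for open_api (wildcard origin, wildcard with credentials, max_age set without handle_pre_flight) and one for strict_api (the lowercase method entry).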