CORS
The CORS (Cross-Origin Resource Sharing) policy allows you to tailor how endpoints on your gateway respond to cross-origin requests.
Options
origin
Configures the Access-Control-Allow-Origin CORS header.
-
Boolean
: set origin to true to reflect the request origin, as defined byreq.header('Origin')
, or set it to false to disable CORS. -
String
: set origin to a specific origin. For example if you set it to "https://example.com/" only requests from "https://example.com/" will be allowed. -
RegExp
: set origin to a regular expression pattern which will be used to test request origin. If it's a match, the request origin will be reflected. For example the pattern/example\\.com$/
will reflect any request that is coming from an origin ending with "example.com". -
Array
: set origin to an array of valid origins. Each origin can be a String or a RegExp. For example["https://example1.com", /\\.example2\\.com$/]
will accept any request from "https://example1.com" or from a subdomain of "example2.com".
Default: "*"
(Allows all origins).
methods
Configures the Access-Control-Allow-Methods CORS header.
-
String
: a comma-delimited list of method names. For example,"GET,POST,PUT"
. -
Array
: an array of method names. For example,["GET", "POST", "PUT"]
.
Default: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"]
.
allowedHeaders (Optional)
Configures the Access-Control-Allow-Headers CORS header.
-
String
: a comma-delimited list of header names. For example,"Content-Type,Authorization"
. -
Array
: an array of header names. For example,["Content-Type", "Authorization"]
.
exposedHeaders (Optional)
Configures the Access-Control-Expose-Headers CORS header.
-
String
: a comma-delimited list of header names. For example,"Content-Range,X-Content-Range"
. -
Array
: an array of header names. For example,["Content-Range", "X-Content-Range"]
.
credentials (Optional)
Configures the Access-Control-Allow-Credentials CORS header.
Boolean
: set totrue
to enable credentials.
maxAge (Optional)
Configures the Access-Control-Max-Age CORS header.
Number
: set to a number of seconds to cache preflight requests.
optionsSuccessStatus
Configures the status code to be sent in response to a preflight request.
Number
: set to a status code.
Default: 204
.
Usage
Below are the default values for the CORS policy. You can use the defaults by setting cors: {}
, or you can customize the policy by specifying the values you want to change.
policyDefinitions:
cors:
origin: "*"
methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"]
optionsSuccessStatus: 204
endpoints:
- path: "/todos"
target:
url: "https://example.com/todos"
policies:
- cors
Powered by expressjs/cors