Skip to content

CORS Configuration Reference

The CORS (Cross-Origin Resource Sharing) configuration is common across all services. This reference documents the configuration options for controlling cross-origin HTTP requests.

For a comprehensive understanding of CORS, see MDN’s CORS documentation.

{
"cors": {
"enabled": "boolean",
"allowHeaders": "string[]",
"allowMethods": "string[]",
"credentials": "boolean",
"exposeHeaders": "string[]",
"maxAge": "number",
"origin": "string[]"
}
}
  • Type: boolean
  • Default: false
  • Description: Controls whether CORS is enabled for the service

Example configuration:

{
"cors": {
"allowHeaders": ["Authorization", "X-Requested-With", "X-Custom-Header"]
}
}

Effect on response headers:

Access-Control-Allow-Headers: Authorization, X-Requested-With, X-Custom-Header

Example configuration:

{
"cors": {
"allowMethods": ["GET", "POST", "OPTIONS"]
}
}

Effect on response headers:

Access-Control-Allow-Methods: GET, POST, OPTIONS

Example configuration:

Note: When credentials is true, the Access-Control-Allow-Origin header must be a specific origin (not *), so origin must be set accordingly.

{
"cors": {
"credentials": true,
"origin": ["https://app.example.com"]
}
}

Effect on response headers:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://app.example.com

Example configuration:

{
"cors": {
"exposeHeaders": ["X-Request-ID", "X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset"]
}
}

Effect on response headers:

Access-Control-Expose-Headers: X-Request-ID, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
  • Type: number
  • Default: 86400
  • Description: Duration in seconds browsers should cache CORS preflight responses
  • Unit: Seconds
  • Valid range: 0 to 86400 (24 hours)
  • See: MDN: Access-Control-Max-Age

Example configuration:

{
"cors": {
"maxAge": 3600 // Cache preflight results for 1 hour
}
}

Effect on response headers:

Access-Control-Max-Age: 3600
  • Type: string[]
  • Default: ["*"]
  • Description: List of allowed origins
  • Format: Array of domain strings or "*" for all origins
  • See: MDN: Access-Control-Allow-Origin

Example configuration with wildcard:

{
"cors": {
"origin": ["*"]
}
}

Effect on response headers:

Access-Control-Allow-Origin: *

Example configuration with specific origins:

{
"cors": {
"origin": ["https://app.example.com", "https://admin.example.com"]
}
}

Effect on response headers (varies based on request origin):

Access-Control-Allow-Origin: https://app.example.com
Vary: Origin
{
"cors": {
"enabled": false,
"origin": ["*"],
"credentials": false,
"allowMethods": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
"exposeHeaders": [],
"allowHeaders": [],
"maxAge": 86400
}
}