CORS policy lets you to manage Cross-Origin Resource Sharing headers for your consumers.
This is a strict implementation of W3C recommendations REC-cors-20140116. You can also have a look to Mozilla website for an overview of CORS.
This policy is a substitution of the CORS management from backend API. Thus, backend will never be invoked in case of pre-flight request (OPTIONS requests). For other requests, CORS headers will be set during the on-response phase.
You can configure the policy with the following options :
| Property | Required | Description | Type | Default |
|---|---|---|---|---|
accessControlAllowOrigin |
X |
The origin parameter specifies a URI that may access the resource |
string |
- |
accessControlAllowMethods |
X |
Specifies the method or methods allowed when accessing the resource. This is used in response to a preflight request |
Array of HTTP methods |
- |
accessControlAllowHeaders |
X |
Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request |
Array of HTTP headers |
- |
accessControlAllowCredentials |
- |
Indicates whether or not the response to the request can be exposed when the credentials flag is true. |
boolean |
false |
accessControlMaxAge |
- |
This header indicates how long the results of a preflight request can be cached (-1 if disabled). |
integer |
-1 |
accessControlExposeHeaders |
- |
This header lets a server whitelist headers that browsers are allowed to access. |
Array of HTTP headers |
- |
"cors": {
"accessControlAllowOrigin": "http://localhost",
"accessControlExposeHeaders": [
"X-Gravitee-Api-Key"
],
"accessControlMaxAge": -1,
"accessControlAllowCredentials": true,
"accessControlAllowMethods": [
"GET",
"POST",
"PUT"
],
"accessControlAllowHeaders": [
"X-Gravitee-Api-Key"
]
}