CORS
policies/cors[]
The reverse proxy can support cross-origin resource sharing with CORS-aware clients.
Each defined policy must at a minimum contain:
- name
- method
- policy:allow_origins
This entry is an array and can be used to specify multiple CORS policies.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
name | string | | The name which is associated with this CORS policy. |
host | string | | The host (obtained from the host header in the request) for which this CORS policy will be applied. If no host header is specified all hosts will be matched. |
paths | Array of string | | The paths for which this CORS policy will be applied. This entry is an array and can be used to specify multiple paths. |
method | string | | The HTTP method for which this CORS policy will be applied. |
policy | policy | | |
policies/cors[]/policy
The definition of the CORS policy.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
allow_origins | Array of string | | A list of origins which are permitted to make cross-origin requests. To allow cross-origin requests from any origin, add a single entry `*`. |
handle_pre_flight | boolean | Values: true or false Default value: false | The reverse proxy can respond to pre-flight requests using the information from this policy. If set to false, pre-flight requests will be forwarded to the protected application. |
allow_headers | Array of string | | Headers that are indicated as allowed in responses to pre-flight requests. Specifying no allow_headers entries will indicate to clients that all headers are permitted. Not case-sensitive. Only valid if handle_pre_flight is set to true. |
max_age | number | Minimum: -1 Maximum: unlimited Default value: -1 | Maximum time (in seconds) a client should cache the results of a pre-flight request. A value of -1 indicates to clients that they should not cache, 0 indicates that clients may cache at their own discretion. Only valid if handle_pre_flight is set to true. |
allow_methods | Array of string | | Methods that are indicated as allowed in responses to pre-flight requests. Specifying no allow_methods entries will indicate to clients that all methods are permitted. Case-sensitive. Only valid if handle_pre_flight is set to true. |
allow_credentials | boolean | Values: true or false Default value: false | Indicates to clients that authentication is required when accessing this resource. |
expose_headers | Array of string | | Indicates to clients which headers from the response they may expose. |
Example
```yaml
policies:
  cors:
    - name: cors_policy_A
      host: www.test.com
      paths:
        - "/test"
        - "/development"
      method: GET
      policy:
        allow_origins:
          - www.test.com
          - www.example.com
        handle_pre_flight: true
        allow_headers:
          - test_header
          - test_header2
        max_age: 600
        allow_methods:
          - update
          - create
        allow_credentials: true
        expose_headers:
          - test_header
          - test_header2
```
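
The following is an added example, not part of the product documentation or the vendor's code: a small Python lint that checks one `policies/cors[]` entry, already parsed into a dict, against the required fields and constraints in the tables above, and flags a wildcard origin combined with `allow_credentials`, which browsers reject for credentialed requests. The function name `lint_cors_policy` and the sample entry are constructed for illustration.

```python
# Added example: lint for one policies/cors[] entry (not vendor code).
PREFLIGHT_ONLY = ("allow_headers", "max_age", "allow_methods")

def lint_cors_policy(entry):
    """Return findings for one policies/cors[] entry given as a dict."""
    findings = []
    policy = entry.get("policy") or {}
    origins = policy.get("allow_origins") or []
    preflight = policy.get("handle_pre_flight", False)

    # Required per the page: name, method, policy/allow_origins.
    for key in ("name", "method"):
        if not entry.get(key):
            findings.append(f"missing required field: {key}")
    if not origins:
        findings.append("missing required field: policy/allow_origins")

    # Documented as "Only valid if handle_pre_flight is set to true".
    if not preflight:
        for key in PREFLIGHT_ONLY:
            if key in policy:
                findings.append(f"{key} set but handle_pre_flight is not true")
    else:
        # No entries tells clients that all headers/methods are permitted.
        for key in ("allow_headers", "allow_methods"):
            if not policy.get(key):
                findings.append(f"{key} empty: everything advertised as permitted")

    if policy.get("max_age", -1) < -1:
        findings.append("max_age below documented minimum of -1")

    # "*" opens the resource to every origin; browsers refuse a literal "*"
    # on credentialed requests (Fetch standard), so flag the combination.
    if "*" in origins:
        if len(origins) > 1:
            findings.append("'*' should be the single allow_origins entry")
        if policy.get("allow_credentials", False):
            findings.append("allow_origins '*' combined with allow_credentials")
    return findings

# Constructed sample: wildcard origin plus credentials, pre-flight disabled.
RISKY = {"name": "open_api", "method": "GET",
         "policy": {"allow_origins": ["*"], "allow_credentials": True, "max_age": 600}}

if __name__ == "__main__":
    for finding in lint_cors_policy(RISKY):
        print(finding)
```

How the reverse proxy itself emits headers for the wildcard-plus-credentials combination is not stated on this page; the lint only flags the configuration for review.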