policies/cors[]

The reverse proxy can support cross-origin resource sharing (CORS) with CORS-aware clients.
Each defined policy must, at a minimum, contain:

  • name
  • method
  • policy:allow_origins

This entry is an array and can be used to specify multiple CORS policies.

Properties

| Name | Type | Constraints | Description |
|---|---|---|---|
| name | string | | The name which is associated with this CORS policy. |
| host | string | | The host (obtained from the host header in the request) for which this CORS policy will be applied. If no host header is specified all hosts will be matched. |
| paths | Array of string | | The paths for which this CORS policy will be applied. This entry is an array and can be used to specify multiple paths. |
| method | string | | The HTTP method for which this CORS policy will be applied. |
| policy | policy | | |

policies/cors[]/policy

The definition of the CORS policy.

Properties

| Name | Type | Constraints | Description |
|---|---|---|---|
| allow_origins | Array of string | | A list of origins which are permitted to make cross-origin requests. To allow cross-origin requests from any origin, add a single entry *. |
| handle_pre_flight | boolean | Values: true or false. Default value: false. | The reverse proxy can respond to pre-flight requests using the information from this policy. If set to false, pre-flight requests will be forwarded to the protected application. |
| allow_headers | Array of string | | Headers that are indicated as allowed in responses to pre-flight requests. Specifying no allow_header entries will indicate to clients that all headers are permitted. Not case-sensitive. Only valid if handle_pre_flight is set to true. |
| max_age | number | Minimum: -1. Maximum: unlimited. Default value: -1. | Maximum time (in seconds) a client should cache the results of a pre-flight request. A value of -1 indicates to clients that they should not cache, 0 indicates that clients may cache at their own discretion. Only valid if handle_pre_flight is set to true. |
| allow_methods | Array of string | | Methods that are indicated as allowed in responses to pre-flight requests. Specifying no allow_method entries will indicate to clients that all methods are permitted. Case-sensitive. Only valid if handle_pre_flight is set to true. |
| allow_credentials | boolean | Values: true or false. Default value: false. | Indicates to clients that authentication is required when accessing this resource. |
| expose_headers | Array of string | | Indicates to clients which headers they expose from the response. |

Example

policies:
  cors:
    - name: cors_policy_A
      host: www.test.com
      paths:
        - "/test"
        - "/development"
      method: GET
      policy:
        allow_origins:
          - www.test.com
          - www.example.com
        handle_pre_flight: true
        allow_headers:
          - test_header
          - test_header2
        max_age: 600
        allow_methods:
          - update
          - create
        allow_credentials: true
        expose_headers:
          - test_header
          - test_header2
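
A review aid for entries like the one above, added here as an example and not part of the product: it checks a parsed policies/cors[] entry against the constraints in the property tables. The function name, the finding strings, the reading that an entry without host matches all hosts, and the choice to flag any-origin combined with allow_credentials are assumptions of this example.

```python
PREFLIGHT_ONLY = ("allow_headers", "max_age", "allow_methods")

def lint_cors_policy(entry):
    """Return findings for one parsed policies/cors[] entry (a dict)."""
    findings = []
    policy = entry.get("policy") or {}
    origins = policy.get("allow_origins") or []
    # The page requires name, method and policy:allow_origins at a minimum.
    for key in ("name", "method"):
        if not entry.get(key):
            findings.append(f"missing required field: {key}")
    if not origins:
        findings.append("missing required field: policy:allow_origins")
    # Assumed reading of the host description: no host means all hosts match.
    if not entry.get("host"):
        findings.append("no host set: policy applies to all hosts")
    if "*" in origins:
        if len(origins) > 1:
            findings.append("'*' should be the single allow_origins entry")
        # Assumption: any-origin plus credentials is treated as a review item;
        # the page does not say how the proxy responds in that case.
        if policy.get("allow_credentials", False):
            findings.append("any origin allowed together with allow_credentials")
    if policy.get("handle_pre_flight", False):
        for key in ("allow_headers", "allow_methods"):
            if not policy.get(key):
                findings.append(f"no {key} entries: all indicated as permitted")
    else:
        for key in PREFLIGHT_ONLY:
            if key in policy:
                findings.append(f"{key} is only valid with handle_pre_flight: true")
    if policy.get("max_age", -1) < -1:
        findings.append("max_age is below the minimum of -1")
    return findings

# The page's example entry, as a YAML loader would return it.
PAGE_EXAMPLE = {
    "name": "cors_policy_A", "host": "www.test.com",
    "paths": ["/test", "/development"], "method": "GET",
    "policy": {"allow_origins": ["www.test.com", "www.example.com"],
               "handle_pre_flight": True, "allow_headers": ["test_header", "test_header2"],
               "max_age": 600, "allow_methods": ["update", "create"],
               "allow_credentials": True, "expose_headers": ["test_header", "test_header2"]},
}
# Constructed entry (not from the page) with settings worth reviewing.
CONSTRUCTED_OPEN = {
    "name": "cors_open", "method": "GET",
    "policy": {"allow_origins": ["*"], "allow_credentials": True, "max_age": 3600},
}
```

Running `lint_cors_policy` over every entry of a loaded configuration before deployment surfaces policies that are broader than intended, such as pre-flight options that are silently ignored because handle_pre_flight was left at its default.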