Skip to main content
Version: Next

CORS

Configure CORS headers via the settings.access.cors setting.

Example:

settings:
  access:
    cors:
      methods: [GET, POST, PUT, PATCH, DELETE, OPTIONS]
      headers:
        [
          "Content-Type",
          "Content-Language",
          "Authorization",
          "Accept",
          "Accept-Language",
        ]
        origins:
          - url: "https://domain.com"
          - url: "https://example.com/path"
            methods: [GET]
            headers: ["Content-Type"]

The cors.methods and cors.headers settings act as defaults for origins, which do not overwrite methods or headers.

note

Defaults for cors.methods and cors.headers are already defined as in the above

important

During preflight requests (OPTIONS) no authentication can be provided, this means using token configs is not possible, use the main config instead