Skip to main content
Version: 2.6

cors

Summary#

Description#

cors plugin can help you enable CORS easily.

Attributes#

NameTypeRequirementDefaultValidDescription
allow_originsstringoptional"*"Which Origins is allowed to enable CORS, format as:scheme://host:port, for example: https://somehost.com:8081. Multiple origin use , to split. When allow_credential is false, you can use * to indicate allow any origin. you also can allow all any origins forcefully using ** even already enable allow_credential, but it will bring some security risks.
allow_methodsstringoptional"*"Which Method is allowed to enable CORS, such as: GET, POST etc. Multiple method use , to split. When allow_credential is false, you can use * to indicate allow all any method. You also can allow any method forcefully using ** even already enable allow_credential, but it will bring some security risks.
allow_headersstringoptional"*"Which headers are allowed to set in request when access cross-origin resource. Multiple value use , to split. When allow_credential is false, you can use * to indicate allow all request headers. You also can allow any header forcefully using ** even already enable allow_credential, but it will bring some security risks.
expose_headersstringoptional"*"Which headers are allowed to set in response when access cross-origin resource. Multiple value use , to split.
max_ageintegeroptional5Maximum number of seconds the results can be cached.. Within this time range, the browser will reuse the last check result. -1 means no cache. Please note that the maximum value is depended on browser, please refer to MDN for details.
allow_credentialbooleanoptionalfalseEnable request include credential (such as Cookie etc.). According to CORS specification, if you set this option to true, you can not use '*' for other options.
allow_origins_by_regexarrayoptionalnilUse regex expressions to match which origin is allowed to enable CORS, for example, [".*.test.com"] can use to match all subdomain of test.com

Tips

Please note that allow_credential is a very sensitive option, so choose to enable it carefully. After set it be true, the default * of other parameters will be invalid, you must specify their values explicitly. When using **, you must fully understand that it introduces some security risks, such as CSRF, so make sure that this security level meets your expectations before using it。

How To Enable#

Create a Route or Service object and configure cors plugin.

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{    "uri": "/hello",    "plugins": {        "cors": {}    },    "upstream": {        "type": "roundrobin",        "nodes": {            "127.0.0.1:8080": 1        }    }}'

Test Plugin#

curl to server, you will find the headers about CORS is be returned, which means plugin is working fine.

curl http://127.0.0.1:9080/hello -v...< Server: APISIX web server< Access-Control-Allow-Origin: *< Access-Control-Allow-Methods: *< Access-Control-Allow-Headers: *< Access-Control-Expose-Headers: *< Access-Control-Max-Age: 5...

Disable Plugin#

Remove plugin from configuration.

$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{    "uri": "/hello",    "plugins": {},    "upstream": {        "type": "roundrobin",        "nodes": {            "127.0.0.1:8080": 1        }    }}'