strapi/docs/security/cors.md
2016-03-22 18:11:11 +01:00


# CORS

Cross-Origin Resource Sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated.

## Configuration

Configuration:

- Key: `cors`
- Environment: `development`
- Location: `./config/environments/development/security.json`
- Type: `object`

Example:

```json
{
  "cors": {
    "origin": true,
    "expose": [
      "WWW-Authenticate",
      "Server-Authorization"
    ],
    "maxAge": 31536000,
    "credentials": true,
    "methods": [
      "GET",
      "POST",
      "PUT",
      "DELETE",
      "OPTIONS",
      "HEAD"
    ],
    "headers": [
      "Content-Type",
      "Authorization"
    ]
  }
}
```

Options:

- `origin` (string|boolean): Configures the `Access-Control-Allow-Origin` CORS header. Expects a string (e.g. `http://example.com`) or a boolean. Set to `true` to reflect the request origin, as read from `req.header('Origin')`. Set to `false` to disable CORS.
- `expose` (array): Configures the `Access-Control-Expose-Headers` CORS header. Set this to send the header; otherwise it is omitted.
- `maxAge` (integer): Configures the `Access-Control-Max-Age` CORS header. Set to an integer to send the header; otherwise it is omitted.
- `credentials` (boolean): Configures the `Access-Control-Allow-Credentials` CORS header. Set to `true` to send the header; otherwise it is omitted.
- `methods` (array): Configures the `Access-Control-Allow-Methods` CORS header.
- `headers` (array): Configures the `Access-Control-Allow-Headers` CORS header. If not specified, defaults to reflecting the headers listed in the request's `Access-Control-Request-Headers` header.

Notes:

- Set `origin` to `false` to disable CORS.
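The following is an added example, not Strapi's own middleware code: it computes the response headers the options above describe for a given request, and flags the combination `origin: true` with `credentials: true`, which reflects any `Origin` on credentialed requests so that any site a logged-in user visits can read this API's responses. The function names and the `requestedHeaders` parameter are assumptions for the illustration.

```javascript
// Added example (not Strapi's code): builds the CORS response headers for one
// request from a `cors` config object with the semantics documented above.
// requestOrigin: the request's Origin header (undefined if absent).
// requestedHeaders: the preflight's Access-Control-Request-Headers value.
function corsHeaders(cors, requestOrigin, requestedHeaders) {
  const out = {};
  if (!cors || cors.origin === false) return out; // CORS disabled: send nothing
  // origin: true reflects the request's Origin; a string is sent as-is
  const origin = cors.origin === true ? requestOrigin : cors.origin;
  if (!origin) return out; // no Origin header, e.g. a same-origin request
  out['Access-Control-Allow-Origin'] = origin;
  if (cors.credentials === true) out['Access-Control-Allow-Credentials'] = 'true';
  if (Array.isArray(cors.expose) && cors.expose.length)
    out['Access-Control-Expose-Headers'] = cors.expose.join(',');
  if (Number.isInteger(cors.maxAge)) out['Access-Control-Max-Age'] = String(cors.maxAge);
  if (Array.isArray(cors.methods)) out['Access-Control-Allow-Methods'] = cors.methods.join(',');
  // headers: explicit list, else reflect what the preflight asked for
  const allowHeaders = Array.isArray(cors.headers) ? cors.headers.join(',') : requestedHeaders;
  if (allowHeaders) out['Access-Control-Allow-Headers'] = allowHeaders;
  return out;
}

// Audits a `cors` config: reflecting every origin while also sending
// Allow-Credentials grants credentialed cross-origin reads to any website.
function auditCors(cors) {
  const findings = [];
  if (cors && cors.origin === true && cors.credentials === true) {
    findings.push('origin:true with credentials:true reflects any Origin for ' +
      'credentialed requests; set origin to an explicit string such as http://example.com');
  }
  return findings;
}

// The page's example config, as constructed sample input.
const exampleCors = {
  origin: true, expose: ['WWW-Authenticate', 'Server-Authorization'], maxAge: 31536000,
  credentials: true, methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'HEAD'],
  headers: ['Content-Type', 'Authorization'],
};

console.log(corsHeaders(exampleCors, 'http://attacker.example'));
console.log(auditCors(exampleCors));
```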