CORS Policy
Description
A policy implementing CORS (Cross-Origin Resource Sharing), a mechanism for defining which origins outside the originating domain may access a resource. It is principally a security mechanism that prevents resources from being loaded from unexpected domains, for instance via XSS injection attacks.
For further references, see:
Plugin
```json
{
  "groupId": "io.apiman.plugins",
  "artifactId": "apiman-plugins-cors-policy",
  "version": "3.2.0-SNAPSHOT"
}
```
Configuration
The configuration options available are:
Option | Type | Description | Default |
---|---|---|---|
`errorOnCorsFailure` | Boolean | Error on CORS failure. When true, any request that fails CORS validation is terminated with an appropriate error. When false, the request is still sent to the backend API, but the browser is left to enforce the CORS failure. In both cases valid CORS headers are set. | `true` |
`allowOrigin` | `Set<String>` | `Access-Control-Allow-Origin`. List of origins permitted to make CORS requests through the gateway. By default same-origin is permitted and cross-origin is forbidden. A special entry of | Empty |
`allowCredentials` | Boolean | `Access-Control-Allow-Credentials`. Whether the response may be exposed when the | `false` |
`exposeHeaders` | `Set<String>` | `Access-Control-Expose-Headers`. Which non-simple headers the browser may expose during CORS. | Empty |
`allowHeaders` | `Set<String>` | `Access-Control-Allow-Headers`. In response to a preflight request, which headers can be used during the actual request. | Empty |
`allowMethods` | `Set<String>` | `Access-Control-Allow-Methods`. In response to a preflight request, which methods can be used during the actual request. | Empty |
`maxAge` | Integer | `Access-Control-Max-Age`. How long a preflight response can be cached, in delta seconds. | Not included |
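To make the interaction of these options concrete, here is an added Python model of the decision flow the table describes. It is an illustration written for this page, not apiman's own code: the exact-match origin check, the host-based same-origin test and the 403 status used on failure are assumptions.

```python
"""Model of the CORS policy decision flow (added illustration, not apiman's code).
Option names mirror the table; the origin matching rules are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CorsConfig:
    errorOnCorsFailure: bool = True
    allowOrigin: set = field(default_factory=set)   # empty: cross-origin forbidden
    allowCredentials: bool = False
    exposeHeaders: set = field(default_factory=set)
    allowHeaders: set = field(default_factory=set)
    allowMethods: set = field(default_factory=set)
    maxAge: Optional[int] = None                    # None: header not included


def evaluate(cfg, method, gateway_host, request_headers):
    """Return (forward_to_backend, status, response_headers) for one request."""
    origin = request_headers.get("Origin")
    if origin is None:                              # not a CORS request: nothing to do
        return True, None, {}
    # Assumption: same-origin means the Origin host equals the gateway host.
    same_origin = origin.split("://", 1)[-1] == gateway_host
    allowed = same_origin or origin in cfg.allowOrigin
    headers = {}
    if allowed:                                     # echo only a validated origin
        headers["Access-Control-Allow-Origin"] = origin
        if cfg.allowCredentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        if cfg.exposeHeaders:
            headers["Access-Control-Expose-Headers"] = ",".join(sorted(cfg.exposeHeaders))
    preflight = method == "OPTIONS" and "Access-Control-Request-Method" in request_headers
    if preflight:                                   # answered at the gateway, never forwarded
        if allowed:
            if cfg.allowMethods:
                headers["Access-Control-Allow-Methods"] = ",".join(sorted(cfg.allowMethods))
            if cfg.allowHeaders:
                headers["Access-Control-Allow-Headers"] = ",".join(sorted(cfg.allowHeaders))
            if cfg.maxAge is not None:
                headers["Access-Control-Max-Age"] = str(cfg.maxAge)
            return False, 200, headers
        return False, 403 if cfg.errorOnCorsFailure else 200, headers
    if not allowed and cfg.errorOnCorsFailure:      # terminate with an error
        return False, 403, headers
    return True, None, headers                      # forward; browser enforces if not allowed
```

With `errorOnCorsFailure` set to false the disallowed request reaches the backend without an `Access-Control-Allow-Origin` header, so only the browser blocks the response; setting it to true keeps the backend from doing any work for such requests.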