Skip to main content

Enable CORS

The CORS plugin allows users to enable the Cross-Origin Resource Sharing mechanism on API7 Cloud.

You can configure the CORS plugin in a service or a route.

  1. If you configure the CORS plugin only for a service, it'll affect all routes in it.
  2. If you configure the CORS plugin only for route, then the CORS plugin only affects this route.
  3. If you configure the CORS plugin for both the service and the route, the CORS plugin in route takes precedence.

How to Configure CORS Plugin

You can configure the CORS plugin when creating or updating a service or route.

CORS Plugin

In the above image, you can see:

  1. Access-Control-Allow-Origin is set to
  2. Access-Control-Allow-Methods is set to GET.
  3. Access-Control-Max-Age is set to 5 (seconds).
  4. Access-Control-Allow-Credentials is false.
  5. Access-Control-Allow-Headers and Access-Control-Expose-Headers are set to *.

How to Test the CORS Plugin

First, deploy a gateway instance and connect to the API7 Cloud. Please see Add a gateway instance and connect it to the API7 Cloud to learn the details.

Then we can send a request to verify the CORS plugin.

curl -H 'Host:' -H 'Origin:' -X OPTIONS -i
HTTP/1.1 200 OK
Date: Wed, 13 Apr 2022 07:07:53 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.15.0
Vary: Origin
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 5
Access-Control-Expose-Headers: *
Access-Control-Allow-Headers: *

As you can see, the CORS headers are the same as the ones in the above image that we set.


the CORS plugin overrides the CORS headers from upstream. But the Access-Control-Allow-Credentials header is special. The CORS plugin doesn't set this header if the value is false. So in such a case, if you still see the Access-Control-Allow-Credentials header in the response, it means that it's your upstream set it.

What's Next Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.


API7 Cloud

SOC2 Type IRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation