Skip to main content

Parameters

See plugin common configurations for configuration options available to all plugins.

  • allow_origins

    string

    default: *

    Comma-separated string of origins to allow CORS.

    If allow_credential is set to true, you can forcefully allow CORS on all origins by configuring the field to ** but sensitive data, such as authentication tokens or cookies, can get exposed to any malicious website.

    You can also configure allow origins on a global scale using the plugin metadata, which configures the allow origins for all cors plugin instances. See the example for more details.

  • allow_methods

    string

    default: *

    Comma-separated string of HTTP request methods to allow CORS.

    If allow_credential is set to true, you can forcefully allow CORS on all methods by configuring the field to **, but a malicious actor can use HTTP methods, such as PUT or DELETE, to make unexpected modifications to shared resource and pose a security threat.

  • allow_headers

    string

    default: *

    Comma-separated string of HTTP headers allowed in requests.

    If allow_credential is set to true, you can forcefully allow CORS on all request headers by configuring the field to **, but it can potentially allow malicious headers to be sent to the server.

  • expose_headers

    string

    default: *

    Comma-separated string of HTTP headers that should be made available in response to a cross-origin request.

    If allow_credential is set to true, you can forcefully allow CORS on all response headers by configuring the field to **.

  • max_age

    integer

    default: 5

    Maximum time in seconds for which the results of a preflight request can be cached. If the time is within this limit, the browser will check the cached result. To disable caching, set max_age to -1.

    Note that the maximum value allowed is browser-dependent. See Access-Control-Max-Age for more details.

  • allow_credential

    boolean

    default: false

    If true, allow requests to include credentials, such as cookies. According to CORS specification, when allow_credentials is set to true, you cannot use * for other CORS attributes.

    To allow all origins, set the field to **. This can potentially allow sensitive user data, such as authentication tokens or cookies, to be exposed to malicious actors.

  • allow_origins_by_regex

    array[string]

    RegEx to match origins that allow CORS. When configured, only domains in this range will be allowed and any configuration in allow_origins will be ignored.

    For example, ['.*\.test.com$'] can match all subdomains of test.com.

  • allow_origins_by_metadata

    array[string]

    Origins to enable CORS referenced from allow_origins set in the plugin metadata. For example, if allow_origins: {'EXAMPLE': 'https://example.com'} is set in the plugin metadata, then ['EXAMPLE'] can be used to allow CORS on the origin https://example.com.

  • timing_allow_origins

    string

    Comma-separated string of origins to allow to access the resource timing information. See Timing-Allow-Origin for more details.

  • timing_allow_origins_by_regex

    array[string]

    RegEx to match with origin for enabling access to the resource timing information. When configured, only domains matching the RegEx will be allowed and any configuration in timing_allow_origins will be ignored.

    For example, ['.*\.test.com'] can match all subdomain of test.com.

API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud
API7 Enterprise
API Portal
Roadmap

Open Source

Apache APISIX
K8s Ingress Controller
wasm-nginx-module
Contributor Graph

Resources

Blog
Documentation
NGINX + Lua
APISIX vs Kong
APISIX vs NGINX

Company

About
Contact
Compliance Standards
Partners
Terms & Privacy
SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation