Parameters

See plugin common configurations for configuration options available to all plugins.

  • allow_origins

    string, default: *

    Comma-separated string of origins to allow CORS.

    If allow_credential is set to true, you can forcefully allow CORS on all origins by configuring the field to **, but sensitive data, such as authentication tokens or cookies, can get exposed to any malicious website.

    You can also configure allowed origins globally using the plugin metadata, which sets the allowed origins for all cors plugin instances. See the example for more details.

  • allow_methods

    string, default: *

    Comma-separated string of HTTP request methods to allow CORS.

    If allow_credential is set to true, you can forcefully allow CORS on all methods by configuring the field to **, but a malicious actor can then use HTTP methods such as PUT or DELETE to make unexpected modifications to shared resources, which poses a security threat.

  • allow_headers

    string, default: *

    Comma-separated string of HTTP headers allowed in requests.

    If allow_credential is set to true, you can forcefully allow CORS on all request headers by configuring the field to **, but it can potentially allow malicious headers to be sent to the server.

  • expose_headers

    string, default: *

    Comma-separated string of HTTP headers that should be made available in response to a cross-origin request.

    If allow_credential is set to true, you can forcefully allow CORS on all response headers by configuring the field to **.

  • max_age

    integer, default: 5

    Maximum time in seconds for which the result of a preflight request can be cached. Until that time has elapsed, the browser uses the cached result instead of sending another preflight request. To disable caching, set max_age to -1.

    Note that the maximum value honored is browser-dependent. See Access-Control-Max-Age for more details.

  • allow_credential

    boolean, default: false

    If true, allow requests to include credentials, such as cookies. According to the CORS specification, when allow_credential is set to true, you cannot use * for the other CORS attributes.

    To allow all origins in that case, set allow_origins to **. This can potentially allow sensitive user data, such as authentication tokens or cookies, to be exposed to malicious actors.

  • allow_origins_by_regex

    array[string]

    RegEx patterns to match origins that allow CORS. When configured, only origins matching one of the patterns will be allowed, and any configuration in allow_origins will be ignored.

    For example, ['.*\.test.com$'] can match all subdomains of test.com.

  • allow_origins_by_metadata

    array[string]

    Keys referencing origins defined under allow_origins in the plugin metadata. For example, if allow_origins: {'EXAMPLE': 'https://example.com'} is set in the plugin metadata, then ['EXAMPLE'] can be used to allow CORS on the origin https://example.com.

  • timing_allow_origins

    string

    Comma-separated string of origins allowed to access the resource timing information. See Timing-Allow-Origin for more details.

  • timing_allow_origins_by_regex

    array[string]

    RegEx patterns to match origins for enabling access to the resource timing information. When configured, only origins matching one of the patterns will be allowed, and any configuration in timing_allow_origins will be ignored.

    For example, ['.*\.test.com'] can match all subdomains of test.com.

Plugin Metadata

  • allow_origins

    string, default: *

    Comma-separated string of origins to allow CORS, shared by all cors plugin instances that reference it via allow_origins_by_metadata.

    If allow_credential is set to true, you can forcefully allow CORS on all origins by configuring the field to **, but sensitive data, such as authentication tokens or cookies, can get exposed to any malicious website.
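The following is an added model of the origin-resolution rules documented above (regex precedence over allow_origins, metadata key lookup, and the `*` / `**` credential rules), together with a check for the `**` settings the page warns about. It is an illustration written for this page, not the plugin's own Lua code; the metadata dictionary and origins are constructed samples, and treating `*` combined with allow_credential as "emit no CORS headers" is an assumption.

```python
import re

# Constructed sample plugin metadata, in the shape the page describes.
PLUGIN_METADATA = {"allow_origins": {"EXAMPLE": "https://example.com"}}

RISKY_FIELDS = ("allow_origins", "allow_methods", "allow_headers", "expose_headers")


def _split(csv):
    """Comma-separated string -> set of trimmed, non-empty origins."""
    return {o.strip() for o in csv.split(",") if o.strip()}


def resolve_allowed_origin(conf, origin, metadata=PLUGIN_METADATA):
    """Return the Access-Control-Allow-Origin value for a request Origin,
    or None when the origin is not allowed (no CORS headers emitted)."""
    creds = conf.get("allow_credential", False)
    raw = conf.get("allow_origins", "*")

    # allow_origins_by_regex takes precedence; allow_origins is ignored entirely.
    regexes = conf.get("allow_origins_by_regex")
    if regexes:
        return origin if any(re.match(r, origin) for r in regexes) else None

    # Explicit origins: the comma-separated list plus any metadata keys referenced.
    allowed = set() if raw in ("*", "**") else _split(raw)
    for key in conf.get("allow_origins_by_metadata", []):
        ref = metadata.get("allow_origins", {}).get(key)
        if ref:
            allowed |= _split(ref)
    if origin in allowed:
        return origin  # echo the matching origin, valid with or without credentials

    if raw == "**":
        return origin  # reflect any origin, even with credentials (the risky setting)
    if raw == "*":
        # Spec rule from the page: "*" cannot be combined with credentials.
        # Assumption: the model then emits no CORS headers at all.
        return None if creds else "*"
    return None


def risky_settings(conf):
    """Fields set to '**' while allow_credential is true, i.e. the combinations
    the page flags as exposing cookies/tokens or enabling unexpected methods."""
    if not conf.get("allow_credential"):
        return []
    return [f for f in RISKY_FIELDS if conf.get(f) == "**"]
```

A configuration that relies on `**` together with `allow_credential` reflects whatever Origin the browser sends, so `risky_settings` is the check to run before such a route goes live.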


Copyright © APISEVEN PTE. LTD 2019 – 2025. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the Apache Software Foundation.