Cross-Origin Resource Sharing (CORS)

EntryStore supports simple CORS requests (HEAD, GET, POST) as well as advanced CORS with preflight requests (an OPTIONS request followed by the actual request using any allowed HTTP verb).

Configuration

The following settings can be used to activate and configure CORS:

entrystore.cors=on|off (default: off)
entrystore.cors.origins=*.domain.com,domain.net,something.* (mandatory if cors=on)
entrystore.cors.origins.allow-credentials=*.internal.domain.com (default: unset)
entrystore.cors.max-age=7200 (default: unset)
entrystore.cors.headers=X-Custom-Header (optional)

Details

  • The origins setting (Access-Control-Allow-Origin) defines a list of allowed origins. There is limited support for wildcards: a single wildcard is supported at the beginning or at the end of an origin. An origin may also consist of a single wildcard with no surrounding characters. The value of this setting is a comma-separated list.
  • The max-age setting (Access-Control-Max-Age) is the duration in seconds for which the result of preflight requests should be cached.
  • The headers setting (controls both Access-Control-Allow-Headers and Access-Control-Expose-Headers) can be used to allow headers in addition to the (always allowed) simple response headers Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma. The value of this setting is a comma-separated list.
  • The entrystore.cors.origins.allow-credentials setting affects Access-Control-Allow-Credentials and determines whether cookies may be sent for origins that match the patterns.
  • Access-Control-Allow-Methods is always set to HEAD, GET, PUT, POST, DELETE, OPTIONS.
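The following is an added, self-contained Python example (not EntryStore's own code) that models the settings and matching rules described above: it parses the comma-separated lists, applies the limited wildcard support (bare `*`, a single leading wildcard such as `*.domain.com`, or a single trailing wildcard such as `something.*`) and works out which CORS response headers a request from a given Origin would get. It assumes that patterns are matched against the lowercased host part of the Origin header and that a matching origin is echoed back rather than answered with `*`; both are assumptions of this example, not documented EntryStore behaviour. The configuration values are the ones shown on this page, with a constructed request origin.

```python
from urllib.parse import urlsplit

# Simple response headers that the page lists as always allowed/exposed.
SIMPLE_RESPONSE_HEADERS = ["Cache-Control", "Content-Language", "Content-Type",
                           "Expires", "Last-Modified", "Pragma"]
# Access-Control-Allow-Methods is always this fixed list.
ALLOWED_METHODS = "HEAD, GET, PUT, POST, DELETE, OPTIONS"

# Settings copied from the configuration section above.
EXAMPLE_CONFIG = {
    "entrystore.cors": "on",
    "entrystore.cors.origins": "*.domain.com,domain.net,something.*",
    "entrystore.cors.origins.allow-credentials": "*.internal.domain.com",
    "entrystore.cors.max-age": "7200",
    "entrystore.cors.headers": "X-Custom-Header",
}


def parse_list(value):
    """Split a comma-separated setting into its non-empty, trimmed items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def match_origin(pattern, host):
    """Apply the page's limited wildcard rules to one pattern and one host.

    Supported: exact host, '*' alone, a single leading '*' (suffix match) or a
    single trailing '*' (prefix match). Anything else is rejected as invalid.
    """
    if pattern == "*":
        return True
    stars = pattern.count("*")
    if stars > 1 or (stars == 1 and not (pattern.startswith("*") or pattern.endswith("*"))):
        raise ValueError("unsupported wildcard pattern: %s" % pattern)
    if pattern.startswith("*"):
        # '*.domain.com' keeps the dot, so 'evildomain.com' does not match.
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        # Caveat: 'something.*' also matches 'something.attacker.example'.
        return host.startswith(pattern[:-1])
    return host == pattern


def origin_host(origin):
    """Assumption of this example: patterns are matched against the lowercased host."""
    return (urlsplit(origin).hostname or "").lower()


def cors_headers(config, request_origin, is_preflight=False):
    """Return the CORS response headers for a request carrying request_origin."""
    if config.get("entrystore.cors", "off") != "on":
        return {}
    origins = parse_list(config.get("entrystore.cors.origins"))
    if not origins:
        raise ValueError("entrystore.cors.origins is mandatory when entrystore.cors=on")
    cred_patterns = parse_list(config.get("entrystore.cors.origins.allow-credentials"))
    # Added safety check of this example: credentials for every origin is the
    # classic CORS misconfiguration, so refuse a bare '*' in the credentials list.
    if "*" in cred_patterns:
        raise ValueError("refusing to allow credentials for all origins")

    host = origin_host(request_origin)
    if not any(match_origin(p, host) for p in origins):
        return {}  # no CORS headers at all: the browser blocks the cross-origin read

    # Echo the concrete origin instead of '*' (browsers reject '*' together with
    # Allow-Credentials: true) and add Vary: Origin so shared caches do not serve
    # one origin's response to another.
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if any(match_origin(p, host) for p in cred_patterns):
        headers["Access-Control-Allow-Credentials"] = "true"

    extra = parse_list(config.get("entrystore.cors.headers"))
    if is_preflight:
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        if extra:
            headers["Access-Control-Allow-Headers"] = ", ".join(extra)
        max_age = config.get("entrystore.cors.max-age")
        if max_age:
            headers["Access-Control-Max-Age"] = max_age
    elif extra:
        # The simple response headers are readable without being listed here.
        headers["Access-Control-Expose-Headers"] = ", ".join(extra)
    return headers


if __name__ == "__main__":
    # Constructed request origins, not taken from the page.
    for origin, preflight in [("https://app.domain.com", False),
                              ("https://api.internal.domain.com", True),
                              ("https://evil.example", False)]:
        print(origin, "preflight" if preflight else "actual",
              cors_headers(EXAMPLE_CONFIG, origin, preflight))
```

Running the block shows the three outcomes a practitioner wants to verify: a plain allowed origin gets the echoed origin without credentials, an origin under `*.internal.domain.com` additionally gets `Access-Control-Allow-Credentials: true` and the 7200-second max-age on preflight, and an unlisted origin gets no CORS headers at all.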