Cross-Origin Resource Sharing (CORS)

EntryStore supports simple CORS requests (HEAD, GET, POST) as well as advanced CORS with preflight requests (OPTIONS followed by a subsequent request using any allowed HTTP verb).


The following settings can be used to activate and configure CORS:

entrystore.cors=on|off (default: off)*,,something.* (mandatory if cors=on)* (default: unset)
entrystore.cors.max-age=7200 (default: unset)
entrystore.cors.headers=X-Custom-Header (optional)


  • The origins setting (Access-Control-Allow-Origin) defines a list of allowed origins. There is limited support for wildcards: a single wildcard is supported at the beginning or at the end of an origin. An origin may also consist of a wildcard alone, without any surrounding characters. The value of this setting is a comma-separated list.
  • The max-age setting (Access-Control-Max-Age) is the duration in seconds for which the result of preflight requests should be cached.
  • The headers setting (controls both Access-Control-Allow-Headers and Access-Control-Expose-Headers) can be used to allow headers in addition to the (always allowed) simple response headers Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma. The value of this setting is a comma-separated list.
  • The setting affects Access-Control-Allow-Credentials and determines whether cookies may be sent for origins that match the patterns.
  • Access-Control-Allow-Methods is always set to HEAD, GET, PUT, POST, DELETE, OPTIONS.
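
One way to review an origins value before deploying it, as an added example that is not part of EntryStore or its documentation. It assumes a leading or trailing wildcard is matched as a plain suffix or prefix of the Origin header, which this page does not spell out; the function names and the sample value are constructed for illustration.

```python
# Added example, not EntryStore code. Assumption: a leading or trailing "*"
# is matched as a plain string suffix or prefix of the request's Origin header.

def parse_origins(value):
    """Split the comma-separated setting value, dropping empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def is_supported(pattern):
    """One wildcard at most, and only as the first or last character."""
    return pattern.count("*") <= 1 and "*" not in pattern[1:-1]

def origin_matches(pattern, origin):
    """Match one Origin header value against one configured pattern."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return origin.endswith(pattern[1:])
    if pattern.endswith("*"):
        return origin.startswith(pattern[:-1])
    return origin == pattern

def audit(value):
    """Return (pattern, finding) pairs for entries worth a second look."""
    findings = []
    for pattern in parse_origins(value):
        if not is_supported(pattern):
            findings.append((pattern, "wildcard placement not supported"))
        elif pattern == "*":
            findings.append((pattern, "matches every origin"))
        elif pattern.endswith("*"):
            findings.append((pattern, "prefix match, any host suffix is accepted"))
        elif pattern.startswith("*") and pattern[1:2] != ".":
            findings.append((pattern, "suffix match without a dot boundary"))
    return findings

# Constructed sample value for the origins setting (reserved example domains).
SAMPLE = ("*.example.org, https://app.example.org*, *example.net, "
          "https://a*b.example.org, https://portal.example.org")

if __name__ == "__main__":
    for pattern, finding in audit(SAMPLE):
        print(f"{pattern}: {finding}")
```

Entries that the credentials setting also matches deserve the strictest review, since cookies may be sent for those origins.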