cors plugin can help you enable CORS easily.
|allow_origins||string||optional||"*"||Which Origins is allowed to enable CORS, format as: |
|allow_methods||string||optional||"*"||Which Method is allowed to enable CORS, such as: |
|allow_headers||string||optional||"*"||Which headers are allowed to set in request when access cross-origin resource. Multiple value use |
|expose_headers||string||optional||"*"||Which headers are allowed to set in response when access cross-origin resource. Multiple value use |
|max_age||integer||optional||5||Maximum number of seconds the results can be cached. Within this time range, the browser will reuse the last check result. |
|allow_credential||boolean||optional||false||Enable request include credential (such as Cookie etc.). According to CORS specification, if you set this option to |
|allow_origins_by_regex||array||optional||nil||Use regex expressions to match which origin is allowed to enable CORS, for example, [".*.test.com"] can use to match all subdomain of test.com|
|allow_origins_by_metadata||array||optional||nil||Match which origin is allowed to enable CORS by referencing |
Please note that
allow_credentialis a very sensitive option, so choose to enable it carefully. After set it be
true, the default
*of other parameters will be invalid, you must specify their values explicitly. When using
**, you must fully understand that it introduces some security risks, such as CSRF, so make sure that this security level meets your expectations before using it。
|allow_origins||object||optional||A map from origin reference to allowed origins; its key is the reference used by |
#How To Enable
Service object and configure
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
curl to server, you will find the headers about
CORS is be returned, which means plugin is working fine.
curl http://127.0.0.1:9080/hello -v
< Server: APISIX web server
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: *
< Access-Control-Allow-Headers: *
< Access-Control-Expose-Headers: *
< Access-Control-Max-Age: 5
When you want to disable the
cors plugin, it is very simple, you can delete the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:
$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
cors plugin has been disabled now. It works for other plugins.