CORS Policy

Description

A policy implementing CORS (Cross-Origin Resource Sharing), a method of defining access to resources outside the originating domain. It is principally a security mechanism to prevent resources from being loaded from unexpected domains, for instance via XSS injection attacks.

For further references, see:

Plugin

{
    "groupId": "io.apiman.plugins",
    "artifactId": "apiman-plugins-cors-policy",
    "version": "3.0.0.Final"
}

Configuration

The configuration options available are:

Table 1. CORS policy configuration

errorOnCorsFailure
  Type: Boolean
  Description: Error on CORS failure. When true, any request that fails CORS validation will be terminated with an appropriate error. When false, the request will still be sent to the backend API, but the browser will be left to enforce the CORS failure. In both cases valid CORS headers will be set.
  Default: true

allowOrigin
  Type: Set<String>
  Header: Access-Control-Allow-Origin
  Description: List of origins permitted to make CORS requests through the gateway. By default same-origin is permitted and cross-origin is forbidden. A special entry of * permits all CORS requests.
  Default: Empty

allowCredentials
  Type: Boolean
  Header: Access-Control-Allow-Credentials
  Description: Whether the response may be exposed when the credentials flag is set to true on the request.
  Default: false

exposeHeaders
  Type: Set<String>
  Header: Access-Control-Expose-Headers
  Description: Which non-simple headers the browser may expose during CORS.
  Default: Empty

allowHeaders
  Type: Set<String>
  Header: Access-Control-Allow-Headers
  Description: In response to a preflight request, which headers can be used during the actual request.
  Default: Empty

allowMethods
  Type: Set<String>
  Header: Access-Control-Allow-Methods
  Description: In response to a preflight request, which methods can be used during the actual request.
  Default: Empty

maxAge
  Type: Integer
  Header: Access-Control-Max-Age
  Description: How long the result of a preflight request can be cached, in delta seconds.
  Default: Not included

Sample Configuration

{
   "exposeHeaders" : [
      "X-REQUESTS-REMAINING"
   ],
   "maxAge" : 9001,
   "allowOrigin" : [
      "https://foo.example",
      "https://bar.example"
   ],
   "errorOnCorsFailure" : true,
   "allowCredentials" : false,
   "allowMethods" : [
      "POST"
   ],
   "allowHeaders" : [
      "X-CUSTOM-HEADER"
   ]
}
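The option semantics described in Table 1, applied to the sample configuration above, as an added illustration in Python (not the plugin's own code). It assumes the gateway answers preflight requests itself; the request URLs and origins are constructed.

```python
from urllib.parse import urlsplit

# Constructed: the page's sample configuration as a Python dict.
SAMPLE_CONFIG = {
    "errorOnCorsFailure": True,
    "allowOrigin": ["https://foo.example", "https://bar.example"],
    "allowCredentials": False,
    "exposeHeaders": ["X-REQUESTS-REMAINING"],
    "allowHeaders": ["X-CUSTOM-HEADER"],
    "allowMethods": ["POST"],
    "maxAge": 9001,
}


def evaluate_cors(config, method, headers, request_url):
    """Model the documented option semantics for one request (illustrative, not apiman's code).

    Returns (verdict, response_headers). verdict is "forward" (send to the
    backend), "reject" (terminate with an error) or "preflight" (assumption:
    the gateway answers the OPTIONS preflight itself).
    """
    origin = headers.get("Origin")
    if origin is None:
        return "forward", {}  # not a CORS request, nothing to enforce
    parts = urlsplit(request_url)
    same_origin = origin == f"{parts.scheme}://{parts.netloc}"
    allowed = set(config.get("allowOrigin", []))
    wildcard = "*" in allowed
    permitted = same_origin or origin in allowed or wildcard
    if not permitted and config.get("errorOnCorsFailure", True):
        return "reject", {}  # errorOnCorsFailure: fail closed at the gateway
    resp = {}
    if permitted:
        # A credentialed response must name the origin; browsers reject "*".
        creds = config.get("allowCredentials", False)
        resp["Access-Control-Allow-Origin"] = "*" if wildcard and not creds else origin
        if creds:
            resp["Access-Control-Allow-Credentials"] = "true"
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        if permitted:
            resp["Access-Control-Allow-Methods"] = ", ".join(config.get("allowMethods", []))
            resp["Access-Control-Allow-Headers"] = ", ".join(config.get("allowHeaders", []))
            if config.get("maxAge") is not None:  # default "Not included"
                resp["Access-Control-Max-Age"] = str(config["maxAge"])
        return "preflight", resp
    if permitted and config.get("exposeHeaders"):
        resp["Access-Control-Expose-Headers"] = ", ".join(config["exposeHeaders"])
    # Not permitted with errorOnCorsFailure false: forward without an
    # Allow-Origin header and let the browser enforce the failure.
    return "forward", resp
```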