Cross-Origin Resource Sharing (CORS) is a W3C standard that lets a web server relax the browser's same-origin policy in a controlled way, so that cross-origin requests can be allowed or denied per origin rather than blocked outright. Currently, API Gateway supports configuring CORS rules to allow or deny cross-origin requests as needed.
If the default CORS configuration of API Gateway does not meet your needs, you can configure custom CORS rules through the CORS plugin and bind the plugin to APIs for the rules to take effect.
Parameter | Required | Description |
---|---|---|
Origin | Yes | Origins allowed to make cross-origin requests. Specify multiple origins separated by commas, or `*` to allow all origins. An origin has the form `scheme://host[:port]`: do not omit the `http` or `https` scheme, and include the port when it is not the scheme's default (80 for http, 443 for https). Do not combine `*` with Allow Cookies; browsers reject `Access-Control-Allow-Origin: *` on requests that carry credentials. |
Method | Yes | The cross-origin request methods to allow. GET, PUT, POST, DELETE, and HEAD are supported; list one or more of them. |
Allow-Headers | No | Custom HTTP request headers the browser may send in the request that follows the OPTIONS preflight (returned in `Access-Control-Allow-Headers`). Specify multiple headers separated by commas, or `*` to allow all headers. If you leave this parameter empty, all custom headers are denied. |
Expose-Headers | No | Response headers that page scripts may read from the `XMLHttpRequest` (or `fetch`) response (returned in `Access-Control-Expose-Headers`). Specify multiple headers separated by commas, or `*` to expose all headers. If you leave this parameter empty, no custom response headers are exposed. |
Allow Cookies | No | Whether the browser may send cookies and other credentials with the request (`Access-Control-Allow-Credentials: true`). When enabled, Origin must list explicit origins rather than `*`. |
Max-Age | Yes | How long, in seconds, the browser may cache the result of the OPTIONS preflight (`Access-Control-Max-Age`). The value must be a positive integer, such as 600. |
```json
{
  "allow_origin":[ // Allowed origins. * is supported, indicating that all domain names are allowed
    "*"
  ],
  "allow_methods":[ // Allowed methods. Valid values: GET, PUT, POST, DELETE, HEAD
    "PUT",
    "GET",
    "POST",
    "DELETE",
    "HEAD"
  ],
  "allow_headers":[ // Allowed request headers. * is supported, indicating that all headers are allowed
    "X-Api-ID"
  ],
  "expose_headers":[ // Headers that can be exposed to the `XMLHttpRequest` object. * is supported, indicating that all headers are allowed
    "X-Api-ID"
  ],
  "allow_credentials":true, // Whether to allow cookies. Browsers reject credentials when allow_origin is *, so list explicit origins when this is true
  "max_age":600 // How long, in seconds, the browser may cache the `OPTIONS` preflight result. The value must be a positive integer, such as 600
}
```
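The rule fields above map directly onto the CORS response headers a browser checks. The following Python is an added example, not the gateway's own code: it evaluates a rule built from the page's fields against a preflight and an actual request, normalizes origins the way the Origin column requires (scheme, host, non-default port), denies custom headers when Allow-Headers is empty, and flags the combination of `*` with Allow Cookies that browsers reject. The rule constants, the origins `https://app.example.com` and `http://localhost:3000`, and the choice never to reflect a caller's origin when credentials are on are assumptions of the example, not documented gateway behaviour.

```python
# Added example (not the gateway's code): evaluates a CORS plugin rule the way a
# browser-facing gateway must, and flags settings that browsers will not honor.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SUPPORTED_METHODS = {"GET", "PUT", "POST", "DELETE", "HEAD"}
DEFAULT_PORTS = {"http": 80, "https": 443}
# Headers a browser may send without listing them in the preflight (simplified:
# Content-Type is only safelisted for a few media types).
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}

@dataclass
class CorsRule:  # field for field as in the plugin's JSON configuration
    allow_origin: list
    allow_methods: list
    allow_headers: list = field(default_factory=list)
    expose_headers: list = field(default_factory=list)
    allow_credentials: bool = False
    max_age: int = 600

def normalize_origin(origin):
    """Canonical scheme://host[:port], or None if the string is not an origin."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname or parts.path or parts.query:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"

def validate_rule(rule):
    """Problems to fix before binding the plugin; an empty list means the rule is sane."""
    problems = []
    for origin in rule.allow_origin:
        if origin != "*" and normalize_origin(origin) is None:
            problems.append(f"origin {origin!r} must be http(s)://host[:port] with no path")
    unsupported = sorted(set(rule.allow_methods) - SUPPORTED_METHODS)
    if unsupported:
        problems.append(f"unsupported methods: {unsupported}")
    if rule.allow_credentials and "*" in rule.allow_origin:
        problems.append("browsers reject Access-Control-Allow-Origin: * on credentialed requests")
    if not isinstance(rule.max_age, int) or rule.max_age <= 0:
        problems.append("max_age must be a positive integer number of seconds")
    return problems

def match_origin(rule, origin):
    """Value for Access-Control-Allow-Origin, or None if the origin is not allowed.
    Assumption: with credentials on, '*' is never turned into a reflected origin."""
    wanted = normalize_origin(origin)
    if wanted is None:
        return None
    if "*" in rule.allow_origin and not rule.allow_credentials:
        return "*"
    explicit = {normalize_origin(o) for o in rule.allow_origin if o != "*"}
    return origin if wanted in explicit else None

def preflight_response(rule, origin, request_method, request_headers=""):
    """Headers for the OPTIONS preflight, or None when the gateway should deny it."""
    allowed_origin = match_origin(rule, origin)
    if allowed_origin is None or request_method not in rule.allow_methods:
        return None
    requested = [h.strip().lower() for h in request_headers.split(",") if h.strip()]
    allow_all = "*" in rule.allow_headers and not rule.allow_credentials
    allowed_headers = {h.lower() for h in rule.allow_headers}
    for name in requested:
        if not (name in SAFELISTED_HEADERS or allow_all or name in allowed_headers):
            return None  # an empty allow_headers therefore denies every custom header
    headers = {"Access-Control-Allow-Origin": allowed_origin,
               "Access-Control-Allow-Methods": ", ".join(rule.allow_methods),
               "Access-Control-Max-Age": str(rule.max_age)}  # browser cache lifetime
    if rule.allow_headers:
        headers["Access-Control-Allow-Headers"] = "*" if allow_all else ", ".join(rule.allow_headers)
    if rule.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if allowed_origin != "*":
        headers["Vary"] = "Origin"  # per-origin answers must not be cached across origins
    return headers

def actual_response(rule, origin):
    """CORS headers on the real response; this is where expose_headers applies."""
    allowed_origin = match_origin(rule, origin)
    if allowed_origin is None:
        return {}
    headers = {"Access-Control-Allow-Origin": allowed_origin}
    if rule.expose_headers:
        expose_all = "*" in rule.expose_headers and not rule.allow_credentials
        headers["Access-Control-Expose-Headers"] = "*" if expose_all else ", ".join(rule.expose_headers)
    if rule.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

# Constructed rules: WEAK_RULE repeats the page's sample ('*' plus cookies), which
# browsers reject; FIXED_RULE names the origins explicitly.
WEAK_RULE = CorsRule(allow_origin=["*"], allow_methods=["GET", "POST"], allow_credentials=True)
FIXED_RULE = CorsRule(allow_origin=["https://app.example.com", "http://localhost:3000"],
                      allow_methods=["GET", "POST"], allow_headers=["X-Api-ID"],
                      expose_headers=["X-Api-ID"], allow_credentials=True, max_age=600)
```

Running `validate_rule(WEAK_RULE)` reports the wildcard-plus-credentials problem, while `validate_rule(FIXED_RULE)` returns an empty list; `preflight_response(FIXED_RULE, "https://app.example.com", "POST", "X-Api-ID, Content-Type")` yields the allow headers, and the same call from `https://attacker.example` returns `None`. The `Vary: Origin` header matters whenever the answer depends on the caller's origin, otherwise a shared cache could serve one origin's allow header to another.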
Currently, there are two places in API Gateway where you can set CORS rules:
- The CORS is supported configuration item of an API. When it is enabled, API Gateway adds `Access-Control-Allow-Origin: *` to the response header by default.
- The CORS plugin, which carries the custom rules described above and is bound to APIs.
The CORS plugin has a higher priority than the CORS is supported configuration item: when a CORS plugin is bound to an API, that API's CORS is supported setting does not take effect.