CORS headers

Cross-origin resource sharing (CORS) allows you to pass resources that are usually restricted to an outside domain. Refer to MDN's documentation for more information on CORS headers.

data-variant=info

data-slots=text

To add CORS headers to your mesh, create a CORS object in the responseConfig object, using the following key-value pairs:

• origin (Required) - the scheme and domain of the resource you want to allow to make a CORS request
• methods (Required) - the HTTP request methods allowed in the CORS request, such as GET, POST, and OPTIONS
• allowedHeaders - a string of allowed headers in preflight requests
• credentials - a boolean value that indicates if credentials can be included in CORS request (default: false)
• exposedHeaders - a comma-delimited CORS request that contains headers to expose
• maxAge - the maximum number of seconds the preflight response (the values of the origin and methods headers) can be cached

When specifying a CORS origin, list all applicable origins. Do not enter * for the value, as this will return the request's origin.

The following examples show how to use CORS with a single origin or with multiple origins:

data-slots=heading, code

data-repeat=2

data-languages=json, json

{
  "meshConfig": {
    ...
    "responseConfig": {
      "CORS": {
        "origin": "https://www.<your-domain>.com",
        "methods": [
          "GET",
          "POST"
        ],
        "maxAge": 60480,
        "credentials": true,
        "exposedHeaders": [
          "Content-Range",
          "X-Content-Range"
        ]
      }
    }
    ...
  }
}

{
  "meshConfig": {
    ...
    "responseConfig": {
      "CORS": {
        "maxAge": 60480,
        "methods": [
          "GET",
          "POST",
          "PUT",
          "HEAD",
          "OPTIONS"
        ],
        "origin": ["<origin1>", "<origin2>"]
      }
    }
    ...
  }
}