CORS JSON configuration

Configure CORS by editing the cors-rules.json file that you created.

The JSON file must contain a single JSON object with two properties:

version {string}
Must be equal to "1.0".


rules {array<object>}
Must be an array of valid CORS rules.

The syntax of a rule object is defined as follows:

resource {object} (Required)

Describes how to match this rule with a request URL. Supports the following properties:
  • path {string} (Required) The resource path. Without startsWith or exact values, the CORS filter matches any request with a path that contains this value.
  • startsWith {boolean} (Optional) When true, the CORS filter matches only requests with a path that starts with the value of path.
  • exact {boolean} (Optional) When true, the CORS filter matches only requests with a path that is the exact value of path. The startsWith and exact properties are mutually exclusive.

allowOrigins {string | array<string>} (Required)

Specifies the list of allowed origins for this resource. Specify an array of strings where each element is an allowed origin host name, for example, "http://this.example.com". Only an origin that exactly matches one of these elements is allowed. For example, specify "http://this.example.com", "https://this.example.com", and "http://this.example.com:8080" to allow access through all of these URLs.

A value of "*" allows any origin. Its use is not recommended.

allowMethods {array<string>} (Required)

Specifies the list of allowed methods for this resource and origin. See Access-Control-Allow-Methods in the W3C Recommendation on Cross-Original Resource Sharing recommendation.

allowCredentials {boolean} (Optional)

When true, the CORS filter allows credentials for this resource and origin. See Access-Control-Allow-Credentials in the W3C Recommendation on Cross-Original Resource Sharing.

exposeHeaders {array<string>} (Optional)

Specifies the list of response headers to expose to XHR clients. This property causes the CORS filter to add an Access-Control-Expose-Headers header to responses to actual (not pre-flight) requests. Ultimately, the browser is responsible for exposing the headers to the XHR client. See Access-Control-Expose-Headers in the W3C Recommendation on Cross-Original Resource Sharing.