Skip to content
|
Plugin Hub
github-edit-pageEdit this page
report-issueReport an issue
header icon

CORS Configuration

By Kong Inc.
You are browsing documentation for an outdated plugin version.

Configuration

This plugin is compatible with DB-less mode.

Compatible protocols

The CORS plugin is compatible with the following protocols:

grpc, grpcs, http, https

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

  • name or plugin

    string required

    The name of the plugin, in this case cors.

    • If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is name.
    • If using the KongPlugin object in Kubernetes, the field is plugin.

  • service.name or service.id

    string

    The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint. Not required if using /services/{serviceName|Id}/plugins.

  • route.name or route.id

    string

    The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint. Not required if using /routes/{routeName|Id}/plugins.

  • enabled

    boolean default: true

    Whether this plugin will be applied.

  • config

    record required

    • origins

      array of type string

      List of allowed domains for the Access-Control-Allow-Origin header. If you want to allow all origins, add * as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.

    • headers

      array of type string

      Value for the Access-Control-Allow-Headers header.

    • exposed_headers

      array of type string

      Value for the Access-Control-Expose-Headers header. If not specified, no custom headers are exposed.

    • methods

      array of type string default: GET, HEAD, PUT, PATCH, POST, DELETE, OPTIONS, TRACE, CONNECT Must be one of: GET, HEAD, PUT, PATCH, POST, DELETE, OPTIONS, TRACE, CONNECT

      ‘Value for the Access-Control-Allow-Methods header. Available options include GET, HEAD, PUT, PATCH, POST, DELETE, OPTIONS, TRACE, CONNECT. By default, all options are allowed.’

    • max_age

      number

      Indicates how long the results of the preflight request can be cached, in seconds.

    • credentials

      boolean required default: false

      Flag to determine whether the Access-Control-Allow-Credentials header should be sent with true as the value.

    • preflight_continue

      boolean required default: false

      A boolean value that instructs the plugin to proxy the OPTIONS preflight request to the Upstream service.