Configuration

<init>

CORS feature configuration

allowCredentials

Allow sending credentials

allowNonSimpleContentTypes

Allow sending requests with non-simple content-types. The following content types are considered simple:

allowSameOrigin

Allow requests from the same origin

exposedHeaders

Exposed HTTP headers that could be accessed by a client

headers

Allowed CORS headers

hosts

Allowed CORS hosts

maxAge

Max-Age for cached CORS options

maxAgeInSeconds

Duration in seconds to tell the client to keep the host in a list of known HSTS hosts.

methods

Allowed HTTP methods

allowXHttpMethodOverride

Allow to send X-Http-Method-Override header

anyHost

Allow requests from any host

exposeHeader

Allow to expose header. It adds the header to Access-Control-Expose-Headers if it is not a simple response header.

exposeXHttpMethodOverride

Allow to expose X-Http-Method-Override header

header

Allow sending header

host

Allow requests from the specified domains and schemes

method

Please note that CORS operates ONLY with REAL HTTP methods and will never consider overridden methods via X-Http-Method-Override. However you can add them here if you are implementing CORS at client side from the scratch that you generally don’t need to do.

CorsDefaultHeaders

Default HTTP headers that are always allowed by CORS

CorsDefaultMethods

Default HTTP methods that are always allowed by CORS

CorsSimpleContentTypes

The allowed set of content types that are allowed by CORS without preflight check

CorsSimpleRequestHeaders

Default HTTP headers that are always allowed by CORS (simple request headers according to https://www.w3.org/TR/cors/#simple-header ) Please note that Content-Type header simplicity depends on it’s value.

CorsSimpleResponseHeaders

Default HTTP headers that are always allowed by CORS to be used in response (simple request headers according to https://www.w3.org/TR/cors/#simple-header )

maxAge

maxAgeDuration

Duration to tell the client to keep CORS options.