CORS (Cross-Origin Resource Sharing)

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to let a user agent gain permission to access selected resources from a server on a different origin (domain) than the site currently in use.

Since v0.10, aah framework provides an easy-to-use and flexible way to configure CORS at the domain level as well as at each route level. CORS can also be disabled for individual routes.

To enable CORS, place the following config in each domain configuration:

cors {
  enable = true
}

CORS configuration lives in routes.conf. It has two parts, domain level and route level, and the config attributes are largely the same for both.

Domain Level

Configure CORS values for each domain/sub-domain in routes.conf. Each attribute is described below under Section: cors { … }.

cors {
  enable = true
  allow_origins = ["https://www.example.com", "http://sample.com"]
  allow_headers = ["Accept", "Authorization", "Content-Type", "Origin"]
  allow_methods = ["GET", "POST", "HEAD"]
  expose_headers = ["X-Custom-Header"]
  max_age = "48h"
  allow_credentials = true
}

Route Level

Configure CORS values for each route in the domain. Undefined config attributes are inherited from the domain level or the parent route config. Each attribute is described below under Section: cors { … }.

Section: cors { … }

The following config attributes apply to the domain level as well as the route level.

enable

Used to enable or disable CORS for a domain or route.

Default value is false - for domain level.
Default value is true - for route level.

enable = true

allow_origins

Used to specify the value of the Access-Control-Allow-Origin header.

Default value is * - for domain level.
Default value for route level - Inherited from parent route/domain.

allow_origins = ["*"]

allow_headers

Used to specify the value of the Access-Control-Allow-Headers header.

Default values are Accept, Accept-Language, Authorization, Origin - for domain level.
Default value for route level - Inherited from parent route/domain.

allow_headers = [
  "Accept",
  "Authorization",
  "Content-Type",
  "Origin",
  "X-Custom-Header"
]

allow_methods

Used to specify the value of the Access-Control-Allow-Methods header.

Default values are GET, POST, HEAD - for domain level.
Default value for route level - Inherited from parent route/domain.

allow_methods = ["GET", "POST", "HEAD", "PUT", "DELETE"]

expose_headers

Used to specify the value of the Access-Control-Expose-Headers header.

Default value - if not provided, the cors.allow_headers values are used - for domain level.
Default value for route level - Inherited from parent route/domain.

expose_headers = ["X-Custom-Header"]

max_age

Used to specify the value of the Access-Control-Max-Age header.

Default value is 24h - for domain level.
Default value for route level - Inherited from parent route/domain.

max_age = "48h"

allow_credentials

Used to specify the value of the Access-Control-Allow-Credentials header.

Default value is false - for domain level.
Default value for route level - Inherited from parent route/domain.

allow_credentials = true
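As an added example (not aah's own code), the Go sketch below models the inheritance rules and defaults listed above, resolving a route block over its domain block, and goes one step beyond the page with a lint for the one resolved combination browsers reject: allow_credentials = true while allow_origins is still ["*"]. The CORS type, DomainDefaults, Resolve and Lint are assumed names for illustration.

```go
package main

import "fmt"

// CORS models one cors { ... } block. A nil pointer, nil slice or empty
// string means "not set at this level". Illustrative types, not aah's own.
type CORS struct {
	Enable, AllowCredentials                                *bool
	AllowOrigins, AllowHeaders, AllowMethods, ExposeHeaders []string
	MaxAge                                                  string
}

func boolp(b bool) *bool { return &b }

// DomainDefaults are the domain-level defaults documented on this page.
var DomainDefaults = CORS{Enable: boolp(false), AllowCredentials: boolp(false),
	AllowOrigins: []string{"*"}, AllowMethods: []string{"GET", "POST", "HEAD"},
	AllowHeaders: []string{"Accept", "Accept-Language", "Authorization", "Origin"},
	MaxAge:       "24h"}

// Resolve fills each unset route attribute from the parent (route <- domain);
// enable defaults to true at route level and expose_headers falls back to allow_headers.
func Resolve(r, p CORS) CORS {
	if r.Enable == nil {
		r.Enable = boolp(true)
	}
	if r.AllowCredentials == nil {
		r.AllowCredentials = p.AllowCredentials
	}
	if r.MaxAge == "" {
		r.MaxAge = p.MaxAge
	}
	for _, f := range [][2]*[]string{{&r.AllowOrigins, &p.AllowOrigins},
		{&r.AllowHeaders, &p.AllowHeaders}, {&r.AllowMethods, &p.AllowMethods},
		{&r.ExposeHeaders, &p.ExposeHeaders}, {&r.ExposeHeaders, &r.AllowHeaders}} {
		if *f[0] == nil {
			*f[0] = *f[1]
		}
	}
	return r
}

// Lint flags a resolved block that enables credentials while allow_origins is still
// "*": browsers reject credentialed responses with Access-Control-Allow-Origin: *.
func Lint(c CORS) error {
	if *c.Enable && *c.AllowCredentials && len(c.AllowOrigins) == 1 && c.AllowOrigins[0] == "*" {
		return fmt.Errorf("allow_credentials = true with allow_origins = [\"*\"]: list origins explicitly")
	}
	return nil
}
```

A route that only sets allow_credentials = true under a domain block that kept the default allow_origins ends up in exactly the flagged state, which is easy to miss because the route itself never mentions origins.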