CORS Plugin
The CORS plugin handles Cross-Origin Resource Sharing for your API domains, allowing you to specify exactly which origins, methods, and headers are permitted to access your services.
⚙️ Configuration
The plugin is typically enabled for a full domain to manage all its endpoints.
```yaml
- urn: "urn:crate:plugin:cors"
  name: "global-cors"
  type: "request_filter"
  active: true
  config:
    allowed_origins: ["https://myapp.com", "https://staging.myapp.com"]
    allowed_methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
    allowed_headers: ["Content-Type", "Authorization", "X-API-Key"]
    allow_credentials: true
    max_age: 3600
```
Field Definitions
| Field | Type | Description |
|---|---|---|
| `allowed_origins` | `[]string` | List of origins that are permitted to access the resource. Use `*` to allow any origin (not recommended for production). |
| `allowed_methods` | `[]string` | List of HTTP methods that are permitted. |
| `allowed_headers` | `[]string` | List of HTTP headers that can be used. |
| `allow_credentials` | `boolean` | Set to true to allow cookies and authentication headers. |
| `max_age` | `int` | How long (in seconds) the results of a preflight request can be cached. |
🚀 Examples
1. Simple API Setup
```yaml
config:
  allowed_origins: ["*"]
  allowed_methods: ["GET", "POST"]
```
2. Secure Web App Integration
```yaml
config:
  allowed_origins: ["https://app.myapp.com"]
  allowed_methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
  allowed_headers: ["Content-Type", "Authorization"]
  allow_credentials: true
```
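The checks below audit an `allowed_origins` / `allow_credentials` pair like the ones in the two examples above before it is deployed. This is an added example, not the plugin's own code: the `CORSConfig` struct and `Audit` function are hypothetical names, and the sample origins in `main` are constructed.

```go
package main

import (
	"fmt"
	"net/url"
)

// CORSConfig is a hypothetical struct holding two of the page's config fields.
type CORSConfig struct {
	AllowedOrigins   []string
	AllowCredentials bool
}

// Audit returns one finding per risky or ineffective allowed_origins entry.
func Audit(c CORSConfig) []string {
	var out []string
	add := func(origin, msg string) { out = append(out, origin+": "+msg) }
	for _, o := range c.AllowedOrigins {
		switch {
		case o == "*" && c.AllowCredentials:
			// Browsers refuse a literal "*" on credentialed requests.
			add(o, "wildcard combined with allow_credentials")
		case o == "*":
			add(o, "any site's scripts can read responses")
		case o == "null":
			// Sandboxed iframes and file:// pages all send "Origin: null".
			add(o, "null origin identifies no particular site")
		default:
			u, err := url.Parse(o)
			if err != nil || u.Scheme == "" || u.Host == "" {
				add(o, "not of the form scheme://host[:port]")
				continue
			}
			if u.Scheme != "https" {
				add(o, "non-HTTPS origin can be impersonated on the network")
			}
			if u.Path != "" || u.RawQuery != "" {
				add(o, "Origin headers carry no path, query or trailing slash")
			}
		}
	}
	return out
}

func main() {
	origins := []string{"*", "http://localhost:3000", "https://myapp.com/", "null"} // constructed
	for _, f := range Audit(CORSConfig{origins, true}) {
		fmt.Println(f)
	}
}
```

Run against the two examples above, it reports the wildcard for "Simple API Setup" and nothing for "Secure Web App Integration".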