3. Security and Validation

cors

Version

view snapshot (current)
Cross-Origin Resource Sharing (CORS) plugin that enables secure cross-origin HTTP requests.

This plugin handles CORS preflight requests (OPTIONS method) and sets appropriate CORS headers on responses. It validates incoming requests against the configured CORS policy to ensure compliance with the same-origin policy while allowing legitimate cross-origin access.

CORS Headers Handled

  • Request Headers: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
  • Response Headers: Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Expose-Headers, Access-Control-Allow-Credentials, Access-Control-Max-Age

Safe Headers

The following headers are considered safe and don't require explicit configuration:

  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type (with certain MIME type restrictions)

Security Considerations

  • When credentials="true", wildcard origins (*) are forbidden for security reasons
  • Always specify explicit origins in production when possible

Standards Compliance

This implementation follows the Fetch Living Standard by WHATWG.

see: CORS Guide for API Developers

see: MDN CORS Documentation

# Basic Configuration (Allow all origins)
 - cors: {}
 # Restrictive Configuration
 - cors:
     origins: https://example.com https://app.example.com
     methods: GET, POST, PUT
     headers: Authorization, X-Custom-Header
     credentials: true
     maxAge: 3600
 # Permissive Configuration
 - cors:
     allowAll: true
# Basic Configuration (Allow all origins)
 - cors: {}
 # Restrictive Configuration
 - cors:
     origins: https://example.com https://app.example.com
     methods: GET, POST, PUT
     headers: Authorization, X-Custom-Header
     credentials: true
     maxAge: 3600
 # Permissive Configuration
 - cors:
     allowAll: true

Syntax

cors:
  allowAll: <boolean>
  credentials: <boolean>
  exposeHeaders: <string>
  headers: <string>
  maxAge: <number>
  methods: <string>
  origins: <string>
cors:
  allowAll: <boolean>
  credentials: <boolean>
  exposeHeaders: <string>
  headers: <string>
  maxAge: <number>
  methods: <string>
  origins: <string>

Attributes

NameRequiredDefaultDescriptionExamples
allowAllfalsefalseEnables or disables the "allow all" mode for maximum permissiveness.

When enabled, all origins, methods, and headers are allowed without any validation. This bypasses all CORS security checks and should only be used in development environments.

Security Warning: This option is not compatible with credentials=true and should never be used in production environments.

credentialsfalsefalseConfigures whether credentials should be included in CORS requests.

When enabled, browsers will include cookies, authorization headers, and client certificates in cross-origin requests. This also requires the client to set withCredentials: true in their request configuration.

Security Restriction: Cannot be used with wildcard origins (*) due to security risks.

true
exposeHeadersfalse"" (expose no additional headers)Configures response headers that should be exposed to client-side JavaScript.

By default, only safe response headers are exposed to JavaScript. Use this setting to expose additional custom headers that your client-side code needs to access.

Header names are case-insensitive and will be normalized to lowercase internally.

X-Total-Count,X-Custom-Info
headersfalse"" (no additional headers beyond safe headers)Configures additional request headers allowed in CORS requests.

Safe headers (Accept, Accept-Language, Content-Language, Content-Type) are always allowed and don't need to be specified. Only non-safe headers need to be explicitly configured.

Header names are case-insensitive and will be normalized to lowercase internally.

Authorization,X-Custom-Header,X-Requested-With
maxAgefalse5 secondsConfigures the maximum age for caching preflight responses.

This value tells browsers how long they can cache the result of a preflight request before making another preflight request for the same resource.

Setting this to a higher value reduces the number of preflight requests but may delay the effect of CORS configuration changes.

3600
methodsfalse"*" (allow all methods)Configures the HTTP methods allowed for CORS requests.

Specify methods as a comma or space-separated list. Use '*' to allow all methods. Common methods include GET, POST, PUT, DELETE, PATCH.

originsfalse"*" (allow all origins)Configures the list of allowed origins for CORS requests.

Origins must be specified as complete URLs including protocol (http/https). Use '*' to allow all origins, or 'null' to allow requests with no origin header (from file).

Throws: ConfigurationException if an origin URL is malformed

Can be used in

abort api case chain components for global if interceptor internal otherwise proxy registration request response serviceProxy soapProxy stompProxy time transport wsStompReassembler