3. Security and Validation

cors

Cross-Origin Resource Sharing (CORS) plugin that enables secure cross-origin HTTP requests.

This plugin handles CORS preflight requests (OPTIONS method) and sets appropriate CORS headers on responses. It validates incoming requests against the configured CORS policy to ensure compliance with the same-origin policy while allowing legitimate cross-origin access.

CORS Headers Handled

Safe Headers

The following headers are considered safe and don't require explicit configuration:

Configuration Examples

Basic Configuration (Allow all origins):

{@code
 <cors />
 }

Restrictive Configuration:

{@code
 <cors
   origins="https://example.com https://app.example.com"
   methods="GET,POST,PUT"
   headers="Authorization,X-Custom-Header"
   credentials="true"
   maxAge="3600" />
 }

Permissive Configuration:

{@code
 <cors allowAll="true" />
 }

Security Considerations

Standards Compliance

This implementation follows the Fetch Living Standard by WHATWG.


Can be used in:

serviceProxy, api, global, chainDef, for, stompProxy, if, registration, wsStompReassembler, internal, interceptor, chain, bean, transport and soapProxy

Attributes

NameRequiredDefaultDescriptionExample
headers false "" (no additional headers beyond safe headers)
 Configures additional request headers allowed in CORS requests.

Safe headers (Accept, Accept-Language, Content-Language, Content-Type) are always allowed and don't need to be specified. Only non-safe headers need to be explicitly configured.

Header names are case-insensitive and will be normalized to lowercase internally.


 
{@code
 
 }
exposeHeaders false "" (expose no additional headers)
 Configures response headers that should be exposed to client-side JavaScript.

By default, only safe response headers are exposed to JavaScript. Use this setting to expose additional custom headers that your client-side code needs to access.

Header names are case-insensitive and will be normalized to lowercase internally.


 
{@code
 
 }
credentials false false
 Configures whether credentials should be included in CORS requests.

When enabled, browsers will include cookies, authorization headers, and client certificates in cross-origin requests. This also requires the client to set {@code withCredentials: true} in their request configuration.

Security Restriction: Cannot be used with wildcard origins (*) due to security risks.


 
{@code
 
 }
maxAge false 5 seconds
 Configures the maximum age for caching preflight responses.

This value tells browsers how long they can cache the result of a preflight request before making another preflight request for the same resource.

Setting this to a higher value reduces the number of preflight requests but may delay the effect of CORS configuration changes.


 
{@code
 
 }
methods false "*" (allow all methods)
 Configures the HTTP methods allowed for CORS requests.

Specify methods as a comma or space-separated list. Use '*' to allow all methods. Common methods include GET, POST, PUT, DELETE, PATCH.


 
{@code
 
 }
allowAll false false
 Enables or disables the "allow all" mode for maximum permissiveness.

When enabled, all origins, methods, and headers are allowed without any validation. This bypasses all CORS security checks and should only be used in development environments.

Security Warning: This option is not compatible with credentials=true and should never be used in production environments.


 
{@code
 
 }
origins false "*" (allow all origins)
 Configures the list of allowed origins for CORS requests.

Origins must be specified as complete URLs including protocol (http/https). Use '*' to allow all origins, or 'null' to allow requests with no origin header (from file).


 
{@code
 
 }