> ## Documentation Index
> Fetch the complete documentation index at: https://tyk.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Features

> Guide on API management and security best practices, including authentication, authorization, resource protection, governance, and OWASP threat mitigation with Tyk.

## Cross-Origin Resource Sharing (CORS)

CORS (Cross-Origin Resource Sharing) is a browser-enforced mechanism that relaxes the same-origin policy: it lets a web page served from one origin (scheme, host and port) read responses from an API on a different origin, but only when that API says so in its response headers. Tyk Gateway can add those headers per API, so browser-based clients hosted elsewhere can call it. CORS is not an access control in its own right: it governs only what a browser lets a page read, and it does nothing against non-browser clients, so it complements rather than replaces authentication and authorization.

The `CORS` section is added to an API definition as listed in the examples below for Tyk Gateway and Tyk Operator.

### Examples

<Tabs>
  <Tab title="Tyk Classic API Definition">
    ```json theme={null}
    "CORS": {
      "enable": true,
      "allowed_origins": [
        "http://foo.com"
      ],
      "allowed_methods": [],
      "allowed_headers": [],
      "exposed_headers": [],
      "allow_credentials": false,
      "max_age": 24,
      "options_passthrough": false,
      "debug": false
    }
    ```
  </Tab>

  <Tab title="Tyk Operator API Definition">
    ```yaml {linenos=true, linenostart=1, hl_lines=["14-24"]} theme={null}
    apiVersion: tyk.tyk.io/v1alpha1
    kind: ApiDefinition
    metadata:
      name: httpbin-cors-sample
    spec:
      name: httpbin-cors-sample
      use_keyless: true
      protocol: http
      active: true
      proxy:
        target_url: http://httpbin.org
        listen_path: /cors
        strip_listen_path: true
      CORS:
        enable: true
        allowed_origins:
          - "http://foo.com"
        allowed_methods: null
        allowed_headers: null
        exposed_headers: null
        allow_credentials: false
        max_age: 24
        options_passthrough: false
        debug: false
    ```
  </Tab>
</Tabs>

***

### Configuration

The CORS middleware has the following options:

* `CORS.allowed_origins`: A list of origins (scheme plus host, e.g. `http://foo.com`) allowed to access the API. Wildcards are also supported, e.g. `http://*.foo.com`. Default value is `["*"]`, which allows any origin; set an explicit list for anything that is not public, read-only data.

* `CORS.allowed_methods`: A list of methods to allow access via. Default value is `["GET", "POST", "HEAD"]`

* `CORS.allowed_headers`: A list of headers that are allowed within a request. Default value is `["Origin", "Accept", "Content-Type", "X-Requested-With"]`

* `CORS.exposed_headers`: A list of response headers that browser-side code on another origin is permitted to read (sent as `Access-Control-Expose-Headers`). Without it, scripts see only the CORS-safelisted response headers.

* `CORS.allow_credentials`: Whether the browser may send credentials (cookies, HTTP authentication and TLS client certificates) with cross-origin requests (sent as `Access-Control-Allow-Credentials: true`). Browsers reject a credentialed response whose `Access-Control-Allow-Origin` is `*`, so combine this with an explicit `allowed_origins` list, and keep it off unless the API really depends on cookie-based sessions.

* `CORS.max_age`: How long, in seconds, the browser may cache the result of a preflight request (sent as `Access-Control-Max-Age`). It has nothing to do with the lifetime of credentials.

* `CORS.options_passthrough`: Proxy CORS `OPTIONS` preflight requests straight to the upstream, bypassing authentication and the rest of Tyk's checks. Browsers send preflights without credentials, so without this option a protected API would reject them and web clients such as SwaggerUI or the Tyk Portal documentation system could not try the API out with trial keys. Enable it if your upstream service handles CORS itself, bearing in mind that the upstream then receives unauthenticated `OPTIONS` requests and must not do any sensitive work in response to them.

* `CORS.debug`: If set to `true`, the CORS middleware emits debug logging. Leave it off in production.
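The options above are easier to reason about when you can see which response headers a given block produces for a given preflight, and which combinations are risky. The following Python model is added here as an example; it is not Tyk's own code and makes no claim about Tyk internals. It uses the field names and documented defaults from this page, and it assumes a single `*` in an origin pattern is matched as a prefix/suffix wildcard (so `http://*.foo.com` matches `http://api.foo.com`). `PAGE_EXAMPLE` is the Tyk Classic block shown earlier on this page.

```python
"""Model of the Tyk CORS options on this page: preflight headers plus a linter.

Added example, not Tyk's implementation. Field names follow the Tyk Classic API
definition; the wildcard matcher (one '*' = prefix/suffix match) is an assumption.
"""

DEFAULT_ALLOWED_ORIGINS = ["*"]
DEFAULT_ALLOWED_METHODS = ["GET", "POST", "HEAD"]
DEFAULT_ALLOWED_HEADERS = ["Origin", "Accept", "Content-Type", "X-Requested-With"]

# The CORS block from the Tyk Classic example on this page.
PAGE_EXAMPLE = {
    "enable": True, "allowed_origins": ["http://foo.com"], "allowed_methods": [],
    "allowed_headers": [], "exposed_headers": [], "allow_credentials": False,
    "max_age": 24, "options_passthrough": False, "debug": False,
}


def with_defaults(cors):
    """Apply the documented defaults to empty or null list options."""
    return {
        "enable": bool(cors.get("enable", False)),
        "allowed_origins": list(cors.get("allowed_origins") or DEFAULT_ALLOWED_ORIGINS),
        "allowed_methods": list(cors.get("allowed_methods") or DEFAULT_ALLOWED_METHODS),
        "allowed_headers": list(cors.get("allowed_headers") or DEFAULT_ALLOWED_HEADERS),
        "allow_credentials": bool(cors.get("allow_credentials", False)),
        "max_age": int(cors.get("max_age") or 0),
        "options_passthrough": bool(cors.get("options_passthrough", False)),
    }


def origin_matches(origin, pattern):
    """One allow-list entry against an Origin value (assumed: one '*' = prefix/suffix)."""
    origin, pattern = origin.lower(), pattern.lower()
    if pattern == "*":
        return True
    if "*" not in pattern:
        return origin == pattern
    prefix, suffix = pattern.split("*", 1)
    return (len(origin) >= len(prefix) + len(suffix)
            and origin.startswith(prefix) and origin.endswith(suffix))


def preflight(cors, origin, request_method, request_headers=()):
    """Headers for an OPTIONS preflight, or None when the middleware refuses it.

    request_headers are the names from Access-Control-Request-Headers.
    """
    c = with_defaults(cors)
    if not c["enable"] or not any(origin_matches(origin, p) for p in c["allowed_origins"]):
        return None
    if request_method.upper() not in {m.upper() for m in c["allowed_methods"]}:
        return None
    allowed = {h.lower() for h in c["allowed_headers"]}
    if "*" not in allowed and any(h.lower() not in allowed for h in request_headers):
        return None
    headers = {
        # A bare "*" allow-list answers with "*"; browsers refuse that on
        # credentialed requests, which lint_cors() flags.
        "Access-Control-Allow-Origin": "*" if "*" in c["allowed_origins"] else origin,
        "Access-Control-Allow-Methods": request_method.upper(),
        "Vary": "Origin",
    }
    if request_headers:
        headers["Access-Control-Allow-Headers"] = ", ".join(request_headers)
    if c["allow_credentials"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    if c["max_age"] > 0:  # preflight cache lifetime in seconds, not a credential lifetime
        headers["Access-Control-Max-Age"] = str(c["max_age"])
    return headers


def lint_cors(cors):
    """Findings for the option combinations that commonly go wrong."""
    c = with_defaults(cors)
    findings = []
    if not c["enable"]:
        return findings
    if "*" in c["allowed_origins"]:
        findings.append("allowed_origins '*' (the default): every website may read responses")
        if c["allow_credentials"]:
            findings.append("allow_credentials with '*': browsers reject "
                            "'Access-Control-Allow-Origin: *' on credentialed requests")
    for p in c["allowed_origins"]:
        if p == "*":
            continue
        if p == "null":
            findings.append("'null' origin: sandboxed iframes and data: URLs send Origin: null")
        if p.startswith("http://"):
            findings.append(f"{p}: plaintext origin, satisfiable by a network attacker; prefer https://")
        if "*" in p:
            if not p.split("*", 1)[1].startswith("."):
                findings.append(f"{p}: wildcard not followed by '.', so it also matches unrelated hosts")
            if c["allow_credentials"]:
                findings.append(f"{p}: credentialed access for every matching subdomain; "
                                "a dangling one can act as the user")
    if c["options_passthrough"]:
        findings.append("options_passthrough: OPTIONS reaches the upstream unauthenticated")
    return findings


if __name__ == "__main__":
    print(preflight(PAGE_EXAMPLE, "http://foo.com", "GET"))
    for finding in lint_cors(PAGE_EXAMPLE):
        print("finding:", finding)
```

Run against the page's own example, the model answers a `GET` preflight from `http://foo.com` with `Access-Control-Allow-Origin: http://foo.com` and `Access-Control-Max-Age: 24`, refuses `DELETE` (the default method list is `GET`, `POST`, `HEAD`) and refuses a request that wants to send `Authorization` (not in the default header list), and the linter's only complaint is the plaintext `http://` origin. Feeding it a block that leaves `allowed_origins` at its default while turning on `allow_credentials` shows the combination browsers reject.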
