Security Features

Cross-Origin Resource Sharing (CORS)

CORS (Cross-Origin Resource Sharing) is a security feature that controls how web pages from one domain (origin) can make requests to resources hosted on a different domain. With Tyk Gateway, it is possible to enable and configure CORS per-API so that users can make browser-based requests.

The CORS section is added to the API definition as shown in the examples below, first as Tyk Gateway JSON and then as a Tyk Operator ApiDefinition.

Examples

"CORS": {
  "enable": true,
  "allowed_origins": [
    "http://foo.com"
  ],
  "allowed_methods": [],
  "allowed_headers": [],
  "exposed_headers": [],
  "allow_credentials": false,
  "max_age": 24,
  "options_passthrough": false,
  "debug": false
}

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: httpbin-cors-sample
spec:
  name: httpbin-cors-sample
  use_keyless: true
  protocol: http
  active: true
  proxy:
    target_url: http://httpbin.org
    listen_path: /cors
    strip_listen_path: true
  CORS:
    enable: true
    allowed_origins:
      - "http://foo.com"
    allowed_methods: null
    allowed_headers: null
    exposed_headers: null
    allow_credentials: false
    max_age: 24
    options_passthrough: false
    debug: false


Configuration

The CORS middleware has the following options:

  • CORS.allowed_origins: A list of origin domains to allow access from. Wildcards are also supported, e.g. http://*.foo.com. Default value is ["*"].

  • CORS.allowed_methods: A list of methods to allow access via. Default value is ["GET", "POST", "HEAD"].

  • CORS.allowed_headers: A list of headers that are allowed within a request. Default value is ["Origin", "Accept", "Content-Type", "X-Requested-With"].

  • CORS.exposed_headers: A list of headers that are exposed back in the response.

  • CORS.allow_credentials: Whether credentials (cookies) should be allowed.

  • CORS.max_age: Maximum age of credentials.

  • CORS.options_passthrough: Allows the CORS OPTIONS preflight request to be proxied directly to the upstream, without authentication or the rest of the checks. This means that preflight requests generated by web clients such as SwaggerUI or the Tyk Portal documentation system will be able to test the API using trial keys. If your service handles CORS natively, enable this option.

  • CORS.debug: If set to true, this option produces log files for the CORS middleware.
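To make the effect of these options concrete, the following Go program is an added example (not Tyk's own middleware code) that evaluates a request against a CORS block with the same fields and the defaults listed above, and reports which CORS response headers would be emitted. The CORSConfig struct, the Evaluate function and the wildcard matching rule (a single * spanning any number of host labels) are this example's own assumptions modelled on standard browser CORS semantics; it also shows why allow_credentials forces the exact origin to be echoed rather than "*", and why a preflight for a method or header outside the allowed lists is refused.

```go
package main

import (
	"fmt"
	"strings"
)

// CORSConfig mirrors the keys of the "CORS" block of a Tyk API definition.
// It is a struct written for this example, not Tyk's own type.
type CORSConfig struct {
	Enable             bool
	AllowedOrigins     []string
	AllowedMethods     []string
	AllowedHeaders     []string
	ExposedHeaders     []string
	AllowCredentials   bool
	MaxAge             int
	OptionsPassthrough bool
}

// withDefaults fills empty lists with the defaults the documentation lists.
func (c CORSConfig) withDefaults() CORSConfig {
	if len(c.AllowedOrigins) == 0 {
		c.AllowedOrigins = []string{"*"}
	}
	if len(c.AllowedMethods) == 0 {
		c.AllowedMethods = []string{"GET", "POST", "HEAD"}
	}
	if len(c.AllowedHeaders) == 0 {
		c.AllowedHeaders = []string{"Origin", "Accept", "Content-Type", "X-Requested-With"}
	}
	return c
}

// originAllowed matches origin against the allowed list. A pattern may be
// "*" (any origin) or contain one "*" wildcard such as "http://*.foo.com".
// Assumption for this example: the wildcard spans any number of host labels,
// so "http://*.foo.com" admits "http://a.b.foo.com" but not "http://foo.com.evil.example".
func originAllowed(patterns []string, origin string) bool {
	for _, p := range patterns {
		if p == "*" {
			return true
		}
		if i := strings.Index(p, "*"); i >= 0 {
			prefix, suffix := p[:i], p[i+1:]
			if len(origin) >= len(prefix)+len(suffix) &&
				strings.HasPrefix(origin, prefix) && strings.HasSuffix(origin, suffix) {
				return true
			}
			continue
		}
		if strings.EqualFold(p, origin) {
			return true
		}
	}
	return false
}

func listHas(list []string, v string) bool {
	for _, x := range list {
		if strings.EqualFold(x, v) {
			return true
		}
	}
	return false
}

// Decision holds the CORS headers the middleware would add to the response.
type Decision struct {
	Allowed bool
	Headers map[string]string
}

// Evaluate computes the CORS response for a request with the given method and
// Origin. For a preflight (OPTIONS carrying Access-Control-Request-Method),
// reqMethod and reqHeaders hold the method and headers the browser asks for.
func Evaluate(cfg CORSConfig, method, origin, reqMethod string, reqHeaders []string) Decision {
	d := Decision{Headers: map[string]string{}}
	if !cfg.Enable || origin == "" {
		return d // middleware disabled or not a cross-origin request: nothing added
	}
	cfg = cfg.withDefaults()
	if !originAllowed(cfg.AllowedOrigins, origin) {
		return d // no CORS headers at all: the browser blocks the response
	}
	// With credentials the exact origin must be echoed: browsers reject "*".
	if cfg.AllowCredentials {
		d.Headers["Access-Control-Allow-Origin"] = origin
		d.Headers["Access-Control-Allow-Credentials"] = "true"
	} else if listHas(cfg.AllowedOrigins, "*") {
		d.Headers["Access-Control-Allow-Origin"] = "*"
	} else {
		d.Headers["Access-Control-Allow-Origin"] = origin
	}
	d.Headers["Vary"] = "Origin" // the answer depends on Origin, so caches must key on it

	if method == "OPTIONS" && reqMethod != "" {
		// Preflight: the requested method and every requested header must be allowed.
		if !listHas(cfg.AllowedMethods, reqMethod) {
			return Decision{Headers: map[string]string{}}
		}
		for _, h := range reqHeaders {
			if !listHas(cfg.AllowedHeaders, h) {
				return Decision{Headers: map[string]string{}}
			}
		}
		d.Headers["Access-Control-Allow-Methods"] = strings.Join(cfg.AllowedMethods, ", ")
		d.Headers["Access-Control-Allow-Headers"] = strings.Join(cfg.AllowedHeaders, ", ")
		if cfg.MaxAge > 0 {
			// Access-Control-Max-Age is how long (in seconds) the browser may cache this preflight result.
			d.Headers["Access-Control-Max-Age"] = fmt.Sprint(cfg.MaxAge)
		}
		d.Allowed = true
		return d
	}
	// Actual request: expose any extra response headers the client may read.
	if len(cfg.ExposedHeaders) > 0 {
		d.Headers["Access-Control-Expose-Headers"] = strings.Join(cfg.ExposedHeaders, ", ")
	}
	d.Allowed = true
	return d
}

func main() {
	// Same settings as the documentation's example: only http://foo.com is allowed.
	cfg := CORSConfig{Enable: true, AllowedOrigins: []string{"http://foo.com"}, MaxAge: 24}
	for _, origin := range []string{"http://foo.com", "http://other.example"} {
		d := Evaluate(cfg, "OPTIONS", origin, "POST", []string{"Content-Type"})
		fmt.Printf("%s -> allowed=%v %v\n", origin, d.Allowed, d.Headers)
	}
}
```

Running it with the documentation's configuration shows a preflight from http://foo.com answered with Allow-Origin, Allow-Methods, Allow-Headers and Max-Age, while any other origin receives no CORS headers, which is what causes the browser to block the cross-origin call. Note that options_passthrough is not modelled here: with that flag set the gateway forwards the OPTIONS request to the upstream instead of answering it, so the decision above is made by your service rather than by the middleware.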