Security Features
Cross-Origin Resource Sharing (CORS)
CORS (Cross-Origin Resource Sharing) is a security feature that controls how web pages from one domain (origin) can make requests to resources hosted on a different domain. With Tyk Gateway, it is possible to enable and configure CORS per-API so that users can make browser-based requests.
The CORS section is added to an API definition as listed in the examples below for Tyk Gateway and Tyk Operator.
Examples
```json
"CORS": {
  "enable": true,
  "allowed_origins": [
    "http://foo.com"
  ],
  "allowed_methods": [],
  "allowed_headers": [],
  "exposed_headers": [],
  "allow_credentials": false,
  "max_age": 24,
  "options_passthrough": false,
  "debug": false
}
```
Configuration
The CORS middleware has the following options:
- `CORS.allowed_origins`: A list of origin domains to allow access from. Wildcards are also supported, e.g. `http://*.foo.com`. Default value is `["*"]`.
- `CORS.allowed_methods`: A list of methods to allow access via. Default value is `["GET", "POST", "HEAD"]`.
- `CORS.allowed_headers`: A list of headers that are allowed within a request. Default value is `["Origin", "Accept", "Content-Type", "X-Requested-With"]`.
- `CORS.exposed_headers`: A list of headers that are exposed back in the response.
- `CORS.allow_credentials`: Whether credentials (cookies) should be allowed.
- `CORS.max_age`: Maximum age of credentials.
- `CORS.options_passthrough`: Allows CORS OPTIONS preflight requests to be proxied directly to the upstream, without authentication and the rest of the checks. This means that preflight requests generated by web clients such as SwaggerUI or the Tyk Portal documentation system will be able to test the API using trial keys. If your service handles CORS natively, then enable this option.
- `CORS.debug`: If set to `true`, this option produces log files for the CORS middleware.
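To make the configuration block and the option list above concrete, here is an added Go example (not Tyk's own code) that decodes a `CORS` object from an API definition, applies the default values listed above, decides whether a request `Origin` is allowed, builds the response headers a CORS middleware would emit for a simple or preflight request, and lints the result for settings a reviewer should question before deployment. The sample JSON is constructed for this example (the page's example plus a wildcard pattern and an exposed header); the wildcard-matching rule, the header-building logic, the `Lint` checks and all function names are assumptions of this example, not a description of Tyk's internals.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// CORSConfig mirrors the "CORS" object of a Tyk API definition (field names
// as documented on this page).
type CORSConfig struct {
	Enable             bool     `json:"enable"`
	AllowedOrigins     []string `json:"allowed_origins"`
	AllowedMethods     []string `json:"allowed_methods"`
	AllowedHeaders     []string `json:"allowed_headers"`
	ExposedHeaders     []string `json:"exposed_headers"`
	AllowCredentials   bool     `json:"allow_credentials"`
	MaxAge             int      `json:"max_age"`
	OptionsPassthrough bool     `json:"options_passthrough"`
	Debug              bool     `json:"debug"`
}

// SampleAPIDef is a constructed sample: the page's example with a wildcard
// origin pattern and an exposed header added for illustration.
const SampleAPIDef = `{"CORS": {"enable": true,
  "allowed_origins": ["http://foo.com", "http://*.foo.com"],
  "allowed_methods": [], "allowed_headers": [], "exposed_headers": ["X-Request-Id"],
  "allow_credentials": false, "max_age": 24, "options_passthrough": false, "debug": false}}`

// ParseCORS decodes the CORS block and applies the defaults the page lists
// for empty allowed_origins, allowed_methods and allowed_headers.
func ParseCORS(raw string) (CORSConfig, error) {
	var def struct {
		CORS CORSConfig `json:"CORS"`
	}
	if err := json.Unmarshal([]byte(raw), &def); err != nil {
		return CORSConfig{}, err
	}
	c := def.CORS
	if len(c.AllowedOrigins) == 0 {
		c.AllowedOrigins = []string{"*"}
	}
	if len(c.AllowedMethods) == 0 {
		c.AllowedMethods = []string{"GET", "POST", "HEAD"}
	}
	if len(c.AllowedHeaders) == 0 {
		c.AllowedHeaders = []string{"Origin", "Accept", "Content-Type", "X-Requested-With"}
	}
	return c, nil
}

// OriginAllowed matches an Origin header against allowed_origins: a bare "*"
// matches everything; a single "*" inside a pattern (e.g. http://*.foo.com)
// matches any run of characters in that position (assumed matching rule).
func OriginAllowed(c CORSConfig, origin string) bool {
	for _, pat := range c.AllowedOrigins {
		if pat == "*" || pat == origin {
			return true
		}
		if i := strings.Index(pat, "*"); i >= 0 {
			prefix, suffix := pat[:i], pat[i+1:]
			if len(origin) >= len(prefix)+len(suffix) &&
				strings.HasPrefix(origin, prefix) && strings.HasSuffix(origin, suffix) {
				return true
			}
		}
	}
	return false
}

// ResponseHeaders builds the CORS response headers for a request from origin;
// preflight selects the OPTIONS-preflight header set. It returns nil when the
// middleware is disabled or the origin is not allowed (no CORS headers added).
func ResponseHeaders(c CORSConfig, origin string, preflight bool) map[string]string {
	if !c.Enable || !OriginAllowed(c, origin) {
		return nil
	}
	h := map[string]string{}
	// Browsers reject "*" on credentialed responses, so echo the concrete
	// origin whenever credentials are allowed or the list is not the bare "*".
	if c.AllowCredentials || !(len(c.AllowedOrigins) == 1 && c.AllowedOrigins[0] == "*") {
		h["Access-Control-Allow-Origin"] = origin
	} else {
		h["Access-Control-Allow-Origin"] = "*"
	}
	if c.AllowCredentials {
		h["Access-Control-Allow-Credentials"] = "true"
	}
	if preflight {
		h["Access-Control-Allow-Methods"] = strings.Join(c.AllowedMethods, ", ")
		h["Access-Control-Allow-Headers"] = strings.Join(c.AllowedHeaders, ", ")
		h["Access-Control-Max-Age"] = strconv.Itoa(c.MaxAge)
	} else if len(c.ExposedHeaders) > 0 {
		h["Access-Control-Expose-Headers"] = strings.Join(c.ExposedHeaders, ", ")
	}
	return h
}

// Lint flags settings a reviewer would question: the default "*" origin list,
// and credentials combined with it (every site could then read responses).
func Lint(c CORSConfig) []string {
	var findings []string
	for _, o := range c.AllowedOrigins {
		if o != "*" {
			continue
		}
		if c.AllowCredentials {
			findings = append(findings, "allow_credentials is true while allowed_origins contains \"*\"")
		}
		findings = append(findings, "allowed_origins contains \"*\" (the default); restrict it to the origins that need access")
	}
	return findings
}

func main() {
	c, err := ParseCORS(SampleAPIDef)
	if err != nil {
		panic(err)
	}
	fmt.Println(ResponseHeaders(c, "http://api.foo.com", true), Lint(c))
}
```

Running `main` prints the preflight headers for `http://api.foo.com` (allowed via the `http://*.foo.com` pattern) and an empty findings list; parsing a definition that omits `allowed_origins` falls back to the documented `["*"]` default and is reported by `Lint`.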