Configuring CORS (Cross-Origin Resource Sharing) for Content Delivery microservices

By default, CORS (Cross-Origin Resource Sharing, also called Cross-Site Resource Sharing) is enabled for Content Delivery microservices, but with wide settings. If you explicitly set cors.enabled to false (or remove the property altogether), any CORS-related settings are ignored. You can also make the feature narrower by enabling CORS for specific URLs.

About this task

To configure CORS for a microservice, set a number of properties in its application.properties file.

Procedure

  1. To configure CORS for any Content Delivery microservice, configure the following environmental parameters:

    Constraints enabled
      Property name: cors.constraints.enabled
      Environment variable name: PREFIXcorsconstraintsenabled
      Default value: false
      Description: Set to true to enable and configure CORS. If this property is set to false, all other properties are ignored.

    Mappings
      Property name: cors.mappings
      Environment variable name: PREFIXcorsmappings
      Default value: /**
      Description: A path pattern that describes which requests should be protected. Refer to this external webpage for details.

    Methods
      Property name: cors.methods
      Environment variable name: PREFIXcorsmethods
      Default value: HEAD GET PUT PATCH DELETE POST
      Description: The HTTP methods (verbs) that you want to allow, separated by a space.

    Origins
      Property name: cors.origins
      Environment variable name: PREFIXcorsorigins
      Default value: http://localhost:8080/
      Description: A list of the origins (services) that communicate with this one, separated by a space.

    Headers
      Property name: cors.headers
      Environment variable name: PREFIXcorsheaders
      Default value: *
      Description: The HTTP headers that you want to allow, separated by a space. For example: Access-Control-Allow-Origin Content-Type

    Allow credentials
      Property name: cors.allowCredentials
      Environment variable name: PREFIXcorsallowcredentials
      Default value: (none)
      Description: Whether to allow credentials. Defaults to false if not specified.

    Exposed headers
      Property name: cors.exposedHeaders
      Environment variable name: PREFIXcorsexposedheaders
      Default value: * Authorization
      Description: The HTTP headers that are exposed to the calling application.

    Maximum age
      Property name: cors.maxAge
      Environment variable name: PREFIXcorsmaxage
      Default value: 1800000
      Description: The lifetime of authorization headers, in milliseconds. The default value amounts to 30 minutes.

    In the environment variable names, PREFIX is a prefix to identify this specific microservice, such as discovery for the Discovery Service, content for the Content Service, or deployer for the Content Deployer. The reason why every application.properties file has its own set of service-specific environment variable names is to allow you to run multiple services on the same machine and allow CORS only on some of those services.

  2. Run the microservice installation script.
  3. Verify that CORS is indeed working, in one of the following ways:

    Verifying CORS without Curl
    If you don't want to use Curl to verify your CORS configuration, run your web application on a different machine than the Content Service or Discovery Service, and try to make a connection to those services. Only a URL listed in cors.origins will be allowed. Any other URL will yield an error message like this one:

      Access to fetch at 'http://233.252.0.66:8081/cd/api' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

    Verifying CORS with Curl
    Run the following command:

      curl -H "Access-Control-Request-Method: POST" -H "Origin: http://localhost:8080" --head http://233.252.0.66:8081/content.svc -X OPTIONS --verbose -H "Access-Control-Request-Headers: X-Test-Header"

    The command has the following parameters:

      -H "Access-Control-Request-Method: POST"
        One of the methods that the cors.methods property specifies as allowed.
      -H "Origin: http://localhost:8080"
        The origin of the request, as listed in the cors.origins property; in this example, a website running on localhost:8080.
      --head http://233.252.0.66:8081/content.svc
        The server and service to query (in this example, the Content Service) with the Curl request from the origin http://localhost:8080.
      -X OPTIONS
        Makes the request a preflight request, which is what you need to test CORS.
      -H "Access-Control-Request-Headers: X-Test-Header"
        One of the headers that the cors.headers property specifies as allowed.
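As an added example, not part of this documentation or of the product's code, the following Python script models the checks that the properties in step 1 describe and replays the Curl preflight from step 3 against them offline, so you can see which origins, methods and request headers a given configuration admits before running the installation script. The property values are constructed from the documented defaults with constraints switched on, and the path /cd/api is taken from the browser error shown above. It assumes that cors.mappings uses Ant-style path patterns, that a path outside the mappings receives no CORS headers, and that a trailing slash in cors.origins is ignored when matching, since browsers never send one in the Origin header.

```python
import re

# Constructed for the example (not the product's own file): the documented defaults
# with cors.constraints.enabled switched on, as they would be read from application.properties.
SAMPLE_PROPS = {
    "cors.constraints.enabled": "true",
    "cors.mappings": "/**",
    "cors.methods": "HEAD GET PUT PATCH DELETE POST",
    "cors.origins": "http://localhost:8080/",
    "cors.headers": "*",
    "cors.exposedHeaders": "* Authorization",
    "cors.maxAge": "1800000",
}

def ant_pattern(pattern):
    """Translate an Ant-style path pattern (assumed for cors.mappings) into a regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):  # "/**" matches zero or more path segments
            out, i = out + "(/.*)?", i + 3
        elif pattern[i] == "*":  # "*" matches any characters within a single segment
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def evaluate_preflight(props, path, origin, method, request_headers=()):
    """Apply the documented checks to one preflight; returns (allowed, reason, response headers)."""
    if props.get("cors.constraints.enabled", "false").lower() != "true":
        return True, "constraints disabled: all other cors.* properties ignored", {}
    if not any(ant_pattern(p).match(path) for p in props.get("cors.mappings", "/**").split()):
        return False, "path not covered by cors.mappings", {}
    # Browsers send Origin without a trailing slash; the default cors.origins value carries one.
    origins = [o.rstrip("/") for o in props.get("cors.origins", "").split()]
    if "*" not in origins and origin.rstrip("/") not in origins:
        return False, "origin not listed in cors.origins", {}
    methods = props.get("cors.methods", "").upper().split()
    if method.upper() not in methods:
        return False, "method not listed in cors.methods", {}
    allowed = {h.lower() for h in props.get("cors.headers", "").split()}
    if "*" not in allowed and any(h.lower() not in allowed for h in request_headers):
        return False, "request header not listed in cors.headers", {}
    # Headers a passing preflight answers with, built from the remaining properties.
    headers = {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Methods": ", ".join(methods),
               "Access-Control-Allow-Headers": ", ".join(request_headers), "Access-Control-Max-Age": props.get("cors.maxAge", ""),
               "Access-Control-Expose-Headers": ", ".join(props.get("cors.exposedHeaders", "").split())}
    if props.get("cors.allowCredentials", "false").lower() == "true":
        headers["Access-Control-Allow-Credentials"] = "true"
    return True, "preflight passes", headers
```

Tightening cors.origins from the default to the real origins of your web applications, and cors.headers from * to the headers they actually send, is what turns the "wide settings" mentioned at the top of this page into a policy that rejects the localhost:3000 case from the browser error.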