Configuring CORS (Cross-Origin Resource Sharing) for Content Delivery microservices
By default, CORS (Cross-Origin Resource Sharing) is enabled for Content Delivery microservices, but with wide settings. You narrow it by setting cors.constraints.enabled to true and then listing the origins, methods and headers that are allowed. If you explicitly set cors.constraints.enabled to false (or remove the property altogether), all other CORS-related settings are ignored. You can also narrow the feature further by restricting the constraints to specific URL patterns (cors.mappings).
About this task
To configure CORS for a microservice, set a number of properties in its application.properties file (or set the equivalent environment variables).
Procedure
- To configure CORS for any Content Delivery microservice, set the following properties (each one has an equivalent environment variable; see the note on PREFIX below):
  - Constraints enabled
    - Property name: cors.constraints.enabled
    - Environment variable name: PREFIXcorsconstraintsenabled
    - Default value: false
    - Description: Set to true to enable and configure CORS constraints. If this property is set to false, all other cors.* properties are ignored.
  - Mappings
    - Property name: cors.mappings
    - Environment variable name: PREFIXcorsmappings
    - Default value: /**
    - Description: A path pattern that describes which request paths the CORS constraints apply to. The default covers every path; a narrower pattern such as /cd/api/** limits the constraints to that part of the service.
  - Methods
    - Property name: cors.methods
    - Environment variable name: PREFIXcorsmethods
    - Default value: HEAD GET PUT PATCH DELETE POST
    - Description: The HTTP methods (verbs) that you want to allow, separated by a space. Remove any method the calling web application does not need (for example PUT, PATCH and DELETE for a site that only reads content).
  - Origins
    - Property name: cors.origins
    - Environment variable name: PREFIXcorsorigins
    - Default value: http://localhost:8080/
    - Description: A space-separated list of the origins (scheme, host and port) of the web applications whose browser-side code is allowed to call this service. The value is compared with the Origin header that the browser sends, so list the sites that host your front end.
  - Headers
    - Property name: cors.headers
    - Environment variable name: PREFIXcorsheaders
    - Default value: *
    - Description: The request headers that the web application is allowed to send, separated by a space. For example, Content-Type Authorization X-Test-Header. The default * allows any header.
  - Allow credentials
    - Property name: cors.allowCredentials
    - Environment variable name: PREFIXcorsallowcredentials
    - Default value: (none)
    - Description: Whether the browser may include cookies or HTTP authentication in cross-origin requests. Defaults to false if not specified. When set to true, cors.origins must list explicit origins: browsers reject a wildcard Access-Control-Allow-Origin on credentialed requests, and a * in cors.headers or cors.exposedHeaders is then treated as a literal header name rather than as a wildcard.
  - Exposed headers
    - Property name: cors.exposedHeaders
    - Environment variable name: PREFIXcorsexposedheaders
    - Default value: * Authorization
    - Description: The response headers that the browser makes readable to the web application, separated by a space.
  - Maximum age
    - Property name: cors.maxAge
    - Environment variable name: PREFIXcorsmaxage
    - Default value: 1800000
    - Description: How long, in milliseconds, the browser may cache the result of a preflight request before it has to repeat it. The default value amounts to 30 minutes.

  In the environment variable names, PREFIX is a prefix that identifies the specific microservice, such as discovery for the Discovery Service, content for the Content Service, or deployer for the Content Deployer. Every application.properties file has its own set of service-specific environment variable names so that you can run multiple services on the same machine and enable CORS constraints on only some of them.
- Run the microservice installation script.
- Verify that CORS is indeed working, in one of the following ways:
  - Verifying CORS without Curl
    If you don't want to use Curl to verify your CORS configuration, run your web application on a different machine than the Content Service or Discovery Service, and try to make a connection to those services from the browser. Only a request from an origin listed in cors.origins will be allowed. Any other origin will yield an error message like this one in the browser console:
    Access to fetch at 'http://233.252.0.66:8081/cd/api' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
    Note that CORS only governs what a browser lets scripts from another origin do with the response; it does not stop a non-browser client such as Curl from calling the service, so it is not a substitute for authentication on the service itself.
  - Verifying CORS with Curl
    Run the following command:
    curl -H "Access-Control-Request-Method: POST" -H "Origin: http://localhost:8080" --head http://233.252.0.66:8081/content.svc -X OPTIONS --verbose -H "Access-Control-Request-Headers: X-Test-Header"
    which has the following parameters:
    - -H "Access-Control-Request-Method: POST": one of the methods allowed by the cors.methods property.
    - -H "Origin: http://localhost:8080": the origin of the request, which must be listed in the cors.origins property; in this example a website running on localhost:8080.
    - --head http://233.252.0.66:8081/content.svc: the server and service that we'd like to query (in this example, the Content Service) from the origin http://localhost:8080.
    - -X OPTIONS: makes Curl send a preflight request, as needed to test CORS.
    - -H "Access-Control-Request-Headers: X-Test-Header": one of the headers allowed by the cors.headers property.
    A successful preflight answers with an Access-Control-Allow-Origin: http://localhost:8080 response header (normally together with Access-Control-Allow-Methods and Access-Control-Allow-Headers), which --verbose prints; a refused preflight returns no Access-Control-Allow-Origin header at all, which is exactly what the browser error above reports. Repeat the command with an Origin value that is not listed in cors.origins, or with a method that is not in cors.methods, to confirm that the service refuses it.
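The property list above and the two verification steps describe the same decision: given the cors.* values, does a preflight from a given origin, method and header set get an Access-Control-Allow-Origin header back? The following reference model, added here as an example and not code from the product, makes that decision explicit. It reads a constructed application.properties fragment (the documented defaults, narrowed to one real site and one localhost origin), applies the CORS rules from the Fetch standard, and flags the wildcard-plus-credentials combinations a browser will not honour. The Ant-style handling of cors.mappings and the trailing-slash normalisation of origins are assumptions about how the service matches values, and the millisecond-to-second conversion reflects only that the Access-Control-Max-Age header is defined in seconds.

```python
"""Reference model of how the cors.* properties decide a browser preflight.
Added example, not the product's own code: property names are the ones on
this page; the decision rules are those of the Fetch standard."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed application.properties fragment (not from the page): the
# documented defaults, narrowed to one real site origin plus credentials.
SAMPLE_PROPERTIES = """\
cors.constraints.enabled=true
cors.mappings=/**
cors.methods=HEAD GET POST
cors.origins=https://www.example.com http://localhost:8080
cors.headers=Content-Type Authorization X-Test-Header
cors.allowCredentials=true
cors.exposedHeaders=Authorization
cors.maxAge=1800000
"""

@dataclass
class CorsConfig:
    """Property values, initialised to the defaults documented above."""
    enabled: bool = False
    mappings: str = "/**"
    methods: List[str] = field(default_factory=lambda: "HEAD GET PUT PATCH DELETE POST".split())
    origins: List[str] = field(default_factory=lambda: ["http://localhost:8080/"])
    headers: List[str] = field(default_factory=lambda: ["*"])
    allow_credentials: bool = False
    exposed_headers: List[str] = field(default_factory=lambda: ["*", "Authorization"])
    max_age_ms: int = 1800000  # the page documents cors.maxAge in milliseconds

def parse_properties(text: str) -> CorsConfig:
    """Read the cors.* keys out of an application.properties fragment."""
    cfg = CorsConfig()
    setters = {
        "cors.constraints.enabled": lambda v: setattr(cfg, "enabled", v.lower() == "true"),
        "cors.mappings": lambda v: setattr(cfg, "mappings", v),
        "cors.methods": lambda v: setattr(cfg, "methods", v.upper().split()),
        "cors.origins": lambda v: setattr(cfg, "origins", v.split()),
        "cors.headers": lambda v: setattr(cfg, "headers", v.split()),
        "cors.allowCredentials": lambda v: setattr(cfg, "allow_credentials", v.lower() == "true"),
        "cors.exposedHeaders": lambda v: setattr(cfg, "exposed_headers", v.split()),
        "cors.maxAge": lambda v: setattr(cfg, "max_age_ms", int(v)),
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":  # skip blank lines and comments
            key, _, value = line.partition("=")
            setter = setters.get(key.strip())
            if setter:
                setter(value.strip())
    return cfg

def validate(cfg: CorsConfig) -> List[str]:
    """Settings a browser will not honour once credentials are allowed."""
    problems = []
    if cfg.allow_credentials:
        if "*" in cfg.origins:
            problems.append("cors.origins=* with allowCredentials=true: browsers reject a wildcard origin")
        if "*" in cfg.headers:
            problems.append("cors.headers=* is a literal header name, not a wildcard, with credentials")
        if "*" in cfg.exposed_headers:
            problems.append("cors.exposedHeaders=* is not a wildcard with credentials")
    return problems

def _norm(origin: str) -> str:
    # Browsers send Origin as scheme://host[:port] with no path; the page's
    # default carries a trailing slash, so compare without it (assumption).
    return origin.rstrip("/").lower()

def _path_matches(pattern: str, path: str) -> bool:
    """Ant-style matching (assumption) for an exact path or /prefix/**."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def preflight(cfg: CorsConfig, path: str, origin: str, request_method: str,
              request_headers: Iterable[str] = ()) -> Optional[Dict[str, str]]:
    """Headers the service adds to the OPTIONS response, or None when the
    preflight is refused (the browser then reports the 'No
    Access-Control-Allow-Origin header' error quoted above)."""
    if not cfg.enabled:
        raise ValueError("cors.constraints.enabled=false: the cors.* properties are ignored")
    requested = list(request_headers)
    wildcard_origin = "*" in cfg.origins and not cfg.allow_credentials
    wildcard_headers = "*" in cfg.headers and not cfg.allow_credentials
    if not _path_matches(cfg.mappings, path):
        return None
    if not wildcard_origin and _norm(origin) not in {_norm(o) for o in cfg.origins}:
        return None
    if request_method.upper() not in cfg.methods:
        return None
    allowed_headers = {h.lower() for h in cfg.headers}
    if not wildcard_headers and any(h.lower() not in allowed_headers for h in requested):
        return None
    response = {
        "Access-Control-Allow-Origin": "*" if wildcard_origin else origin,
        "Access-Control-Allow-Methods": ", ".join(cfg.methods),
        # Access-Control-Max-Age is defined in seconds; the property is in milliseconds.
        "Access-Control-Max-Age": str(cfg.max_age_ms // 1000),
    }
    if requested:
        response["Access-Control-Allow-Headers"] = ", ".join(requested)
    if cfg.allow_credentials:
        response["Access-Control-Allow-Credentials"] = "true"
    if not wildcard_origin:
        response["Vary"] = "Origin"  # the origin is echoed, so caches must key on it
    return response
```

Running preflight(parse_properties(SAMPLE_PROPERTIES), "/content.svc", "http://localhost:8080", "POST", ["X-Test-Header"]) reproduces the Curl check above and returns the allow headers; the same call from http://localhost:3000, or with DELETE, or with a header that is not in cors.headers, returns None, which is the case behind the browser error quoted above. The wildcard checks in validate matter because the documented defaults for cors.headers and cors.exposedHeaders both contain *, so turning on cors.allowCredentials without listing explicit values silently stops those wildcards from working.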