Cross-Origin Resource Sharing (CORS)

CORS (Cross-Origin Resource Sharing) is a security feature that controls how web pages from one domain (origin) can make requests to resources hosted on a different domain. With Tyk Gateway, it is possible to enable and configure CORS per API so that browser-based clients can call it. The CORS section is added to an API definition as listed in the examples below for Tyk Gateway and Tyk Operator.

Examples

"CORS": {
  "enable": true,
  "allowed_origins": [
    "http://foo.com"
  ],
  "allowed_methods": [],
  "allowed_headers": [],
  "exposed_headers": [],
  "allow_credentials": false,
  "max_age": 24,
  "options_passthrough": false,
  "debug": false
}

Configuration

The CORS middleware has the following options:
  • CORS.allowed_origins: A list of origin domains to allow access from. Wildcards are also supported, e.g. http://*.foo.com. Default value is ["*"]
  • CORS.allowed_methods: A list of methods to allow access via. Default value is ["GET", "POST", "HEAD"]
  • CORS.allowed_headers: A list of headers that are allowed within a request. Default value is ["Origin", "Accept", "Content-Type", "X-Requested-With"]
  • CORS.exposed_headers: A list of headers that are exposed back in the response.
  • CORS.allow_credentials: Whether credentials (cookies) should be allowed.
  • CORS.max_age: Maximum age of credentials.
  • CORS.options_passthrough: Allows a CORS OPTIONS preflight request to be proxied directly to the upstream, bypassing authentication and the rest of the checks. This means that pre-flight requests generated by web clients such as SwaggerUI or the Tyk Portal documentation system will be able to test the API using trial keys. If your service handles CORS natively, enable this option.
  • CORS.debug: If set to true, this option produces log files for the CORS middleware.
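The following Go snippet is an added illustration, not code from Tyk Gateway, of how the allowed_origins, allowed_methods and allow_credentials settings above turn into preflight response headers. The CORSConfig type, the wildcard matcher and the decision to echo the matched origin (with a Vary header) instead of a literal "*" are this example's own assumptions about the behaviour; it goes slightly beyond the page by showing why "*" and allow_credentials do not combine.

```go
package main

import "strings"

// CORSConfig mirrors the keys of the "CORS" section of a Tyk API definition
// (assumed field set for this example; only the keys used below are modelled).
type CORSConfig struct {
	Enable           bool     `json:"enable"`
	AllowedOrigins   []string `json:"allowed_origins"`
	AllowedMethods   []string `json:"allowed_methods"`
	AllowCredentials bool     `json:"allow_credentials"`
}

// OriginAllowed matches a request Origin against allowed_origins, honouring
// "*" and the single-wildcard form such as "http://*.foo.com" (assumed semantics).
func OriginAllowed(patterns []string, origin string) bool {
	for _, pat := range patterns {
		if pat == "*" || pat == origin {
			return true
		}
		if star := strings.Index(pat, "*"); star >= 0 {
			prefix, suffix := pat[:star], pat[star+1:]
			// Suffix is checked on the remainder so prefix and suffix cannot overlap.
			if strings.HasPrefix(origin, prefix) && strings.HasSuffix(origin[len(prefix):], suffix) {
				return true
			}
		}
	}
	return false
}

// PreflightHeaders builds the preflight response headers, or nil when CORS is
// disabled or the origin is not allowed (the browser then blocks the request).
func PreflightHeaders(cfg CORSConfig, origin string) map[string]string {
	if !cfg.Enable || !OriginAllowed(cfg.AllowedOrigins, origin) {
		return nil
	}
	methods := cfg.AllowedMethods
	if len(methods) == 0 { // documented default when the list is left empty
		methods = []string{"GET", "POST", "HEAD"}
	}
	// Echo the matched origin, never a literal "*": browsers reject "*" together
	// with Allow-Credentials, and Vary stops caches replaying one origin's answer.
	h := map[string]string{
		"Access-Control-Allow-Origin":  origin,
		"Vary":                         "Origin",
		"Access-Control-Allow-Methods": strings.Join(methods, ", "),
	}
	if cfg.AllowCredentials {
		h["Access-Control-Allow-Credentials"] = "true"
	}
	return h
}
```

Because a wildcard in this matcher stands for any substring, anchor patterns with the scheme and a leading dot (http://*.foo.com), not a bare *foo.com, which would also admit evilfoo.com.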