You are viewing the documentation for Blueriq 16. Documentation for other versions is available in our documentation directory.
Cross-Origin Resource Sharing (CORS) is a mechanism that allows resources on a web page to be requested from another domain outside the domain from which the first resource was served. While a web page may freely embed cross-origin images, scripts, iframes, etc. certain cross-domain requests(ex. ajax requests) are forbidden by default by the same-origin security policy. CORS defines how the browser and server must communicate when accessing sources across origins. The basic idea behind CORS is to use custom HTTP headers to allow both the browser and the server know enough about each other to determine if the request or response should succeed or fail.
By default this mechanism is disabled. The reason for this is that it can be a security risk if not configured properly and not all browsers support this feature.
Enable CORS
Property for enabling the mechanism :
blueriq.security.cors.enabled=true
If CORS is enabled and no other extra configuration added, then by default all origins, headers and method types are allowed. In order to restrict the CORS access refer to the next paragraphs.
If Cross-Origin Resource Sharing is enabled, and a cross origin request was made, the cookies, authorisation headers and/or TLS client certificates are exposed to the web application as well.
Configure allowed origins
When a request is made to the server, the browsers adds the "Origin" header, example:
Origin: https://blueriq.com
If the server decides that the request should be allowed, it sends a "Access-Control-Allow-Origin" header echoing back the same origin that was sent or "*" if it's a public resource. If this header is missing,or the origins don't match, then the browser blocks the request.
In order to specify the allowed origins the property "blueriq.security.cors.allowed-origins" needs to be added in the application.properties
, followed by a comma separated list of origins.
Example:
blueriq.security.cors.allowed-origins=https://blueriq.com, https://my-custom-domain.nl
Configure allowed headers
As for allowed origins, the server can be configured to allow only some types of headers.
In order to specify the allowed headers, the property "blueriq.security.cors.allowed-headers" needs to be added in the application.properties
, followed by a comma separated list of allowed headers.
Example:
blueriq.security.cors.allowed-headers=header1, header2, header3
Make sure to add all headers that are sent by the web application. If at least one header is not specified in the property and the web application sends it, then the browser will block the request.
Configure allowed methods
If only some methods must be allowed when a cross origin request is made, it can be specified in the application.properties
using the property "blueriq.security.cors.allowed-methods"
Example:
blueriq.security.cors.allowed-methods=GET, POST, PUT