If CORS is enabled and no further configuration is added, then by default all origins, headers and HTTP methods are allowed, which means any website can make cross-origin requests to the server. The following paragraphs describe how to restrict CORS access.
Specify allowed origins
When a browser makes a cross-origin request to the server, it adds the "Origin" header, for example:
    Origin: https://blueriq.com
If the server decides that the request should be allowed, it responds with an "Access-Control-Allow-Origin" header that echoes the origin that was sent, or "*" if the resource is public. If this header is missing, or its value does not match the requesting origin, the browser blocks the page from reading the response (for preflighted requests the actual request is never sent). The value "*" cannot be used for requests that carry credentials; see "Credentials requests" below.
In order to specify the allowed origins, add the property "blueriq.security.cors.allowed-origins" to the properties file, followed by a comma separated list of origins. An origin is the full scheme, host and port (for example https://blueriq.com); it is matched exactly, so a subdomain or a different port must be listed separately.
Example:
    blueriq.security.cors.allowed-origins=https://blueriq.com, https://my-custom-domain.nl
Specify allowed headers
As with allowed origins, the server can be configured to accept only specific request headers on cross-origin requests.
In order to specify the allowed headers, add the property "blueriq.security.cors.allowed-headers" to the properties file, followed by a comma separated list of allowed header names.
Example:
    blueriq.security.cors.allowed-headers=header1, header2, header3
Note: Make sure to add all non-safelisted headers that the web application sends (for example Authorization or a custom X-... header). If the web application sends a header that is not listed in this property, the browser's preflight request fails and the browser blocks the request. Headers that browsers may always send cross-origin (Accept, Accept-Language, Content-Language, and Content-Type with the values application/x-www-form-urlencoded, multipart/form-data or text/plain) do not need to be listed.
Specify allowed methods
If only some HTTP methods must be allowed for cross-origin requests, specify them in the properties file using the property "blueriq.security.cors.allowed-methods", followed by a comma separated list of methods.
Example:
    blueriq.security.cors.allowed-methods=GET, POST, PUT
Credentials requests
A cross-origin request carries credentials (cookies, the Authorization header and/or TLS client certificates) only when the web application explicitly asks for it (XMLHttpRequest.withCredentials = true, or fetch with credentials: 'include') and the server answers with "Access-Control-Allow-Credentials: true". For such requests the browser additionally requires "Access-Control-Allow-Origin" to name the exact requesting origin; "*" is rejected. Because the response is then readable by the other origin with the user's session attached, keep allowed-origins limited to origins you trust when credentialed cross-origin requests are in use.
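The following Node.js script is an added example and is not Blueriq's code. It models the decision that the three blueriq.security.cors.* properties on this page configure (exact origin matching, the preflight method and header checks) and the check a browser applies to the answer, including why "*" fails once credentials are involved. The property names and sample values are taken from this page; the parsing, the function names and the sample requests are assumptions made for illustration and say nothing about how Blueriq itself implements them.

```javascript
// Added example, not Blueriq's code: a small model of the server-side CORS decision
// that blueriq.security.cors.allowed-origins / allowed-headers / allowed-methods
// configure, plus the browser-side check on the response. The logic is standard
// CORS behaviour and an assumption about how such a server works, not Blueriq's code.

// Constructed sample properties file using the three properties shown on the page.
const SAMPLE_PROPERTIES = `
blueriq.security.cors.allowed-origins=https://blueriq.com, https://my-custom-domain.nl
blueriq.security.cors.allowed-headers=X-Requested-With, Authorization
blueriq.security.cors.allowed-methods=GET, POST, PUT
`;

// Request headers a browser never names in Access-Control-Request-Headers, so they
// never need to appear in allowed-headers (CORS-safelisted request headers).
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

const PROPERTY_TO_FIELD = {
  "blueriq.security.cors.allowed-origins": "allowedOrigins",
  "blueriq.security.cors.allowed-headers": "allowedHeaders",
  "blueriq.security.cors.allowed-methods": "allowedMethods",
};

// Parse "key=a, b, c" lines into trimmed lists; unrelated properties are ignored.
function parseCorsProperties(text) {
  const cfg = { allowedOrigins: [], allowedHeaders: [], allowedMethods: [] };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq < 0) continue;
    const field = PROPERTY_TO_FIELD[line.slice(0, eq).trim()];
    if (field) cfg[field] = line.slice(eq + 1).split(",").map((s) => s.trim()).filter(Boolean);
  }
  return cfg;
}

const lowerSet = (list) => new Set(list.map((s) => s.toLowerCase()));

// Server side: decide which CORS headers (if any) to put on the response.
// req = { method, headers } with lower-case header names, as Node's http module gives them.
function corsDecision(cfg, req) {
  const origin = req.headers.origin;
  if (origin === undefined) return { allowed: true, headers: {}, reason: "no Origin header: CORS does not apply" };

  // The whole origin (scheme, host, port) must equal one entry. A prefix or substring
  // match would let https://blueriq.com.attacker.example through.
  const wildcard = cfg.allowedOrigins.includes("*");
  if (!wildcard && !cfg.allowedOrigins.includes(origin)) {
    return { allowed: false, headers: {}, reason: `origin ${origin} is not in allowed-origins` };
  }
  const headers = { "Access-Control-Allow-Origin": wildcard ? "*" : origin };
  if (!wildcard) headers["Vary"] = "Origin"; // a cache must not replay one origin's answer to another

  const isPreflight = req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (!isPreflight) return { allowed: true, headers, reason: "origin allowed" };

  // Preflight: the browser asks up front whether the method and extra headers are acceptable.
  const method = req.headers["access-control-request-method"].toUpperCase();
  if (!cfg.allowedMethods.includes("*") && !lowerSet(cfg.allowedMethods).has(method.toLowerCase())) {
    return { allowed: false, headers: {}, reason: `method ${method} is not in allowed-methods` };
  }
  const requested = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowedHeaders = lowerSet(cfg.allowedHeaders);
  const missing = requested.filter((h) => !SAFELISTED.has(h) && !allowedHeaders.has("*") && !allowedHeaders.has(h));
  if (missing.length > 0) {
    return { allowed: false, headers: {}, reason: `header(s) not in allowed-headers: ${missing.join(", ")}` };
  }
  headers["Access-Control-Allow-Methods"] = cfg.allowedMethods.join(", ");
  headers["Access-Control-Allow-Headers"] = cfg.allowedHeaders.join(", ");
  return { allowed: true, headers, reason: "preflight accepted" };
}

// Browser side: may the page at `origin` read a response carrying these headers?
// With credentials (cookies, Authorization, TLS client certificate) "*" is not accepted
// and Access-Control-Allow-Credentials: true is required as well.
function browserAccepts(responseHeaders, origin, credentialed) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!credentialed) return acao === "*" || acao === origin;
  return acao === origin && responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Walk-through with the sample configuration and constructed requests.
const sampleCfg = parseCorsProperties(SAMPLE_PROPERTIES);
const samplePreflight = {
  method: "OPTIONS",
  headers: {
    origin: "https://blueriq.com",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "content-type, x-requested-with",
  },
};
console.log(corsDecision(sampleCfg, samplePreflight));
console.log(corsDecision(sampleCfg, { method: "GET", headers: { origin: "https://blueriq.com.attacker.example" } }));
console.log(browserAccepts({ "Access-Control-Allow-Origin": "*" }, "https://blueriq.com", true));
```

Run it with `node cors-model.js`. The second call shows the point of exact origin matching: a look-alike host that merely starts with an allowed origin is refused. The third call shows that a wildcard Access-Control-Allow-Origin is useless for credentialed requests, so a server that must accept cookies or Authorization headers cross-origin has to echo a specific, trusted origin.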