
If CORS is enabled and no other extra configuration is added, then by default all origins, headers and method types are allowed. To restrict CORS access, refer to the next paragraphs.

Specify allowed origins

When a request is made to the server, the browser adds the "Origin" header, for example:

Code Block
Origin: https://blueriq.com

If the server decides that the request should be allowed, it sends an "Access-Control-Allow-Origin" header echoing back the same origin that was sent, or "*" if it is a public resource. If this header is missing, or the origins don't match, then the browser disallows the request.

In order to specify the allowed origins, add the property "blueriq.security.cors.allowed-origins" to the properties file, followed by a comma-separated list of origins.

Example:

Code Block
blueriq.security.cors.allowed-origins=https://blueriq.com, https://my-custom-domain.nl

Specify allowed headers

As with allowed origins, the server can be configured to allow only some headers.

In order to specify the allowed headers, add the property "blueriq.security.cors.allowed-headers" to the properties file, followed by a comma-separated list of allowed headers.

Example:

Code Block
blueriq.security.cors.allowed-headers=header1, header2, header3

Note

Make sure to add all headers that are used by the web application. If at least one header is not specified in the property and the web application sends it, then the browser will block the request.

Specify allowed methods

If only some methods must be allowed when a cross-origin request is made, they can be specified in the properties file using the property "blueriq.security.cors.allowed-methods".

Example:

Code Block
blueriq.security.cors.allowed-methods=GET, POST, PUT
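The origin, header and method checks described in the three sections above, as an added example that is not Blueriq's code: a small Python model that parses the blueriq.security.cors.* properties in the format shown on this page and computes the CORS response headers for a request, or decides that the browser must block it. The parser, the request dict and the sample property values are assumptions of this example.

```python
# Added example (not Blueriq's code): a model of the server-side CORS decision
# described above, driven by the blueriq.security.cors.* properties.
PREFIX = "blueriq.security.cors."

# Constructed sample properties, in the format shown on this page.
SAMPLE_PROPERTIES = """
blueriq.security.cors.allowed-origins=https://blueriq.com, https://my-custom-domain.nl
blueriq.security.cors.allowed-headers=Content-Type, X-Requested-With
blueriq.security.cors.allowed-methods=GET, POST, PUT
"""

def parse_properties(text):
    """Parse key=value lines into {key: [values]}, splitting values on commas."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return props

def cors_headers(props, request):
    """Return CORS response headers for `request` (a dict of request headers), or None
    when the browser must block it. A missing property means "allow all" (the default)."""
    origin = request.get("Origin")
    if origin is None:
        return {}  # not a cross-origin browser request: nothing to add
    origins = props.get(PREFIX + "allowed-origins", ["*"])
    if "*" in origins:
        reply = {"Access-Control-Allow-Origin": "*"}
    elif origin in origins:  # exact string comparison against the property
        reply = {"Access-Control-Allow-Origin": origin}  # echo the allowed origin
    else:
        return None  # header omitted, so the browser disallows the request
    method = request.get("Access-Control-Request-Method")
    if method is None:
        return reply  # simple request: no preflight method/header checks
    methods = props.get(PREFIX + "allowed-methods")
    if methods is not None and method.upper() not in {m.upper() for m in methods}:
        return None
    requested = request.get("Access-Control-Request-Headers", "")
    wanted = [h.strip().lower() for h in requested.split(",") if h.strip()]
    headers = props.get(PREFIX + "allowed-headers")
    if headers is not None and not set(wanted) <= {h.lower() for h in headers}:
        return None  # a header the web application sends is not in the property
    reply["Access-Control-Allow-Methods"] = ", ".join(methods or [method])
    reply["Access-Control-Allow-Headers"] = ", ".join(headers or wanted)
    return reply
```

Header names are compared case-insensitively, as browsers send them lower-cased in the preflight; the origin comparison is deliberately exact, so "https://blueriq.com" and "https://blueriq.com:443" are different origins here.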

Credentials requests

If Cross-Origin Resource Sharing is enabled and a cross-origin request was made, the cookies, authorization headers and/or TLS client certificates are exposed to the web application as well.