CORS

The cors block configures the CORS (Cross-Origin Resource Sharing) behavior in Couper.

Block name	Context	Label
`cors`	Server Block, Files Block, SPA Block, API Block.	no label

Note: Access-Control-Allow-Methods is only sent in response to a CORS preflight request, if the method requested by Access-Control-Request-Method is an allowed method (see the allowed_method attribute for api or endpoint blocks).

Attribute `allowed_origins`

Can be either of: a string with a single specific origin, "*" (all origins are allowed) or an array of specific origins.

Example:

allowed_origins = ["https://www.example.com", "https://www.another.host.org"]

Attributes

Name	Type	Default	Description
`allow_credentials`	bool	`false`	Set to `true` if the response can be shared with credentialed requests (containing `Cookie` or `Authorization` HTTP header fields).
`allowed_origins`	object	-	An allowed origin or a list of allowed origins.
`disable`	bool	`false`	Set to `true` to disable the inheritance of CORS from parent context.
`max_age`	duration	-	Indicates the time the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` response HTTP header fields.

Duration

Values of type duration are provided as number string followed by a unit listed below.

Example: timeout = "300s"

Duration units	Description
`ns`	nanoseconds
`us` (or `µs`)	microseconds
`ms`	milliseconds
`s`	seconds
`m`	minutes
`h`	hours

< Client Certificate

Defaults >

CORS

Attribute allowed_origins

Attributes

Duration

Attribute `allowed_origins`