cors gives you easy control over Cross Origin Resource Sharing for your site.
It allows you to whitelist particular domains per route, or to simply allow all domains * If desired you may customize nearly every aspect of the specification.
cors [path] [domains...] {
origin [origin]
origin_regexp [regexp]
methods [methods]
allow_credentials [allowCredentials]
max_age [maxAge]
allowed_headers [allowedHeaders]
exposed_headers [exposedHeaders]
}
- path is the file or directory this applies to (default is /).
- domains is a space-seperated list of domains to allow. If ommitted, all domains will be granted access.
- origin is a domain to grant access to. May be specified multiple times or ommitted.
- origin_regexp is a regexp that will be matched to the
Originheader. Access will be granted accordingly. It can be used in conjonction with theoriginconfig (executed as a fallback toorigin). May be specified multiple times or ommitted. - methods is set of http methods to allow. Default is these: POST,GET,OPTIONS,PUT,DELETE.
- allow_credentials sets the value of the Access-Control-Allow-Credentials header. Can be true or false. By default, header will not be included.
- max_age is the length of time in seconds to cache preflight info. Not set by default.
- allowed_headers is a comma-seperated list of request headers a client may send.
- exposed_headers is a comma-seperated list of response headers a client may access.
Simply allow all domains to request any path:
cors
Protect specific paths only, and only allow a few domains:
cors /foo http://mysite.com http://anothertrustedsite.com
Full configuration:
cors / {
origin http://allowedSite.com
origin http://anotherSite.org https://anotherSite.org
origin_regexp .+\.example\.com$
methods POST,PUT
allow_credentials false
max_age 3600
allowed_headers X-Custom-Header,X-Foobar
exposed_headers X-Something-Special,SomethingElse
}