
Parameters

See plugin common configurations for configuration options available to all plugins.

  • allow_origins

    string


    default: *


    Comma-separated string of origins to allow CORS.

    If allow_credential is set to true, you can forcefully allow CORS on all origins by configuring the field to **, but sensitive data, such as authentication tokens or cookies, can then be exposed to any malicious website.

    You can also configure allowed origins globally using the plugin metadata, which sets the allowed origins for all cors plugin instances. See the example for more details.

  • allow_methods

    string


    default: *


    Comma-separated string of HTTP request methods to allow CORS.

    If allow_credential is set to true, you can forcefully allow CORS on all methods by configuring the field to **, but a malicious actor can then use HTTP methods such as PUT or DELETE to make unexpected modifications to shared resources, which poses a security threat.

  • allow_headers

    string


    default: *


    Comma-separated string of HTTP headers allowed in requests.

    If allow_credential is set to true, you can forcefully allow CORS on all request headers by configuring the field to **, but this can allow malicious headers to be sent to the server.

  • expose_headers

    string


    default: *


    Comma-separated string of HTTP headers that should be made available in response to a cross-origin request.

    If allow_credential is set to true, you can forcefully allow CORS on all response headers by configuring the field to **.

  • max_age

    integer


    default: 5


    Maximum time in seconds for which the results of a preflight request can be cached. Within this time, the browser reuses the cached result instead of sending another preflight request. To disable caching, set max_age to -1.

    Note that the maximum value allowed is browser-dependent. See Access-Control-Max-Age for more details.

  • allow_credential

    boolean


    default: false


    If true, allow requests to include credentials, such as cookies. According to the CORS specification, when allow_credential is set to true, you cannot use * for the other CORS attributes.

    To allow all origins in that case, set allow_origins to **. This can potentially expose sensitive user data, such as authentication tokens or cookies, to malicious actors.

  • allow_origins_by_regex

    array[string]


    RegEx patterns to match origins that are allowed CORS. When configured, only origins matching one of the patterns will be allowed, and any configuration in allow_origins will be ignored.

    For example, ['.*\.test.com$'] can match all subdomains of test.com.

  • allow_origins_by_metadata

    array[string]


    Origins to enable CORS referenced from allow_origins set in the plugin metadata. For example, if allow_origins: {'EXAMPLE': 'https://example.com'} is set in the plugin metadata, then ['EXAMPLE'] can be used to allow CORS on the origin https://example.com.

  • timing_allow_origins

    string


    Comma-separated string of origins to allow to access the resource timing information. See Timing-Allow-Origin for more details.

  • timing_allow_origins_by_regex

    array[string]


    RegEx patterns to match origins that are allowed to access the resource timing information. When configured, only origins matching one of the patterns will be allowed, and any configuration in timing_allow_origins will be ignored.

    For example, ['.*\.test.com'] can match all subdomains of test.com.
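The following is an added example, not code from the cors plugin or the APISIX project: a small Python model of the origin rules documented above (allow_origins with *, ** or an explicit list, allow_origins_by_regex, allow_credential and max_age), used to contrast the ** shortcut with a scoped regex. It assumes that regex matching is unanchored, as the page's '.*\.test.com$' example implies, and that max_age: -1 is modelled by omitting the Access-Control-Max-Age header.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass  # subset of the cors parameters described above (constructed model)
class CorsConf:
    allow_origins: str = "*"
    allow_origins_by_regex: List[str] = field(default_factory=list)
    allow_credential: bool = False
    max_age: int = 5

def validate(conf: CorsConf) -> None:
    """The CORS spec forbids a bare '*' origin together with credentials."""
    if conf.allow_credential and conf.allow_origins == "*" and not conf.allow_origins_by_regex:
        raise ValueError("allow_origins cannot be '*' when allow_credential is true")

def cors_headers(conf: CorsConf, origin: str) -> Optional[Dict[str, str]]:
    """Headers for a request carrying Origin; None means the origin is not allowed."""
    validate(conf)
    if conf.allow_origins_by_regex:
        # Assumed unanchored matching (re.search), so patterns must anchor with ^ and $ themselves.
        if not any(re.search(p, origin) for p in conf.allow_origins_by_regex):
            return None
        allow = origin
    elif conf.allow_origins == "*":
        allow = "*"
    elif conf.allow_origins == "**":
        allow = origin  # reflects any origin: with credentials, every site is trusted
    else:
        if origin not in [o.strip() for o in conf.allow_origins.split(",")]:
            return None
        allow = origin
    hdrs = {"Access-Control-Allow-Origin": allow}
    if allow != "*":
        hdrs["Vary"] = "Origin"  # response now differs per origin; keep shared caches honest
    if conf.allow_credential:
        hdrs["Access-Control-Allow-Credentials"] = "true"
    if conf.max_age != -1:
        hdrs["Access-Control-Max-Age"] = str(conf.max_age)
    return hdrs

# Constructed configurations: the risky shortcut, a scoped alternative, and the page's unanchored regex.
RISKY = CorsConf(allow_origins="**", allow_credential=True)
SCOPED = CorsConf(allow_origins_by_regex=[r"^https://[a-z0-9-]+\.test\.com$"], allow_credential=True)
LOOSE_REGEX = CorsConf(allow_origins_by_regex=[r".*\.test.com"])

if __name__ == "__main__":
    for o in ("https://app.test.com", "https://app.test.com.evil.example"):
        print(o, cors_headers(RISKY, o), cors_headers(SCOPED, o), cors_headers(LOOSE_REGEX, o))
```

Note that the unanchored '.*\.test.com' pattern also accepts a lookalike origin such as https://app.test.com.evil.example, so end the pattern with $ when only real subdomains should match.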



Copyright © APISEVEN PTE. LTD 2019 – 2025. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the Apache Software Foundation.