Skip to content


CORS (Cross-Origin Resource Sharing) is a security feature in web browsers that permits controlled and safe cross-origin requests between websites.

CORS diagram


CORS is implemented in web browsers to control and manage how web pages from one domain can interact with resources hosted on another domain.

When a web page loaded from one origin (domain) tries to make a request to a different origin, the browser enforces the same-origin policy by default, which prevents most cross-origin requests.
However, there are valid scenarios where cross-origin communication is necessary, such as fetching data from APIs or loading resources like fonts and scripts from other domains.

CORS allows server owners to specify which origins are permitted to access their resources through HTTP headers.

CORS and Traefik Hub

By default, Traefik Hub ships with a couple of default CORS policies to allow users to try out API requests in the API Portal.

CORS diagram

If you don't set up custom CORS configuration for your APIs, Traefik Hub will automatically apply these.

Please check the default CORS policies below!

Default CORS policies

Traefik Hub applies the following default CORS settings when you don't set custom ones:

Header Description More info Default
Access-Control-Allow-Credentials When set to true, the header tells browsers to expose the response to the frontend JavaScript code. Credentials are cookies, authorization headers, or TLS client certificates. Docs on MDN True
Access-Control-Allow-Origin The header is used by servers to inform clients with respect to whether they can share the HTTP response via HTTP requests with another origin. Docs on MDN *
Access-Control-Allow-Headers The header indicates which HTTP headers can be used during the actual HTTP request. Docs on MDN *
HTTP methods The header indicates what HTTP methods are allowed when accessing resources during a preflight request. Docs on MDN GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE

Allow credentials and wildcards

According to the CORS specification, you are not allowed to use wildcards and credentials at the same time.

Be cautious

For example, if you tighten the settings for Access-Control-Allow-Origin, make sure to allow the Portal Domain, otherwise, the try-out function will not work anymore.

What's next

  • Learn how to adjust CORS policies using CRDs (Custom Resource Definitions)
  • Learn how to adjust CORS policies through the UI