Overview
CORS (Cross-Origin Resource Sharing) is a browser mechanism that relaxes the same-origin policy in a controlled way: a server declares, through response headers, which other origins may read its responses.
Introduction
CORS is implemented in web browsers to control how web pages from one origin can interact with resources hosted on another origin.
An origin is the combination of scheme, host, and port. When a page loaded from one origin makes a request to a different origin, the browser enforces the same-origin policy by default, which blocks the page from reading most cross-origin responses.
However, there are valid scenarios where cross-origin communication is necessary, such as fetching data from APIs or loading resources like fonts and scripts from other domains.
CORS lets server owners specify, through HTTP response headers, which origins are permitted to access their resources, and with which methods, request headers, and credentials.
CORS and Traefik Hub
By default, Traefik Hub ships with a set of default CORS policies so that users can try out API requests in the API Portal.
If you don't set up a custom CORS configuration for your APIs, Traefik Hub applies these defaults automatically.
The default CORS policies are listed below.
Default CORS policies
Traefik Hub applies the following default CORS settings when you don't set custom ones:

Header | Description | More info | Default
---|---|---|---
Access-Control-Allow-Credentials | Tells the browser whether to expose the response to the page's JavaScript when the request's credentials mode is `include`. Credentials are cookies, HTTP authentication entries, and TLS client certificates. | Docs on MDN | true
Access-Control-Allow-Origin | Tells the browser whether the response may be shared with requesting code from the given origin. | Docs on MDN | *
Access-Control-Allow-Headers | Sent in response to a preflight request; lists the request headers that may be used in the actual request. | Docs on MDN | *
Access-Control-Allow-Methods | Sent in response to a preflight request; lists the HTTP methods allowed when accessing the resource. | Docs on MDN | GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE
Allow credentials and wildcards
According to the CORS specification, you are not allowed to use wildcards and credentials at the same time. Browsers enforce this on the client side: when a request is sent with credentials, `*` in Access-Control-Allow-Origin, Access-Control-Allow-Headers, or Access-Control-Allow-Methods is treated as a literal value and the request fails. To support credentialed cross-origin requests you must return a specific origin, and that origin should come from an allowlist you control, never be echoed back from the request's Origin header, since reflecting arbitrary origins together with credentials lets any site make authenticated requests to your API.
Be cautious
For example, if you tighten the settings for Access-Control-Allow-Origin, make sure to allow the Portal domain as well; otherwise, the try-out function in the API Portal will no longer work.
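To make the consequences of the default policy, the wildcard-plus-credentials rule, and the Portal-domain caveat concrete, the following is an added example (not Traefik Hub code) that models the browser-side checks from the Fetch standard and evaluates a few constructed requests against the default headers from the table above and against a tightened policy. The Portal origin `https://portal.example.com`, the request samples, and the tightened header set are assumptions for the example; the check logic is a simplification of the Fetch standard's CORS check and CORS-preflight validation.

```javascript
// Added example: a model of the browser-side CORS checks (Fetch standard),
// used to evaluate CORS response headers before deploying them.
// The policies and requests below are constructed for this example.

// Traefik Hub defaults from the table above, expressed as response headers.
const HUB_DEFAULT_POLICY = {
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
  "access-control-allow-headers": "*",
  "access-control-allow-methods": "GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE",
};

const PORTAL_ORIGIN = "https://portal.example.com"; // assumed Portal domain

// A tightened policy: one explicit origin plus credentials, with Authorization
// listed explicitly. These are the headers the server would have to emit; it is
// not a Traefik Hub configuration format.
const TIGHTENED_POLICY = {
  "access-control-allow-origin": PORTAL_ORIGIN,
  "access-control-allow-credentials": "true",
  "access-control-allow-headers": "Authorization, Content-Type",
  "access-control-allow-methods": "GET, POST, PUT, PATCH, DELETE",
};

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
// Request headers that never trigger a preflight (simplified: the standard
// also constrains their values, e.g. Content-Type is only safelisted for a
// few media types).
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

function splitList(value) {
  return value === undefined ? null : value.split(",").map((s) => s.trim()).filter(Boolean);
}

// Fetch standard "CORS check": may the page read this response at all?
function corsCheck(response, request) {
  const allowOrigin = response["access-control-allow-origin"];
  if (allowOrigin === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin" };
  if (request.credentials !== "include" && allowOrigin === "*") return { ok: true };
  // With credentials, '*' is compared literally and therefore never matches.
  if (allowOrigin !== request.origin) {
    return { ok: false, reason: `Allow-Origin '${allowOrigin}' does not match '${request.origin}'` };
  }
  if (request.credentials !== "include") return { ok: true };
  if (response["access-control-allow-credentials"] === "true") return { ok: true };
  return { ok: false, reason: "credentialed request but Allow-Credentials is not 'true'" };
}

// A request needs a preflight if its method or any header is not safelisted.
function needsPreflight(request) {
  if (!SAFELISTED_METHODS.has(request.method)) return true;
  return Object.keys(request.headers).some((h) => !SAFELISTED_HEADERS.has(h.toLowerCase()));
}

// Fetch standard CORS-preflight validation (simplified): the preflight response
// must pass the CORS check and cover the method and every non-safelisted header.
function preflightCheck(response, request) {
  const base = corsCheck(response, request);
  if (!base.ok) return base;
  const credentialed = request.credentials === "include";
  const methods = splitList(response["access-control-allow-methods"]) ?? [];
  const headerNames = (splitList(response["access-control-allow-headers"]) ?? []).map((h) => h.toLowerCase());
  const methodWildcard = !credentialed && methods.includes("*");
  if (!methods.includes(request.method) && !SAFELISTED_METHODS.has(request.method) && !methodWildcard) {
    return { ok: false, reason: `method ${request.method} not allowed` };
  }
  const headerWildcard = !credentialed && headerNames.includes("*");
  for (const name of Object.keys(request.headers).map((h) => h.toLowerCase())) {
    if (SAFELISTED_HEADERS.has(name)) continue;
    // Authorization is a "CORS non-wildcard request-header name": '*' never covers it.
    if (name === "authorization" && !headerNames.includes("authorization")) {
      return { ok: false, reason: "Authorization must be listed explicitly; '*' does not cover it" };
    }
    if (!headerNames.includes(name) && !headerWildcard) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true };
}

// Evaluate a request against a policy the way a browser would: preflight
// (when needed) and then the CORS check on the actual response.
function evaluate(policy, request) {
  if (needsPreflight(request)) {
    const pre = preflightCheck(policy, request);
    if (!pre.ok) return { ok: false, stage: "preflight", reason: pre.reason };
  }
  const actual = corsCheck(policy, request);
  return actual.ok ? { ok: true } : { ok: false, stage: "response", reason: actual.reason };
}

// Constructed sample requests from the Portal origin.
const SAMPLE_REQUESTS = {
  simpleGet: { origin: PORTAL_ORIGIN, method: "GET", headers: {}, credentials: "same-origin" },
  apiKeyHeader: { origin: PORTAL_ORIGIN, method: "GET", headers: { "X-API-Key": "k" }, credentials: "same-origin" },
  bearer: { origin: PORTAL_ORIGIN, method: "GET", headers: { Authorization: "Bearer t" }, credentials: "same-origin" },
  withCookies: { origin: PORTAL_ORIGIN, method: "POST", headers: {}, credentials: "include" },
  otherOrigin: { origin: "https://other.example", method: "GET", headers: {}, credentials: "same-origin" },
};

for (const [policyName, policy] of [["default", HUB_DEFAULT_POLICY], ["tightened", TIGHTENED_POLICY]]) {
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    console.log(policyName, name, evaluate(policy, req));
  }
}
```

Against the default headers, a plain GET and a request with a custom API-key header pass, but a request carrying cookies fails the response check (wildcard origin with credentials), and a request with an Authorization header fails the preflight because `*` never covers that header. The tightened policy accepts all four Portal requests and rejects the other origin, which is exactly why the Portal domain must be on the list once you move away from `*`.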