http-cors #
Support Cross-Origin Resource Sharing (CORS) in Nginx.
Source: upstream source
Directives
cors #
syntax: cors on | off; · default: cors off; · context: http, server, location
Master switch to enable CORS processing. When enabled, the module intercepts OPTIONS requests (preflight) and adds CORS headers to all responses that match the configured policies. ---
cors_allow_credentials #
syntax: cors_allow_credentials on | off; · default: cors_allow_credentials off; · context: http, server, location
Enables Access-Control-Allow-Credentials: true, allowing requests to include credentials (cookies, HTTP authentication, client certificates). ---
cors_allow_headers #
syntax: cors_allow_headers \* | \*\* | header ...; · default: \*; · context: http, server, location
Specifies which request headers are allowed for cross-origin requests. Supports three modes: The following safelisted headers are always allowed and will be silently skipped if you include them in the configuration: Accept, Accept-Language, Content-Language, Content-Type, Range. ---
cors_allow_methods #
syntax: cors_allow_methods \* | \*\* | method ...; · default: \*; · context: http, server, location
Specifies which HTTP methods are allowed for cross-origin requests. Supports three modes: Method names are case-sensitive and must be uppercase (GET, POST, PUT, DELETE, HEAD, OPTIONS, PATCH, etc.). ---
cors_allow_origins #
syntax: cors_allow_origins \* | \*\* | origin ...; · default: cors_allow_origins \*; · context: http, server, location
Specifies which origins are allowed to access the resource. Supports three modes: Origins can be specified as exact strings or, if PCRE support is compiled into Nginx, as regex patterns prefixed with ~: ---
cors_bypass #
syntax: cors_bypass variable ...; · default: — · context: http, server, location
Defines conditions under which CORS processing is skipped. Accepts one or more Nginx variables. If any variable evaluates to a non-empty, non-zero value (i.e., not "" and not "0"), CORS header injection and preflight handling are bypassed for that request. Examples: When omitted, CORS headers are applied to all requests. ---
cors_expose_headers #
syntax: cors_expose_headers header ...; · default: — · context: http, server, location
Specifies which response headers are safe to expose to the browser via Access-Control-Expose-Headers. By default, browsers only expose a limited set of response headers (the safelisted response headers: Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma). Use this directive to expose additional headers. ---
cors_max_age #
syntax: cors_max_age time; · default: — · context: http, server, location
Specifies how long (in seconds) the browser is allowed to cache the preflight response via Access-Control-Max-Age. Common values: 3600 (1 hour), 86400 (1 day). When set to 0 or not configured, the header is omitted. ---
cors_preflight_status #
syntax: cors_preflight_status 200 | 204; · default: cors_preflight_status 200; · context: http, server, location
Specifies the HTTP status code returned for preflight (OPTIONS) requests. Only 200 and 204 are valid values.
Example
http {
cors on;
cors_max_age 3600;
cors_allow_origins **;
cors_allow_methods GET HEAD PUT POST;
cors_allow_headers **;
server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
}
}