http-cors #

Support Cross-Origin Resource Sharing (CORS) in Nginx.

Source: upstream source

Directives

cors #

syntax: cors on | off;  ·  default: cors off;  ·  context: http, server, location

Master switch to enable CORS processing. When enabled, the module intercepts OPTIONS requests (preflight) and adds CORS headers to all responses that match the configured policies. ---

cors_allow_credentials #

syntax: cors_allow_credentials on | off;  ·  default: cors_allow_credentials off;  ·  context: http, server, location

Enables Access-Control-Allow-Credentials: true, allowing requests to include credentials (cookies, HTTP authentication, client certificates). ---

cors_allow_headers #

syntax: cors_allow_headers \* | \*\* | header ...;  ·  default: \*;  ·  context: http, server, location

Specifies which request headers are allowed for cross-origin requests. Supports three modes: The following safelisted headers are always allowed and will be silently skipped if you include them in the configuration: Accept, Accept-Language, Content-Language, Content-Type, Range. ---

cors_allow_methods #

syntax: cors_allow_methods \* | \*\* | method ...;  ·  default: \*;  ·  context: http, server, location

Specifies which HTTP methods are allowed for cross-origin requests. Supports three modes: Method names are case-sensitive and must be uppercase (GET, POST, PUT, DELETE, HEAD, OPTIONS, PATCH, etc.). ---

cors_allow_origins #

syntax: cors_allow_origins \* | \*\* | origin ...;  ·  default: cors_allow_origins \*;  ·  context: http, server, location

Specifies which origins are allowed to access the resource. Supports three modes: Origins can be specified as exact strings or, if PCRE support is compiled into Nginx, as regex patterns prefixed with ~: ---

cors_bypass #

syntax: cors_bypass variable ...;  ·  default:  ·  context: http, server, location

Defines conditions under which CORS processing is skipped. Accepts one or more Nginx variables. If any variable evaluates to a non-empty, non-zero value (i.e., not "" and not "0"), CORS header injection and preflight handling are bypassed for that request. Examples: When omitted, CORS headers are applied to all requests. ---

cors_expose_headers #

syntax: cors_expose_headers header ...;  ·  default:  ·  context: http, server, location

Specifies which response headers are safe to expose to the browser via Access-Control-Expose-Headers. By default, browsers only expose a limited set of response headers (the safelisted response headers: Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma). Use this directive to expose additional headers. ---

cors_max_age #

syntax: cors_max_age time;  ·  default:  ·  context: http, server, location

Specifies how long (in seconds) the browser is allowed to cache the preflight response via Access-Control-Max-Age. Common values: 3600 (1 hour), 86400 (1 day). When set to 0 or not configured, the header is omitted. ---

cors_preflight_status #

syntax: cors_preflight_status 200 | 204;  ·  default: cors_preflight_status 200;  ·  context: http, server, location

Specifies the HTTP status code returned for preflight (OPTIONS) requests. Only 200 and 204 are valid values.

Example

http {
    cors on;
    cors_max_age           3600;
    cors_allow_origins     **;
    cors_allow_methods     GET HEAD PUT POST;
    cors_allow_headers     **;

    server {
        listen       80;
        server_name  localhost;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}

↑ back to index