APISIX CORS Configuration Guide

APISIX CORS Configuration Overview

Introduction to CORS

Browsers enforce the same-origin policy: a page served from one origin cannot read responses from another origin unless that server opts in. Cross-Origin Resource Sharing (CORS) is that opt-in mechanism: the server answers with Access-Control-* headers that tell the browser which origins, methods and request headers are permitted, and the browser blocks anything else. CORS is enforced only by browsers (curl or a script ignores it), so it protects users against malicious sites, not the API against direct requests. A configuration that is too permissive lets an attacker's page read authenticated responses in the victim's browser. The APISIX cors plugin sets these headers at the gateway, so individual upstream services do not have to, and answers preflight OPTIONS requests itself.

Basic CORS Configuration

Enable CORS

The example below creates a route whose cors plugin allows any origin to call it. Two things to check before copying it: the Admin API key shown is the well-known default that ships with APISIX and must be changed in any real deployment, and port 9080 is the Admin API port of APISIX releases before 3.0 (from 3.0 the Admin API listens on 9180 by default). The example also omits an upstream; add an upstream, upstream_id or service_id before the route will proxy anything.

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/api/*",
    "plugins": {
        "cors": {
            "allow_origins": "*",
            "allow_methods": "GET,POST,PUT,DELETE",
            "allow_headers": "Content-Type,Authorization",
            "expose_headers": "X-Custom-Header",
            "max_age": 3600
        }
    }
}'

Advanced CORS Settings

Specific Origin Configuration

curl http://127.0.0.1:9080/apisix/admin/routes/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/secure/*",
    "plugins": {
        "cors": {
            "allow_origins": "https://example.com,https://api.example.com",
            "allow_methods": "GET,POST",
            "allow_headers": "Content-Type,Authorization,X-Requested-With",
            "expose_headers": "X-Custom-Header",
            "max_age": 3600,
            "allow_credential": true
        }
    }
}'
Security Note: Avoid allow_origins: "*" in production; list the exact origins instead. Configured origins are compared with the browser's Origin header as exact strings, so include the scheme and any non-default port (https://app.example.com:8443). When allow_credential is true the plugin rejects "*" for allow_origins, allow_methods, allow_headers and expose_headers (the documented default for each is "*", so set all four explicitly); the "**" value forces wildcard behaviour even with credentials and should never be used, because it lets any site read authenticated responses. The allow_origins_by_regex option matches patterns against the Origin header with a search rather than a full match, so anchor patterns with $ and escape dots in host names.
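The following is an added example, not code from the APISIX project: a small pre-commit style linter for a cors plugin config object that applies the plugin's documented rule that "*" cannot be combined with allow_credential (reported as "error:", since the Admin API would reject it) and flags policy weaknesses that APISIX does accept, such as wildcard origins in production, the "**" override, plaintext http origins and unanchored or unescaped allow_origins_by_regex patterns. The function name lint_cors_conf and the sample ROUTE_* dicts are hypothetical; the samples are built from the route examples on this page.

```python
import re
from typing import Dict, List

# cors plugin fields that take a comma-separated list or "*".
# The documented default for each of them is "*".
LIST_FIELDS = ("allow_origins", "allow_methods", "allow_headers", "expose_headers")

# What a browser actually sends as Origin: scheme://host[:port], no path.
ORIGIN_RE = re.compile(r"https?://[A-Za-z0-9.-]+(:\d+)?")


def lint_cors_conf(conf: Dict, production: bool = True) -> List[str]:
    """Return findings for one cors plugin config dict.

    "error:" findings are combinations the plugin's own schema check rejects;
    "warn:" findings are accepted by APISIX but weaken the policy.
    """
    findings: List[str] = []
    creds = bool(conf.get("allow_credential", False))

    for field in LIST_FIELDS:
        value = conf.get(field, "*")  # an absent field falls back to the documented default
        if creds and value == "*":
            findings.append(f"error: {field} is '*' (or unset) while allow_credential is true")
        if value == "**":
            findings.append(f"warn: {field} is '**' (forced wildcard; with allow_credential "
                            "any site can read authenticated responses)")

    origins = conf.get("allow_origins", "*")
    if origins == "*":
        if production:
            findings.append("warn: allow_origins is '*'; list exact origins in production")
    elif origins != "**":
        for origin in (o.strip() for o in origins.split(",")):
            if not ORIGIN_RE.fullmatch(origin):
                findings.append(f"warn: {origin!r} is not scheme://host[:port] and will "
                                "never equal a browser Origin header")
            elif origin.startswith("http://") and production:
                findings.append(f"warn: {origin!r} is plaintext http; an on-path attacker can pose as it")

    if not creds and conf.get("allow_methods", "*") == "*":
        findings.append("warn: allow_methods is '*'; list only the methods the API needs")

    for pattern in conf.get("allow_origins_by_regex", []):
        try:
            re.compile(pattern)
        except re.error as exc:
            findings.append(f"error: invalid regex {pattern!r}: {exc}")
            continue
        # The plugin searches rather than full-matches, so an unanchored pattern such as
        # "https://example\.com" also accepts https://example.com.attacker.net.
        if not pattern.endswith("$"):
            findings.append(f"warn: regex {pattern!r} is not anchored with '$'")
        # An unescaped '.' matches any character: ".*\.example.com$" also accepts
        # https://evil.example-com. Skip "\." (escaped) and ".*" (intentional wildcard).
        if re.search(r"(?<!\\)\.(?!\*)", pattern):
            findings.append(f"warn: regex {pattern!r} contains an unescaped '.'")

    return findings


# Constructed samples taken from the route examples on this page.
ROUTE_OPEN = {"allow_origins": "*", "allow_methods": "GET,POST,PUT,DELETE",
              "allow_headers": "Content-Type,Authorization",
              "expose_headers": "X-Custom-Header", "max_age": 3600}
ROUTE_STRICT = {"allow_origins": "https://example.com,https://api.example.com",
                "allow_methods": "GET,POST",
                "allow_headers": "Content-Type,Authorization,X-Requested-With",
                "expose_headers": "X-Custom-Header", "max_age": 3600, "allow_credential": True}
ROUTE_BROKEN = {"allow_origins": "https://example.com",
                "allow_methods": "GET,POST,PUT,DELETE,PATCH,OPTIONS", "allow_headers": "*",
                "max_age": 3600, "allow_credential": True, "expose_headers": "X-Request-Id"}
ROUTE_REGEX = {"allow_origins": "https://example.com", "allow_methods": "GET",
               "allow_headers": "Content-Type", "expose_headers": "X-Request-Id",
               "allow_credential": True,
               "allow_origins_by_regex": [r".*\.example.com$", r"https://example\.com"]}

if __name__ == "__main__":
    for name, conf in (("open", ROUTE_OPEN), ("strict", ROUTE_STRICT),
                       ("broken", ROUTE_BROKEN), ("regex", ROUTE_REGEX)):
        print(name, lint_cors_conf(conf) or "clean")
```

Run it over the "plugins.cors" object of each route before pushing the route with curl; anything starting with "error:" would be refused by the Admin API anyway, and the "warn:" lines are the ones that silently ship an over-permissive policy.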

Handling Preflight Requests

OPTIONS Request Configuration

A browser sends a preflight OPTIONS request before any cross-origin request that uses a method other than GET, HEAD or POST, or that carries custom headers such as Authorization. The cors plugin answers the preflight itself, so it never reaches the upstream; the allow_methods, allow_headers and max_age values are what it advertises in that answer. Listing OPTIONS in allow_methods is harmless but not what makes preflights work. What does matter is the route's own "methods" field: if you restrict a route to, say, ["GET", "POST"], add "OPTIONS" to that list as well, otherwise the preflight is rejected before the plugin runs. This route reuses the /api/* prefix of the first example, so only one of the two should exist at a time. Because allow_credential is true, allow_headers must list the headers explicitly; the "*" value is rejected by the plugin.

curl http://127.0.0.1:9080/apisix/admin/routes/3 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/api/*",
    "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
    "plugins": {
        "cors": {
            "allow_origins": "https://example.com",
            "allow_methods": "GET,POST,PUT,DELETE,PATCH,OPTIONS",
            "allow_headers": "Content-Type,Authorization,X-Requested-With",
            "max_age": 3600,
            "allow_credential": true,
            "expose_headers": "X-Request-Id"
        }
    }
}'
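To confirm that a route behaves as intended rather than trusting the config, probe it the way a browser would: one preflight from a trusted origin and one from an origin you do not trust, then judge the Access-Control-* headers that come back. The following is an added example, not code from the APISIX project; the function names (audit_cors_headers, preflight, probe), the attacker origin https://attacker.example and the SAMPLE_* header sets are hypothetical, and the samples are constructed rather than captured from a real gateway so the audit can run offline. Only the standard library is used.

```python
import urllib.error
import urllib.request
from typing import Dict, List

ACAO = "access-control-allow-origin"
ACAC = "access-control-allow-credentials"


def audit_cors_headers(headers: Dict[str, str], sent_origin: str, trusted: bool) -> List[str]:
    """Judge one CORS response.

    headers: response headers as returned by the gateway (matched case-insensitively).
    sent_origin: the Origin value the probe sent.
    trusted: whether that origin is one the route is meant to allow.
    Returns findings; an empty list means the response is what a correct policy produces.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get(ACAO)
    creds = h.get(ACAC, "").strip().lower() == "true"
    findings: List[str] = []

    if acao is None:
        if trusted:
            findings.append("trusted origin got no Access-Control-Allow-Origin; browsers will block it")
        return findings  # no ACAO for an untrusted origin is the correct outcome

    if acao == "*" and creds:
        # Browsers refuse this pairing, so it is a broken policy rather than an open one.
        findings.append("Access-Control-Allow-Origin '*' combined with credentials")
    if acao == sent_origin:
        if not trusted:
            findings.append(f"untrusted origin {sent_origin} reflected"
                            + (" with credentials" if creds else ""))
        if "origin" not in h.get("vary", "").lower():
            findings.append("origin echoed without 'Vary: Origin'; "
                            "a shared cache may replay it to other origins")
    return findings


def preflight(url: str, origin: str, method: str = "PUT",
              request_headers: str = "authorization,content-type") -> Dict[str, str]:
    """Send a browser-style preflight and return the response headers, whatever the status."""
    req = urllib.request.Request(url, method="OPTIONS", headers={
        "Origin": origin,
        "Access-Control-Request-Method": method,
        "Access-Control-Request-Headers": request_headers,
    })
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 4xx/5xx answers still carry headers worth reading
        return dict(err.headers.items())


def probe(url: str, trusted_origin: str,
          attacker_origin: str = "https://attacker.example") -> Dict[str, List[str]]:
    """Preflight the route once as a trusted origin and once as an attacker-controlled one."""
    return {
        trusted_origin: audit_cors_headers(preflight(url, trusted_origin), trusted_origin, True),
        attacker_origin: audit_cors_headers(preflight(url, attacker_origin), attacker_origin, False),
    }


# Constructed sample responses (not captured from a gateway) so the audit runs offline.
SAMPLE_OK = {"Access-Control-Allow-Origin": "https://example.com",
             "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
SAMPLE_REFLECTED = {"Access-Control-Allow-Origin": "https://attacker.example",
                    "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
SAMPLE_WILDCARD_CREDS = {"Access-Control-Allow-Origin": "*",
                         "Access-Control-Allow-Credentials": "true"}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # e.g. python cors_probe.py http://127.0.0.1:9080/api/ping https://example.com
        for origin, found in probe(sys.argv[1], sys.argv[2]).items():
            print(origin, found or "ok")
    else:
        print(audit_cors_headers(SAMPLE_OK, "https://example.com", True))
        print(audit_cors_headers(SAMPLE_REFLECTED, "https://attacker.example", False))
        print(audit_cors_headers(SAMPLE_WILDCARD_CREDS, "https://attacker.example", False))
```

Point it at the gateway's data-plane port (9080 in the examples above, not the Admin API) with a path the route matches. A correct policy yields an empty finding list for the trusted origin and an empty list for the attacker origin too, because the right answer to an unknown Origin is no Access-Control-Allow-Origin header at all.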

Best Practices

Security Recommendations

  • Specify exact origins (scheme, host and any non-default port) instead of wildcards; never use "**", which forces wildcard matching even with credentials
  • Limit allow_methods and allow_headers to what the API actually uses; "*" for allow_headers also re-enables any custom request header a browser would otherwise refuse to send cross-origin
  • Set max_age to bound how long browsers cache a preflight result; a long value delays the effect of a tightened policy in clients that already cached the old answer
  • Enable allow_credential only on routes that need cookies or Authorization headers, and remember the plugin then rejects "*" for every list field
  • Audit CORS configurations regularly: check allow_origins_by_regex patterns are anchored with $ and have their dots escaped, and probe each route with an untrusted Origin to confirm it is not reflected
