tencent cloud

Feedback

Last updated: 2023-12-22 10:00:10

    Overview

    Cross-Origin Resource Sharing (CORS) is a W3C standard. It allows web application servers to perform cross-origin access control, so that cross-origin data transfer can be conducted securely. Currently, API Gateway supports configuring CORS rules to allow or deny corresponding cross-origin requests as needed.
    If the default CORS configuration of API Gateway cannot meet your needs, you can configure custom complex CORS rules through the CORS plugin and bind them to APIs for taking effect.

    Directions

    Step 1. Create the plugin

    1. Log in to the API Gateway console.
    2. Click Plugin on the left sidebar to open the plugin list page.
    3. Click Create in the top-left corner of the page and select Cross-Origin Resource Sharing (CORS) as the plugin type to create a CORS plugin.
    Parameter
    Required
    Description
    Origin
    Yes
    Specify the origins of allowed cross-origin requests.
    You can specify multiple origins and separate them by commas.
    You can configure *, which means that all domain names are allowed.
    Be careful not to omit the protocol name http or https. If the port is not the default port 80, you also need to include the port.
    Method
    Yes
    GET, PUT, POST, DELETE, and HEAD methods are supported. You can enumerate one or more allowed CORS request methods.
    Allow-Headers
    No
    Specify the custom HTTP request headers that can be used for subsequent OPTIONS requests.
    You can specify multiple headers and separate them by commas.
    You can configure *, which means that all header are allowed.
    If you leave this parameter empty, all headers will be denied.
    Expose-Headers
    No
    Specify the headers that can be exposed to the XMLHttpRequest object.
    You can specify multiple headers and separate them by commas.
    You can configure *, which means that all header are allowed.
    If you leave this parameter empty, all headers will be denied.
    Allow Cookies
    No
    Specify whether to allow cookies.
    Max-Age
    Yes
    Set the validity period of the result obtained by OPTIONS in seconds. The value must be a positive integer, such as 600.
    
    
    

    Step 2. Bind an API and make the plugin effective

    1. Select the just created plugin in the list and click Bind API in the Operation column.
    2. In the Bind API pop-up window, select the service, environment, and the API to which the plugin needs to be bound.
    
    
    
    3. Click OK to bind the plugin to the API. At this time, the configuration of the plugin has taken effect for the API.

    PluginData

    {
    "allow_origin":[ // Allowed origins. * is supported, indicating that all domain names are allowed
    "*"
    ],
    "allow_methods":[ // Allowed method. Valid values: GET, PUT, POST, DELETE, HEAD
    "PUT",
    "GET",
    "POST",
    "DELETE",
    "HEAD"
    ],
    "allow_headers":[ // Allowed request headers. * is supported, indicating that all headers are allowed
    "X-Api-ID"
    ],
    "expose_headers":[ // Headers that can be exposed to the `XMLHttpRequest` object. * is supported, indicating that all headers are allowed
    "X-Api-ID"
    ],
    "allow_credentials":true, // Whether to allow cookies
    "max_age":600 // Validity period of the result obtained by `OPTIONS` in seconds. The value must be a positive integer, such as 600
    }

    Notes

    Currently, there are two places in API Gateway where you can set CORS rules:
    Create API > frontend configuration > CORS is supported: Enable the CORS is supported configuration item when creating an API, and API Gateway will add Access-Control-Allow-Origin : * in the response header by default.
    For more information on the CORS plugin described in this document, see Directions.
    The CORS plugin has a higher priority than the CORS is supported configuration item. When the former is bound to an API, the latter of the API will not take effect.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support