Made by: Kong Inc.
Supported Gateway Topologies: hybrid, db-less, traditional
Supported Konnect Deployments: hybrid, cloud-gateways, serverless
Compatible Protocols: grpc, grpcs, http, https

The CORS plugin lets you add Cross-Origin Resource Sharing (CORS) to a Service or a Route. This allows you to automate the configuration of CORS rules, ensuring that your upstreams only accept and share resources with approved sources.

Understanding CORS

For security purposes, a browser will stop scripts from accessing responses from URLs on different origins. This is governed by CORS, a set of rules for web applications that make requests across origins. CORS works by looking at the HTTP Origin header of a request and checking it against a list of allowed origins. An Origin header contains the scheme, hostname, and port of the requesting page. Operations that are restricted to same-origin content can be selectively opened up using CORS.

When making a cross-origin request, browsers send an Origin request header, and servers must respond with a matching Access-Control-Allow-Origin (ACAO) header. If the two headers do not match, the browser will discard the response, and any application components that require that response's data will not function properly.

For example, the following request and response pairs have matching CORS headers, and will succeed:

GET / HTTP/1.1
Host: example.com
Origin: http://example.net

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://example.net

GET / HTTP/1.1
Host: example.com
Origin: http://example.net

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *

The following requests do not have matching CORS headers and therefore will fail:

GET / HTTP/1.1
Host: example.com
Origin: http://example.net

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://badbadcors.example

GET / HTTP/1.1
Host: example.com
Origin: http://example.net

HTTP/1.1 200 OK

A response that omits the CORS headers the browser expects also results in failure.
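To make the matching rule behind the four request/response pairs above concrete, here is an added Python example; it is not part of the Kong documentation or the plugin's code. `browser_accepts` emulates the browser-side check, and `cors_response_headers` shows the allowlist behaviour a gateway automates on the server side: echo the request's Origin only when it is approved, never unconditionally. The allowlist values and function names are assumptions for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Canonicalise a serialized origin (scheme://host[:port]) for allowlist
    comparison, so 'http://Example.net:80/' and 'http://example.net' are equal.
    Returns None for anything that is not a web origin (e.g. 'null')."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname.lower()}:{port or DEFAULT_PORTS[parts.scheme]}"


def browser_accepts(origin, acao):
    """Browser-side check from the pairs above: the response is usable only if
    ACAO is '*' or equals the request's Origin. Browsers compare the two values
    byte-for-byte, so no normalisation happens here."""
    if acao is None:          # header missing entirely -> failure
        return False
    acao = acao.strip()
    return acao == "*" or acao == origin


def cors_response_headers(origin, allowed_origins):
    """Server-side counterpart: reflect the Origin only if it is on the allowlist.
    'Vary: Origin' is always set so shared caches keep one copy per origin.
    allowed_origins is a constructed allowlist, not a plugin setting."""
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    headers = {"Vary": "Origin"}
    if origin is not None and normalize_origin(origin) in allowed:
        # Echo the value exactly as received; the browser compares it verbatim.
        headers["Access-Control-Allow-Origin"] = origin
    return headers
```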

CORS limitations

If the client is a browser, there is a known issue with this plugin caused by a limitation of the CORS specification that prevents specifying a custom Host header in a preflight OPTIONS request.

Because of this limitation, this plugin only works for Routes that have been configured with a paths setting. The CORS plugin does not work for Routes that are being resolved using a custom DNS (the hosts property).
