CORS

The cors plugin enables Cross-Origin Resource Sharing (CORS) configuration for your GraphQL API.

By using this plugin, you can define rules for allowing cross-origin requests to your GraphQL server. This is essential for web applications that need to interact with your API from different domains.

Configuration

Examples

This example demonstrates how to configure the CORS plugin with a strict list of methods, headers and origins.

YAML

config:
  allow_credentials: true
  allow_private_network: false
  allowed_headers: "Content-Type, Authorization"
  allowed_methods: "GET, POST"
  allowed_origin: "https://example.com"
  max_age: 3600
enabled: true
type: "cors"

JSON

{
  "config": {
    "allow_credentials": true,
    "allow_private_network": false,
    "allowed_headers": "Content-Type, Authorization",
    "allowed_methods": "GET, POST",
    "allowed_origin": "https://example.com",
    "max_age": 3600
  },
  "enabled": true,
  "type": "cors"
}

Reference

allow_credentials
boolean
optional
default: false

Access-Control-Allow-Credentials: Specifies whether the response to a request can be exposed when the request's credentials flag is true. Credentials can include cookies, authorization headers, or TLS client certificates.

allowed_methods
string
optional
default: "*"

Access-Control-Allow-Methods: Specifies the HTTP method or methods allowed when accessing the resource. It is sent in response to a CORS preflight request. The special value "*" allows any HTTP method to access the resource.

allowed_origin
string
optional
default: "*"

Access-Control-Allow-Origin: Determines which origins are allowed to access the resource. The value can be a specific origin, the special value "*" to allow any origin, or the special value "reflect" to allow the origin of the incoming request.

allowed_headers
string
optional
default: "*"

Access-Control-Allow-Headers: Lists the HTTP headers that can be used when making the actual request. It is sent in response to a preflight request. The special value "*" allows any headers to be used when making the actual request; in that case the Access-Control-Request-Headers value from the incoming request is used.

exposed_headers
string
optional
default: "*"

Access-Control-Expose-Headers: Indicates which response headers should be made available to scripts running in the browser in response to a cross-origin request. The special value "*" allows any headers to be exposed to scripts running in the browser.

allow_private_network
boolean
optional
default: false

Access-Control-Allow-Private-Network: Indicates whether requests that originate from a public network are allowed to reach this resource on a private network.

max_age
integer
optional

Access-Control-Max-Age: Indicates how long the results of a preflight request can be cached. This field represents the duration in seconds.
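
Because allowed_origin, allowed_methods, allowed_headers and exposed_headers all default to "*", a field left out of the config is a wildcard. The following is an added example (not part of the plugin or its documentation) that audits a parsed cors plugin entry against the defaults and special values listed above. The function name, severity labels and finding codes are hypothetical, and it assumes an entry is active unless enabled is explicitly false.

```python
import json

# Defaults as listed in this page's Reference section.
DEFAULTS = {"allow_credentials": False, "allow_private_network": False,
            "allowed_origin": "*", "allowed_methods": "*",
            "allowed_headers": "*", "exposed_headers": "*"}
OPEN_ORIGINS = ("*", "reflect")  # both special values admit every origin

def audit_cors(plugin):
    """Return (severity, code) findings for one parsed cors plugin entry."""
    # Assumption: an entry is audited unless it is explicitly disabled.
    if plugin.get("type") != "cors" or plugin.get("enabled") is False:
        return []
    cfg = {**DEFAULTS, **plugin.get("config", {})}
    origin = str(cfg["allowed_origin"]).strip()
    creds = bool(cfg["allow_credentials"])
    findings = []
    if creds and origin == "reflect":
        # Echoed origin + credentials: any site can read authenticated responses.
        findings.append(("high", "reflect-with-credentials"))
    elif creds and origin == "*":
        # Browsers refuse a literal "*" origin on credentialed requests.
        findings.append(("medium", "wildcard-with-credentials"))
    elif origin in OPEN_ORIGINS:
        findings.append(("low", "any-origin"))
    if cfg["allow_private_network"] and origin in OPEN_ORIGINS:
        findings.append(("high", "private-network-any-origin"))
    # Report list-valued fields left at (or set to) the wildcard.
    for key in ("allowed_methods", "allowed_headers", "exposed_headers"):
        if str(cfg[key]).strip() == "*":
            findings.append(("info", f"{key}-wildcard"))
    return findings

# Constructed sample entries; the first mirrors the strict example on this page.
STRICT = json.loads('''{"type": "cors", "enabled": true, "config": {
  "allow_credentials": true, "allow_private_network": false,
  "allowed_headers": "Content-Type, Authorization",
  "allowed_methods": "GET, POST",
  "allowed_origin": "https://example.com", "max_age": 3600}}''')
DEFAULT_ORIGIN = {"type": "cors", "enabled": True,
                  "config": {"allow_credentials": True}}
REFLECT = {"type": "cors", "enabled": True,
           "config": {"allow_credentials": True, "allowed_origin": "reflect"}}

if __name__ == "__main__":
    for name, entry in (("strict", STRICT), ("default-origin", DEFAULT_ORIGIN),
                        ("reflect", REFLECT)):
        print(name, audit_cors(entry))
```

Run against the strict example, the audit still reports exposed_headers at its "*" default, since that example does not set the field.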