Sail

CORS

Configure Cross-Origin Resource Sharing (CORS) policies for your API.

CORS Policy Configuration

{
  "id": "default-cors",
  "allowedOrigins": [
    "https://app.example.com",
    "https://admin.example.com"
  ],
  "allowedMethods": ["GET", "POST", "PUT", "DELETE"],
  "allowedHeaders": ["Content-Type", "Authorization"],
  "allowCredentials": true,
  "maxAge": 3600
}

Apply to a route:

{
  "routeId": "api-route",
  "clusterId": "backend-api",
  "corsPolicyId": "default-cors",
  "match": {
    "path": "/api/{**catch-all}"
  }
}

Configuration Options

allowedOrigins

List of allowed origins. Use "*" to allow all origins (not recommended for production).

["https://example.com"]

allowedMethods

HTTP methods allowed for CORS requests.

["GET", "POST", "PUT", "DELETE"]

allowedHeaders

Headers that can be used in the actual request.

["Content-Type", "Authorization"]

allowCredentials

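Whether to allow credentials (cookies, authorization headers) on cross-origin requests. Browsers reject a credentialed response whose Access-Control-Allow-Origin is "*", so pair this setting with explicit origins.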

maxAge

How long (in seconds) the preflight response can be cached.

Wildcard Origins

Security Warning: Using "*" for allowedOrigins in production is not recommended, because it lets scripts on any website read the API's cross-origin responses. Always specify exact origins.
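The warning above can be enforced before a policy is deployed. The following is an added example, not part of Sail: a small audit function over the policy JSON shown on this page. The function name, the finding codes, and the sample policies are constructed for illustration, and the checks assume origins are matched as exact strings.

```python
import json
from urllib.parse import urlsplit

# Constructed sample policies using the field names shown on this page.
GOOD_POLICY = json.loads("""{
  "id": "default-cors",
  "allowedOrigins": ["https://app.example.com", "https://admin.example.com"],
  "allowedMethods": ["GET", "POST", "PUT", "DELETE"],
  "allowedHeaders": ["Content-Type", "Authorization"],
  "allowCredentials": true,
  "maxAge": 3600
}""")

RISKY_POLICY = {
    "id": "risky-cors",
    "allowedOrigins": ["*", "http://app.example.com", "https://app.example.com/"],
    "allowedMethods": ["GET"],
    "allowedHeaders": ["Content-Type"],
    "allowCredentials": True,
    "maxAge": 3600,
}


def audit_cors_policy(policy):
    """Return a list of (code, detail) findings for one CORS policy object."""
    findings = []
    credentials = policy.get("allowCredentials", False)
    for origin in policy.get("allowedOrigins", []):
        if origin == "*":
            findings.append(("WILDCARD_ORIGIN", "any website may read responses"))
            if credentials:
                # Browsers refuse credentialed responses with a "*" origin.
                findings.append(("WILDCARD_WITH_CREDENTIALS", policy.get("id", "")))
            continue
        parts = urlsplit(origin)
        # A browser's Origin header is scheme://host[:port] with no path, so an
        # entry carrying a path, query or fragment cannot match it exactly.
        if not parts.scheme or not parts.netloc or parts.path or parts.query or parts.fragment:
            findings.append(("NOT_AN_ORIGIN", origin))
        elif parts.scheme != "https":
            # A plain-http origin can be tampered with in transit.
            findings.append(("INSECURE_SCHEME", origin))
    return findings


if __name__ == "__main__":
    for policy in (GOOD_POLICY, RISKY_POLICY):
        print(policy["id"], audit_cors_policy(policy))
```

Running this in CI against every policy file turns the "not recommended for production" guidance into a failing check rather than a convention.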