Red Hat SummitChapter 1. Cross-Origin Resource Sharing (CORS)
Enable and configure CORS in Quarkus to specify allowed origins, methods, and headers, guiding browsers in handling cross-origin requests safely.
Cross-Origin Resource Sharing (CORS) uses HTTP headers to manage browser requests for resources from external origins securely. By specifying permitted origins, methods, and headers, Quarkus servers can use the CORS filter to enable browsers to request resources across domains while maintaining controlled access. This mechanism enhances security and supports legitimate cross-origin requests. For more on origin definitions, see the Web Origin Concept.
1.1. Enabling the CORS filter
To enforce CORS policies in your application, enable the Quarkus CORS filter by adding the following line to the src/main/resources/application.properties file:
quarkus.http.cors.enabled=true
quarkus.http.cors.enabled=trueThe filter intercepts all incoming HTTP requests to identify cross-origin requests and applies the configured policy. The filter then adds CORS headers to the HTTP response, informing browsers about allowed origins and access parameters. For preflight requests, the filter returns an HTTP response immediately. For regular CORS requests, the filter denies access with an HTTP 403 status if the request violates the configured policy; otherwise, the filter forwards the request to the destination if the policy allows it.
For detailed configuration options, see the following Configuration Properties section.
🔒 Fixed at build time - Configuration property fixed at build time - All other configuration properties are overridable at runtime
| Configuration property | Type | Default |
|
The origins allowed for CORS.
A comma-separated list of valid URLs, such as
Environment variable: | list of string | |
|
The HTTP methods allowed for CORS requests.
A comma-separated list of valid HTTP methods, such as Default: Any HTTP request method is allowed.
Environment variable: | list of string | |
|
The HTTP headers allowed for CORS requests.
A comma-separated list of valid headers, such as Default: Any HTTP request header is allowed.
Environment variable: | list of string | |
|
The HTTP headers exposed in CORS responses.
A comma-separated list of headers to expose, such as Default: No headers are exposed.
Environment variable: | list of string | |
|
The Informs the browser how long it can cache the results of a preflight request.
Environment variable: | ||
|
The
Tells browsers if front-end JavaScript can be allowed to access credentials when the request’s credentials mode,
Default:
Environment variable: | boolean |
To write duration values, use the standard java.time.Duration format. See the Duration#parse() Java API documentation for more information.
You can also use a simplified format, starting with a number:
- If the value is only a number, it represents time in seconds.
-
If the value is a number followed by
ms, it represents time in milliseconds.
In other cases, the simplified format is translated to the java.time.Duration format for parsing:
-
If the value is a number followed by
h,m, ors, it is prefixed withPT. -
If the value is a number followed by
d, it is prefixed withP.
1.2. Example CORS configuration
The following example shows a complete CORS filter configuration, including a regular expression to define one of the origins.
- 1
- Enables the CORS filter.
- 2
- Specifies allowed origins, including a regular expression.
- 3
- Lists allowed HTTP methods for cross-origin requests.
- 4
- Declares custom headers that clients can include in requests.
- 5
- Identifies response headers that clients can access.
- 6
- Sets how long preflight request results are cached.
- 7
- Allows cookies or credentials in cross-origin requests.
When using regular expressions in an application.properties file, escape special characters with four backward slashes (\\\\) to ensure proper behavior. For example:
-
\\\\.matches a literal.character. -
\\.matches any single character as a regular expression metadata character.
Incorrectly escaped patterns can lead to unintended behavior or security vulnerabilities. Always verify regular expression syntax before deployment.
1.3. Allowing all origins in dev mode
Configuring origins during development can be challenging. To simplify development, consider allowing all origins in development mode only:
quarkus.http.cors.enabled=true %dev.quarkus.http.cors.origins=/.*/
quarkus.http.cors.enabled=true
%dev.quarkus.http.cors.origins=/.*/
Only allow all origins in the development profile (%dev). Allowing unrestricted origins in production environments poses severe security risks, such as unauthorized data access or resource abuse. For production, define explicit origins in the quarkus.http.cors.origins property.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}