Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Cross-Origin Resource Sharing (CORS) configuration
Abstract
Providing feedback on Red Hat build of Quarkus documentation
To report an error or to improve our documentation, log in to your Red Hat Jira account and submit an issue. If you do not have a Red Hat Jira account, then you will be prompted to create an account.
Procedure
- Click the following link to create a ticket.
- Enter a brief description of the issue in the Summary.
- Provide a detailed description of the issue or enhancement in the Description. Include a URL to where the issue occurs in the documentation.
- Clicking Submit creates and routes the issue to the appropriate documentation team.
Chapter 1. Cross-Origin Resource Sharing (CORS)
Enable and configure CORS in Quarkus to specify allowed origins, methods, and headers, guiding browsers in handling cross-origin requests safely.
Cross-Origin Resource Sharing (CORS) uses HTTP headers to manage browser requests for resources from external origins securely. By specifying permitted origins, methods, and headers, Quarkus servers can use the CORS filter to enable browsers to request resources across domains while maintaining controlled access. This mechanism enhances security and supports legitimate cross-origin requests. For more on origin definitions, see the Web Origin Concept.
1.1. Enabling the CORS filter
To enforce CORS policies in your application, enable the Quarkus CORS filter by adding the following line to the src/main/resources/application.properties file:
quarkus.http.cors.enabled=true
The filter intercepts all incoming HTTP requests to identify cross-origin requests and applies the configured policy. The filter then adds CORS headers to the HTTP response, informing browsers about allowed origins and access parameters. For preflight requests, the filter returns an HTTP response immediately. For regular CORS requests, the filter denies access with an HTTP 403 status if the request violates the configured policy; otherwise, the filter forwards the request to the destination if the policy allows it.
For detailed configuration options, see the following Configuration Properties section.
Configuration property fixed at build time - All other configuration properties are overridable at runtime
| Configuration property | Type | Default |
|
The origins allowed for CORS.
A comma-separated list of valid URLs, such as
Environment variable: | list of string | |
|
The HTTP methods allowed for CORS requests.
A comma-separated list of valid HTTP methods, such as Default: Any HTTP request method is allowed.
Environment variable: | list of string | |
|
The HTTP headers allowed for CORS requests.
A comma-separated list of valid headers, such as Default: Any HTTP request header is allowed.
Environment variable: | list of string | |
|
The HTTP headers exposed in CORS responses.
A comma-separated list of headers to expose, such as Default: No headers are exposed.
Environment variable: | list of string | |
|
The Informs the browser how long it can cache the results of a preflight request.
Environment variable: | ||
|
The
Tells browsers if front-end JavaScript can be allowed to access credentials when the request’s credentials mode,
Default:
Environment variable: | boolean |
To write duration values, use the standard java.time.Duration format. See the Duration#parse() Java API documentation for more information.
You can also use a simplified format, starting with a number:
- If the value is only a number, it represents time in seconds.
-
If the value is a number followed by
ms, it represents time in milliseconds.
In other cases, the simplified format is translated to the java.time.Duration format for parsing:
-
If the value is a number followed by
h,m, ors, it is prefixed withPT. -
If the value is a number followed by
d, it is prefixed withP.
1.2. Example CORS configuration
The following example shows a complete CORS filter configuration, including a regular expression to define one of the origins.
quarkus.http.cors.enabled=true 1 quarkus.http.cors.origins=http://example.com,http://www.example.io,/https://([a-z0-9\\-_]+)\\\\.app\\\\.mydomain\\\\.com/ 2 quarkus.http.cors.methods=GET,PUT,POST 3 quarkus.http.cors.headers=X-Custom 4 quarkus.http.cors.exposed-headers=Content-Disposition 5 quarkus.http.cors.access-control-max-age=24H 6 quarkus.http.cors.access-control-allow-credentials=true 7
- 1
- Enables the CORS filter.
- 2
- Specifies allowed origins, including a regular expression.
- 3
- Lists allowed HTTP methods for cross-origin requests.
- 4
- Declares custom headers that clients can include in requests.
- 5
- Identifies response headers that clients can access.
- 6
- Sets how long preflight request results are cached.
- 7
- Allows cookies or credentials in cross-origin requests.
When using regular expressions in an application.properties file, escape special characters with four backward slashes (\\\\) to ensure proper behavior. For example:
-
\\\\.matches a literal.character. -
\\.matches any single character as a regular expression metadata character.
Incorrectly escaped patterns can lead to unintended behavior or security vulnerabilities. Always verify regular expression syntax before deployment.
1.3. Allowing all origins in dev mode
Configuring origins during development can be challenging. To simplify development, consider allowing all origins in development mode only:
quarkus.http.cors.enabled=true %dev.quarkus.http.cors.origins=/.*/
Only allow all origins in the development profile (%dev). Allowing unrestricted origins in production environments poses severe security risks, such as unauthorized data access or resource abuse. For production, define explicit origins in the quarkus.http.cors.origins property.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}