
Enable CORS for APIs via CRs

To enable CORS for an API, attach an APIPolicy that carries a cORSPolicy configuration. Make sure the targetRef property points to the API for which you want to enable CORS. Refer to the following example APIPolicy, which enables CORS for sample-api.

APIPolicy Resource with CORS Configuration

apiVersion: dp.wso2.com/v1alpha1
kind: APIPolicy
metadata:
  name: sample-api-policy
spec:
  override:
    cORSPolicy:
      enabled: true
      accessControlAllowCredentials: true
      accessControlAllowOrigins:
        - "*"
      accessControlAllowHeaders:
        - authorization
      accessControlAllowMethods:
        - GET
        - POST
      accessControlExposeHeaders:
        - "*"
  targetRef:
    group: dp.wso2.com
    kind: API
    name: sample-api

Configuration Definition

| Configuration | Description | Sample Values |
|---|---|---|
| enabled | Determines whether the API Gateway enables CORS for the API. When set to true, the API Gateway sets the CORS headers in the response. | true, false |
| accessControlAllowCredentials | Determines whether the response to the request can be exposed to the page. It can be exposed when the header value is true. The header value is set to true/false by enabling/disabling the Access Control Allow Credentials configuration. | true, false |
| accessControlAllowOrigins | Determines whether a resource can be shared with a resource of a given origin. The API Gateway validates the Origin request header value against the list of origins defined under the Access Control Allow Origins configuration (this can be all origins or a specific value such as localhost). If the host is in the allowed origin list, it is set as the Access-Control-Allow-Origin response header. | * (allow all origins), localhost, *.wso2.com |
| accessControlAllowHeaders | Determines, as part of the response to a preflight request (a request that checks whether the CORS protocol is understood), which header field names can be used during the actual request. The Gateway sets the header values defined under the Access Control Allow Headers configuration. | authorization, Access-Control-Allow-Origin, Content-type, SOAPAction, apikey, Internal-Key |
| accessControlAllowMethods | Determines the method(s) allowed when accessing the resource, in response to a preflight request. The required methods are defined under the Access Control Allow Methods configuration. | GET, PUT, POST, DELETE, PATCH, OPTIONS |
| accessControlExposeHeaders | Determines the headers that are safe to expose to the API. The Gateway sets the header values defined under the Access Control Expose Headers configuration. | *, Cache-Control, Content-Language, Content-Length, Content-Type |
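To make the table concrete, the following Python model walks through the decisions it describes: validating the Origin header against accessControlAllowOrigins, answering a preflight with the allowed methods and headers, and adding the expose list to the actual response. It is an added example written for this page, not APK's gateway code. The CorsPolicy fields mirror the cORSPolicy keys, SAMPLE_POLICY is constructed from the sample-api-policy CR above, and the rule that origins are matched on hostname with "*.wso2.com"-style globs is an assumption drawn from the sample values, not a statement about the gateway's implementation. The policy_findings function is a small pre-apply review check that flags a wildcard origin combined with accessControlAllowCredentials, which is exactly the combination the sample policy uses.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class CorsPolicy:
    """Mirror of the spec.override.cORSPolicy fields of the APIPolicy CR."""
    enabled: bool = True
    allow_credentials: bool = False
    allow_origins: list = field(default_factory=list)
    allow_headers: list = field(default_factory=list)
    allow_methods: list = field(default_factory=list)
    expose_headers: list = field(default_factory=list)


# Constructed from the sample-api-policy CR shown above (not read from a cluster).
SAMPLE_POLICY = CorsPolicy(
    enabled=True,
    allow_credentials=True,
    allow_origins=["*"],
    allow_headers=["authorization"],
    allow_methods=["GET", "POST"],
    expose_headers=["*"],
)


def origin_allowed(policy, origin):
    """Validate the Origin request header against accessControlAllowOrigins.

    The table describes the match as being on the host, with samples such as
    "localhost" and "*.wso2.com"; this model therefore compares the origin's
    hostname and treats entries containing "*" as glob patterns. That matching
    rule is an assumption of this example, not taken from the page.
    """
    if not origin:
        return False
    if "*" in policy.allow_origins:
        return True
    host = urlsplit(origin).hostname
    if host is None:  # e.g. "Origin: null", which carries no host
        return False
    return any(fnmatchcase(host, allowed) for allowed in policy.allow_origins)


def cors_headers(policy, method, request_headers):
    """Compute the CORS headers the gateway adds for one request.

    Returns {} when CORS is disabled or the origin is not allowed. A preflight
    is an OPTIONS request carrying Access-Control-Request-Method; it receives
    the Allow-Methods / Allow-Headers lists, while the actual request receives
    Expose-Headers. Enforcing those lists is the browser's job, not the gateway's.
    """
    if not policy.enabled:
        return {}
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    if not origin_allowed(policy, origin):
        return {}
    out = {"Access-Control-Allow-Origin": origin}  # the validated origin is echoed back
    if policy.allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    is_preflight = method.upper() == "OPTIONS" and "access-control-request-method" in hdrs
    if is_preflight:
        out["Access-Control-Allow-Methods"] = ", ".join(policy.allow_methods)
        out["Access-Control-Allow-Headers"] = ", ".join(policy.allow_headers)
    elif policy.expose_headers:
        out["Access-Control-Expose-Headers"] = ", ".join(policy.expose_headers)
    return out


def policy_findings(policy):
    """Review findings worth resolving before the APIPolicy is applied."""
    findings = []
    if not policy.enabled:
        return findings
    if policy.allow_credentials and "*" in policy.allow_origins:
        findings.append(
            "accessControlAllowOrigins '*' with accessControlAllowCredentials true: "
            "every origin may make credentialed requests; list the origins explicitly"
        )
    if policy.allow_credentials and "*" in policy.expose_headers:
        findings.append(
            "accessControlExposeHeaders '*' is read by browsers as a literal header "
            "name on credentialed responses; list the headers explicitly"
        )
    return findings


if __name__ == "__main__":
    preflight = {"Origin": "https://app.example", "Access-Control-Request-Method": "POST"}
    for name, value in cors_headers(SAMPLE_POLICY, "OPTIONS", preflight).items():
        print(f"{name}: {value}")
    for finding in policy_findings(SAMPLE_POLICY):
        print("finding:", finding)
```

Running the module against SAMPLE_POLICY prints the preflight headers and two findings: the sample's wildcard origin together with accessControlAllowCredentials: true lets any page make credentialed calls to the API, so a production policy should list its origins explicitly and use the expose list rather than "*".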

Create an API using CRs with CORS configurations

Follow the instructions below to add CORS configurations to an API via CRs:

Before you begin

Step 1 - Define the CRs

  1. Create the following Custom Resources (CRs).

    • Resource API CR.
    • Production and/or Sandbox HTTPRoute CR.
    • CR that defines the service for the API backend.

      Note

      • You can find a sample set of CRs in the <APK-HOME>/samples/ directory.
      • The backend of the sample REST API is https://httpbin.org/
  2. Define the required CORS configurations in an APIPolicy CR. The following is an example CR.

apiVersion: dp.wso2.com/v1alpha1
kind: APIPolicy
metadata:
  name: sample-api-policy
spec:
  override:
    cORSPolicy:
      enabled: true
      accessControlAllowCredentials: true
      accessControlAllowOrigins:
        - "*"
      accessControlAllowHeaders:
        - authorization
      accessControlAllowMethods:
        - GET
        - POST
      accessControlExposeHeaders:
        - "*"
  targetRef:
    group: dp.wso2.com
    kind: API
    name: sample-api

Step 2 - Apply the CRs

Apply the CRs to the Kubernetes API server using kubectl.

kubectl apply -f <path-to-crs>
kubectl apply -f samples/

Note

  • The APIs should be created in the APK deployment namespace.