1{
2 "$id": "https://raw.githubusercontent.com/ory/x/master/.schemas/corsx/viper.schema.json",
3 "$schema": "http://json-schema.org/draft-07/schema#",
4 "title": "Cross Origin Resource Sharing (CORS)",
5 "description": "Configure [Cross Origin Resource Sharing (CORS)](http://www.w3.org/TR/cors/) using the following options.",
6 "type": "object",
7 "properties": {
8 "enabled": {
9 "type": "boolean",
10 "default": false,
11 "title": "Enable CORS",
12 "description": "If set to true, CORS will be enabled and preflight requests (OPTIONS) will be answered."
13 },
14 "allowed_origins": {
15 "title": "Allowed Origins",
16 "description": "A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Usage of wildcards implies a small performance penalty. Only one wildcard can be used per origin.",
17 "type": "array",
18 "items": {
19 "type": "string",
20 "minLength": 1
21 },
22 "default": [
23 "*"
24 ],
25 "uniqueItems": true,
26 "examples": [
27 "https://example.com",
28 "https://*.example.com",
29 "https://*.foo.example.com"
30 ]
31 },
32 "allowed_methods": {
33 "type": "array",
34 "title": "Allowed HTTP Methods",
35 "description": "A list of methods the client is allowed to use with cross-domain requests.",
36 "items": {
37 "type": "string",
38 "enum": [
39 "GET",
40 "HEAD",
41 "POST",
42 "PUT",
43 "DELETE",
44 "CONNECT",
45 "TRACE",
46 "PATCH"
47 ]
48 },
49 "uniqueItems": true,
50 "default": [
51 "GET",
52 "POST",
53 "PUT",
54 "PATCH",
55 "DELETE"
56 ]
57 },
58 "allowed_headers": {
59 "description": "A list of non-simple headers the client is allowed to use with cross-domain requests.",
60 "title": "Allowed Request HTTP Headers",
61 "type": "array",
62 "items": {
63 "type": "string"
64 },
65 "minLength": 1,
66 "uniqueItems": true,
67 "default": [
68 "Authorization",
69 "Content-Type"
70 ]
71 },
72 "exposed_headers": {
73 "description": "Indicates which response headers are safe to expose to client-side code that makes cross-origin requests.",
74 "title": "Allowed Response HTTP Headers",
75 "type": "array",
76 "items": {
77 "type": "string"
78 },
79 "minLength": 1,
80 "uniqueItems": true,
81 "default": [
82 "Content-Type"
83 ]
84 },
85 "allow_credentials": {
86 "type": "boolean",
87 "title": "Allow HTTP Credentials",
88 "default": false,
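89 "description": "Indicates whether the request can include user credentials like cookies, HTTP authentication or client-side SSL certificates. When enabling this, list only explicitly trusted origins in allowed_origins rather than wildcards, since each allowed origin can then read responses to requests made with the user's credentials."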
90 },
91 "max_age": {
92 "type": "number",
93 "default": 0,
94 "title": "Maximum Age",
95 "description": "Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age."},
96 "debug": {
97 "type": "boolean",
98 "default": false,
99 "title": "Enable Debugging",
100 "description": "Set to true to debug server side CORS issues."
101 }
102 },
103 "additionalProperties": false
104}