{
  "$id": "https://raw.githubusercontent.com/ory/x/master/.schemas/corsx/viper.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Cross Origin Resource Sharing (CORS)",
  "description": "Configure [Cross Origin Resource Sharing (CORS)](http://www.w3.org/TR/cors/) using the following options.",
  "type": "object",
  "properties": {
    "enabled": {
      "type": "boolean",
      "default": false,
      "title": "Enable CORS",
      "description": "If set to true, CORS will be enabled and preflight-requests (OPTION) will be answered."
    },
    "allowed_origins": {
      "title": "Allowed Origins",
      "description": "A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality. Only one wildcard can be used per origin.",
      "type": "array",
      "items": {
        "type": "string",
        "minLength": 1
      },
      "default": [
        "*"
      ],
      "uniqueItems": true,
      "examples": [
        "https://example.com",
        "https://*.example.com",
        "https://*.foo.example.com"
      ]
    },
    "allowed_methods": {
      "type": "array",
      "title": "Allowed HTTP Methods",
      "description": "A list of methods the client is allowed to use with cross-domain requests.",
      "items": {
        "type": "string",
        "enum": [
          "GET",
          "HEAD",
          "POST",
          "PUT",
          "DELETE",
          "CONNECT",
          "TRACE",
          "PATCH"
        ]
      },
      "uniqueItems": true,
      "default": [
        "GET",
        "POST",
        "PUT",
        "PATCH",
        "DELETE"
      ]
    },
    "allowed_headers": {
      "description": "A list of non simple headers the client is allowed to use with cross-domain requests.",
      "title": "Allowed Request HTTP Headers",
      "type": "array",
      "items": {
        "type": "string"
      },
      "minLength": 1,
      "uniqueItems": true,
      "default": [
        "Authorization",
        "Content-Type"
      ]
    },
    "exposed_headers": {
      "description": "Indicates which headers are safe to expose to the API of a CORS API specification",
      "title": "Allowed Response HTTP Headers",
      "type": "array",
      "items": {
        "type": "string"
      },
      "minLength": 1,
      "uniqueItems": true,
      "default": [
        "Content-Type"
      ]
    },
    "allow_credentials": {
      "type": "boolean",
      "title": "Allow HTTP Credentials",
      "default": false,
      "description": "Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates."
    },
    "max_age": {
      "type": "number",
      "default": 0,
      "title": "Maximum Age",
      "description": "Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age."},
    "debug": {
      "type": "boolean",
      "default": false,
      "title": "Enable Debugging",
      "description": "Set to true to debug server side CORS issues."
    }
  },
  "additionalProperties": false
}