CORS Header Configuration

Static Content


Set CORS headers on static content, such as JavaScript files, using dotCMS Rules.

Setting CORS headers on static content; evaluate on every request.

REST APIs


You can specify CORS headers to include in REST responses. These headers can be set as global defaults and overridden on an endpoint-by-endpoint basis. Endpoint-specific headers completely replace the defaults: a REST resource that has resource-specific headers configured sends only those headers and ignores the defaults, while a resource with no resource-specific headers falls back to the default CORS headers.

Setting Global CORS Headers

To set a global default CORS header, you must define a configuration property in the following form:

DOT_API_CORS_DEFAULT_${header-name}: '${headerValue}'

For example, if you want to set the default header Access-Control-Allow-Origin: *, add the following property to the:

DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN: '*'

Default CORS Headers

The following CORS headers are set by default in the dotCMS properties:

DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN: '*'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_HEADERS: '*'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_METHODS: 'GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'true'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_EXPOSE_HEADERS: '*'

Setting any of these keys as an environment variable overrides the corresponding global default.

Overriding Headers for Specific Resources

To override CORS headers for a specific REST resource, you must replace DEFAULT in the appropriate key with the name of the specified resource, as follows:

DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'false'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_METHODS: 'PUT'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_ORIGIN: 'http://example.com'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_HEADERS: 'Authorization,Accept,Cookies,Content-Type,Content-Length'
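
The following is an added example, not dotCMS code: it resolves the headers a resource would send under the whole-set override rule described above and flags values that browsers will not honour, such as Access-Control-Allow-Credentials: true alongside a wildcard origin. The helper names, the underscore-to-hyphen header mapping, the upper-cased resource name and the sample override are assumptions made for illustration.

```python
# Added example (not dotCMS code): resolve and audit DOT_API_CORS_* settings.
from urllib.parse import urlsplit

PREFIX, MARK = "DOT_API_CORS_", "_ACCESS_CONTROL_"
WILDCARD_HEADERS = ("Access-Control-Allow-Headers",
                    "Access-Control-Allow-Methods",
                    "Access-Control-Expose-Headers")

def effective_headers(env, resource):
    """Headers a resource sends: its own set if any exist, else the DEFAULT set
    (whole-set replacement, as the page describes)."""
    groups = {}
    for key, value in env.items():
        if key.startswith(PREFIX) and MARK in key:
            name, _, rest = key[len(PREFIX):].partition(MARK)
            # Assumed mapping: ALLOW_ORIGIN -> Access-Control-Allow-Origin
            header = "Access-Control-" + "-".join(p.capitalize() for p in rest.split("_"))
            groups.setdefault(name, {})[header] = value
    return groups.get(resource.upper()) or groups.get("DEFAULT", {})

def audit(headers):
    """Return findings for header values that browsers will not honour."""
    findings = []
    origin = headers.get("Access-Control-Allow-Origin", "")
    creds = headers.get("Access-Control-Allow-Credentials") == "true"
    if creds and origin == "*":
        findings.append("credentials with wildcard origin: browsers fail the CORS check")
    if creds:
        findings += [f"{h}: '*' is treated literally on credentialed requests"
                     for h in WILDCARD_HEADERS if headers.get(h) == "*"]
    if origin not in ("", "*", "null"):
        u = urlsplit(origin)
        if not (u.scheme and u.netloc) or u.path or u.query or u.fragment:
            findings.append(f"origin {origin!r} is not a bare scheme://host[:port]")
    return findings

# Constructed sample: the page's defaults plus a hypothetical resource override.
SAMPLE_ENV = {
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN": "*",
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_HEADERS": "*",
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_METHODS": "GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH",
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_CREDENTIALS": "true",
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_EXPOSE_HEADERS": "*",
    "DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_ORIGIN": "https://app.example.com/",
    "DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_CREDENTIALS": "true",
}

if __name__ == "__main__":
    for res in ("ContentResource", "UserResource"):
        print(res, audit(effective_headers(SAMPLE_ENV, res)))
```

Passing dict(os.environ) instead of SAMPLE_ENV audits the settings of the current process environment.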

Further Reading


https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS