CORS Header Configuration
You can specify CORS headers to include in REST responses. These headers can be set as global defaults and overridden on an endpoint-by-endpoint basis. Endpoint-specific headers completely override the default headers: each REST resource sends its resource-specific headers (and ignores the default headers) if any have been specified, and falls back to the default CORS headers only if no resource-specific headers are configured.
Setting Global CORS Headers
To set a global default CORS header, you must define a configuration property in the following form:
DOT_API_CORS_DEFAULT_${header-name}: '${headerValue}'
For example, if you want to set the default header Access-Control-Allow-Origin: *, add the following property to the:
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN: '*'
Default CORS Headers
The following CORS headers are set by default in the dotCMS properties:
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN: '*'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_HEADERS: '*'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_METHODS: 'GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'true'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_EXPOSE_HEADERS: '*'
Setting any of these keys as an environment variable overrides its global default value.
Overriding Headers for Specific Resources
To override CORS headers for a specific REST resource, you must replace DEFAULT in the appropriate key with the name of the specified resource, as follows:
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'false'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_METHODS: 'PUT'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_ORIGIN: 'http://example.com/'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_HEADERS: 'Authorization,Accept,Cookies,Content-Type,Content-Length'
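The following is an added example, not dotCMS code: a small Python audit that resolves which CORS headers each resource would send under the override rule described above (a resource-specific set replaces the defaults with no merging) and flags combinations worth reviewing. The function names, the key regex, and the UserResource name are assumptions made for illustration; the sample values are the ones shown on this page.

```python
import re

# Assumption: resource names contain no underscore and every header name
# starts with ACCESS_CONTROL_, as in all keys shown on this page.
KEY_RE = re.compile(r"^DOT_API_CORS_([A-Z0-9]+)_(ACCESS_CONTROL_[A-Z_]+)$")

# Constructed sample: the page's defaults plus its ContentResource override.
SAMPLE = {
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN": "*",
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_HEADERS": "*",
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_METHODS": "GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH",
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_CREDENTIALS": "true",
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_EXPOSE_HEADERS": "*",
    "DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_CREDENTIALS": "false",
    "DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_METHODS": "PUT",
    "DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_ORIGIN": "http://example.com/",
    "DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_HEADERS":
        "Authorization,Accept,Cookies,Content-Type,Content-Length",
}

def effective_headers(props, resource):
    """Headers a resource sends: its own set if any exist, else the defaults."""
    groups = {}
    for key, value in props.items():
        m = KEY_RE.match(key)
        if m:  # ACCESS_CONTROL_ALLOW_ORIGIN -> Access-Control-Allow-Origin
            name = "-".join(p.capitalize() for p in m.group(2).split("_"))
            groups.setdefault(m.group(1), {})[name] = value
    # No merging: a resource-specific set replaces the defaults entirely.
    return groups.get(resource.upper()) or groups.get("DEFAULT", {})

def audit(headers):
    """Return findings for one resource's effective CORS headers."""
    findings = []
    origin = headers.get("Access-Control-Allow-Origin", "")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if origin == "*" and creds:
        findings.append("wildcard-with-credentials: browsers reject '*' on credentialed requests")
    elif origin == "*":
        findings.append("wildcard-origin: every site may read responses")
    elif re.match(r"^https?://[^/]+/", origin):
        findings.append("origin-has-path: a browser Origin is scheme://host[:port] only")
    return findings

if __name__ == "__main__":
    # UserResource is a hypothetical resource with no override, so it gets the defaults.
    for res in ("ContentResource", "UserResource"):
        print(res, audit(effective_headers(SAMPLE, res)))
```

Because the override is all-or-nothing, ContentResource in this sample sends no Access-Control-Expose-Headers at all, even though the defaults define one.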