cors_​support

Version: v2025-01-13Includes use: Yes

Behavior name: CORS Protocol Support

Cross-origin resource sharing (CORS) allows web pages in one domain to access restricted resources from your domain. Specify external origin hostnames, methods, and headers that you want to accept via HTTP response headers. Full support of CORS requires allowing requests that use the OPTIONS method. See allow_options.

Default behavior

These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.

data "akamai_property_rules_builder" "cors_support" {
  rules_v2025_02_18 {
    name     = "CORS Protocol Support"
    comments = "Allows web pages in one domain to access restricted resources from your domain."
    behavior {
      cors_support {
        expose_headers = []
        allow_origins = "ANY"
        allow_credentials = false
        methods = [
          "GET"
          "POST"
        ]
        preflight_max_age = "600s"
        allow_headers = "ANY"
        enabled = true
      }
    }
  }
}
"behaviors": [
  {
    "name": "corsSupport",
    "options": {
      "exposeHeaders": [],
      "allowOrigins": "ANY",
      "allowCredentials": false,
      "methods": [
        "GET",
        "POST"
      ],
      "preflightMaxAge": "600s",
      "allowHeaders": "ANY",
      "enabled": true
    }
  }
]

Options

Option Description
enabled
Enables CORS feature.
allow_origins
In responses to preflight requests, sets which origin hostnames to accept requests from. Value is one of:
  • ANY. Accept from any origin hostname.
  • SPECIFIED. Accept from a set of origin hostnames.
origins
Defines the origin hostnames to accept requests from. The hostnames that you enter need to start with http or https. For detailed hostname syntax requirements, refer to RFC-952 and RFC-1123 specifications.
allow_credentials
Accepts requests made using credentials, like cookies or TLS client certificates.
allow_headers
In responses to preflight requests, defines which headers to allow when making the actual request. Value is one of:
  • ANY. Allow any headers.
  • SPECIFIED. Allow a specific set of headers.
headers
Defines the supported request headers.
methods
Specifies any combination of the following methods that are allowed when accessing the resource from an external domain.
  • DELETE
  • GET
  • PATCH
  • POST
  • PUT
expose_headers
In responses to preflight requests, lists names of headers that clients can access. By default, clients can access these response headers, but can add other header names to make them accessible to clients.
  • Cache-Control
  • Content-Language
  • Content-Type
  • Expires
  • Last-Modified
  • Pragma
preflight_max_age
Defines the number of seconds that the browser should cache the response to a preflight request.