Policies Reference



The CORS policy enables Cross-Origin Resource Sharing (CORS) in Express Gateway. CORS is the mechanism by which a server tells the browser which cross-origin requests it is willing to accept and whether a page from another origin may read the response; the browser enforces the answer.


To enable the CORS policy, add cors to the top-level policies section of gateway.config.yml (this declares the policy as loadable; its options are set per pipeline, see the examples below).

  policies:
    - cors
    # other policies

Example: excerpt (policy options go under action)

  - cors:
      action:
        # restrict origin explicitly when credentials is true
        credentials: true

Example: full

  http:
    port: 9089
  apiEndpoints:
    test_default:
  serviceEndpoints:
    example: # will be referenced in proxy policy
      url: ''  # set to the upstream service URL
  policies:
    - cors
    - proxy
  pipelines:
    pipeline1:
      apiEndpoints:
        - test_default
      policies:
        - cors:
            action:
              origin: ''  # set to the allowed browser origin
              methods: 'HEAD,PUT,PATCH,POST,DELETE'
              allowedHeaders: 'X-TEST'
        - proxy:
            action:
              serviceEndpoint: example

Note on security

If the pipeline you are adding the cors policy to also contains a security check such as OAuth2, Key Auth or Basic Auth, you should:

  • Always put the cors policy at the top of the pipeline, before the security check; otherwise the preflight OPTIONS request will likely fail with a 401 (a preflight never carries credentials or custom headers), while the browser needs a successful response (204 by default, see optionsSuccessStatus) before it sends the real request
  • Make sure all subsequent policies have a condition so that they do not try to handle the OPTIONS method
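Both points applied to one pipeline, as an added example that is not part of the Express Gateway documentation: the cors policy answers the preflight first, and key-auth and proxy are wrapped in Express Gateway's built-in not and method conditions so they never act on OPTIONS. The pipeline, apiEndpoint and serviceEndpoint names, the allowed origin and the key-auth header settings are assumptions.

```yaml
# gateway.config.yml excerpt (added example). Assumes an apiEndpoint
# "browser_api" and a serviceEndpoint "backend" declared elsewhere,
# and that cors, key-auth and proxy are listed under top-level policies.
pipelines:
  browser_api:
    apiEndpoints:
      - browser_api
    policies:
      # 1. cors first. With the default preflightContinue: false the policy
      #    answers the OPTIONS preflight itself (204) and ends the request,
      #    so the browser gets the success it needs before the real call.
      - cors:
          - action:
              origin: 'https://app.example.com'        # assumed origin
              credentials: true
              allowedHeaders: 'Authorization,Content-Type'
      # 2. The credential check runs only for non-OPTIONS requests. A preflight
      #    carries no API key, so an unconditional key-auth would answer it
      #    with 401 and the browser would abort the real request.
      - key-auth:
          - condition:
              name: not
              condition:
                name: method
                methods: ['OPTIONS']
            action:
              apiKeyHeader: Authorization
              apiKeyHeaderScheme: apiKey
      # 3. The proxy carries the same guard, so an OPTIONS request that
      #    somehow bypassed cors is not forwarded to the upstream.
      - proxy:
          - condition:
              name: not
              condition:
                name: method
                methods: ['OPTIONS']
            action:
              serviceEndpoint: backend
```

Moving key-auth above cors is the failure mode the note describes: the preflight hits key-auth without an Authorization header, gets a 401, and the browser never issues the real request.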
Options Reference
  • origin:
    • configures the Access-Control-Allow-Origin CORS header
    • Boolean: set origin to true to reflect the request origin as read from req.header('Origin'), or set to false to disable CORS. Reflecting every origin allows all of them, so do not combine true with credentials: true
    • String: set origin to a specific origin; only requests whose Origin header equals exactly that value are allowed
    • Array: set origin to an array of valid origins. Each entry can be a String or a RegExp (written with the !!js/regexp YAML tag); a request is accepted if its Origin header equals one of the strings or matches one of the patterns. Anchor each RegExp (^ ... $) and escape its dots, otherwise it also matches attacker-controlled hosts whose name merely contains the intended domain
  • methods:
    • configures the Access-Control-Allow-Methods CORS header.
    • expects a comma-delimited string (ex: 'GET,PUT,POST') or an array (ex: ['GET', 'PUT', 'POST']).
  • allowedHeaders:
    • configures the Access-Control-Allow-Headers CORS header.
    • expects a comma-delimited string (ex: 'Content-Type,Authorization') or an array (ex: ['Content-Type', 'Authorization']).
    • if not specified, defaults to reflecting the headers specified in the request’s Access-Control-Request-Headers header.
  • exposedHeaders:
    • configures the Access-Control-Expose-Headers CORS header.
    • expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array (ex: ['Content-Range', 'X-Content-Range']).
    • if not specified, no custom headers are exposed.
  • credentials:
    • configures the Access-Control-Allow-Credentials CORS header.
    • set to true to pass the header, otherwise it is omitted.
  • maxAge:
    • configures the Access-Control-Max-Age CORS header.
    • set to an integer to pass the header, otherwise it is omitted.
  • preflightContinue:
    • pass the CORS preflight response to the next handler.
  • optionsSuccessStatus:
    • provides a status code to use for successful OPTIONS requests, since some legacy browsers (IE11, various SmartTVs) choke on 204.

The default configuration is the equivalent of:

  {
    "origin": "*",
    "methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
    "preflightContinue": false,
    "optionsSuccessStatus": 204
  }

With origin "*" every origin is allowed (without credentials). Restrict origin explicitly before enabling credentials: browsers reject Access-Control-Allow-Credentials: true together with a wildcard origin, so the combination fails rather than silently widening access.
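The options above in a weak and a hardened form, as an added example that is not from the Express Gateway documentation; the pipeline and apiEndpoint names and the origins are assumptions. The weak form reflects every Origin with credentials, which lets any site's JavaScript make and read authenticated requests; the hardened form uses an explicit allow-list with an anchored !!js/regexp entry and spells out methods and headers instead of reflecting whatever the request asks for.

```yaml
# gateway.config.yml excerpt (added example). Assumes an apiEndpoint
# "browser_api" declared elsewhere and cors listed under top-level policies.
pipelines:
  browser_api:
    apiEndpoints:
      - browser_api
    policies:
      # WEAK (do not deploy, kept for contrast): origin: true echoes whatever
      # Origin header arrives into Access-Control-Allow-Origin, and
      # credentials: true lets that origin send cookies/Authorization and
      # read the response. Any site can then act as the logged-in user.
      #- cors:
      #    - action:
      #        origin: true
      #        credentials: true
      #
      # HARDENED: an explicit allow-list. The RegExp is anchored at both ends
      # and escapes its dots, so https://app.example.com.attacker.test and
      # https://evilexample.com do not match; only one label is accepted
      # below example.com.
      - cors:
          - action:
              origin:
                - 'https://app.example.com'
                - !!js/regexp /^https:\/\/[a-z0-9-]+\.example\.com$/
              credentials: true
              methods: 'GET,POST'                         # not the full default list
              allowedHeaders: 'Authorization,Content-Type' # no reflection of Access-Control-Request-Headers
              exposedHeaders: 'X-Request-Id'               # only what the client must read
              maxAge: 600                                  # cache the preflight for 10 minutes
```

Set methods and allowedHeaders explicitly whenever credentials is on: the defaults reflect the request's own Access-Control-Request-Headers and allow every verb, which is more than a browser client normally needs.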