AllowCredentials determines the value of the Access-Control-Allow-Credentials response header. This header indicates whether or not the response to the request can be exposed when the credentials mode (Request.credentials) is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. See also [MDN: Access-Control-Allow-Credentials].
Optional. Default value false, in which case the header is not set.
Security: avoid using AllowCredentials = true with AllowOrigins = *.
See "Exploiting CORS misconfigurations for Bitcoins and bounties",
https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
AllowHeaders determines the value of the Access-Control-Allow-Headers response header. This header is used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.
Optional. Default value []string{}.
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
AllowMethods determines the value of the Access-Control-Allow-Methods response header. This header specifies the list of methods allowed when accessing the resource. This is used in response to a preflight request.
Optional. Default value DefaultCORSConfig.AllowMethods.
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
AllowOriginFunc is a custom function to validate the origin. It takes the origin as an argument and returns true if allowed or false otherwise. If an error is returned, it is returned by the handler. If this option is set, AllowOrigins is ignored.
Security: use extreme caution when handling the origin, and carefully validate any logic. Remember that attackers may register hostile domain names. See https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
Optional.
AllowOrigins determines the value of the Access-Control-Allow-Origin response header. This header defines a list of origins that may access the resource. The wildcard characters '*' and '?' are supported and are converted to the regex fragments '.*' and '.' respectively.
Security: use extreme caution when handling the origin, and carefully validate any logic. Remember that attackers may register hostile domain names. See https://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
Optional. Default value []string{"*"}.
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
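The following Go snippet is an added illustration of the origin rules documented above (the AllowOrigins wildcard-to-regex conversion, the precedence of AllowOriginFunc, and the AllowCredentials-with-wildcard warning); it is not echo's own middleware code. CORSPolicy, originPattern, Unsafe and AllowOriginHeader are hypothetical names chosen for the example.

```go
package main

import (
	"regexp"
	"strings"
)

// CORSPolicy is a hypothetical stand-in for the documented CORSConfig fields, not echo's own type.
type CORSPolicy struct {
	AllowOrigins     []string
	AllowCredentials bool
	AllowOriginFunc  func(origin string) (bool, error)
}

// originPattern anchors an AllowOrigins entry with '*' -> '.*' and '?' -> '.', as documented.
func originPattern(allow string) *regexp.Regexp {
	q := regexp.QuoteMeta(allow)
	q = strings.ReplaceAll(q, `\*`, ".*")
	q = strings.ReplaceAll(q, `\?`, ".")
	return regexp.MustCompile("^" + q + "$")
}

// Unsafe reports the documented bad combination: AllowCredentials with a "*" origin.
func (p CORSPolicy) Unsafe() bool {
	for _, o := range p.AllowOrigins {
		if o == "*" && p.AllowCredentials && p.AllowOriginFunc == nil {
			return true
		}
	}
	return false
}

// AllowOriginHeader returns the Access-Control-Allow-Origin value for a request Origin, or "" when
// it is not allowed; a custom AllowOriginFunc takes precedence over AllowOrigins.
func (p CORSPolicy) AllowOriginHeader(origin string) (string, error) {
	if p.AllowOriginFunc != nil {
		if ok, err := p.AllowOriginFunc(origin); err != nil || !ok {
			return "", err
		}
		return origin, nil
	}
	for _, allow := range p.AllowOrigins {
		if allow == "*" {
			return "*", nil
		}
		if originPattern(allow).MatchString(origin) {
			return origin, nil
		}
	}
	return "", nil
}
```

Note that a pattern such as "https://*example.com" (no dot before the wildcard) also matches a hostile registration like "https://evilexample.com", which is the kind of mistake the security note above refers to.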
ExposeHeaders determines the value of Access-Control-Expose-Headers, which defines a list of headers that clients are allowed to access.
Optional. Default value []string{}, in which case the header is not set.
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
MaxAge determines the value of the Access-Control-Max-Age response header. This header indicates how long (in seconds) the results of a preflight request can be cached. The header is set only if MaxAge != 0; a negative value sends "0", which instructs browsers not to cache that response.
Optional. Default value 0, meaning the header is not sent.
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
UnsafeWildcardOriginWithAllowCredentials UNSAFE/INSECURE: allows the wildcard '*' origin to be used together with the AllowCredentials flag. In that case any origin is considered allowed and is sent back to the client in the Access-Control-Allow-Origin header.
This is INSECURE and potentially leads to cross-origin attacks. See: https://github.com/labstack/echo/issues/2400 for discussion on the subject.
Optional. Default value is false.
CORSConfig defines the config for CORS middleware.