Headscale: Added an option to set an Access-Control-Allow-Origin response header to enable Cross-Origin Resource Sharing (CORS)

Jisse-Meruma · Jisse-Meruma · commit 68ce69756212 · 2025-01-31T15:38:33.000+01:00
diff --git a/config-example.yaml b/config-example.yaml
@@ -40,6 +40,13 @@ grpc_listen_addr: 127.0.0.1:50443
 # are doing.
 grpc_allow_insecure: false
 
+# The Access-Control-Allow-Origin header specifies which origins are allowed to access resources.
+# Options:
+# - "*" to allow access from any origin (not recommended for sensitive data).
+# - "http://example.com" to only allow access from a specific origin.
+# - "" to disable Cross-Origin Resource Sharing (CORS).
+access_control_allow_origin: ""
+
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
 noise:
diff --git a/hscontrol/app.go b/hscontrol/app.go
@@ -455,10 +455,21 @@ func (h *Headscale) ensureUnixSocketIsAbsent() error {
 	return os.Remove(h.cfg.UnixSocket)
 }
 
+func (h *Headscale) corsHeadersMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Access-Control-Allow-Origin", h.cfg.AccessControlAllowOrigins)
+		next.ServeHTTP(w, r)
+	})
+}
+
 func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
 	router := mux.NewRouter()
 	router.Use(prometheusMiddleware)
 
+	if h.cfg.AccessControlAllowOrigins != "" {
+		router.Use(h.corsHeadersMiddleware)
+	}
+
 	router.HandleFunc(ts2021UpgradePath, h.NoiseUpgradeHandler).Methods(http.MethodPost, http.MethodGet)
 
 	router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet)
diff --git a/hscontrol/types/config.go b/hscontrol/types/config.go
@@ -66,6 +66,8 @@ type Config struct {
 	Log                            LogConfig
 	DisableUpdateCheck             bool
 
+	AccessControlAllowOrigins string
+
 	Database DatabaseConfig
 
 	DERP DERPConfig
@@ -332,6 +334,8 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("tuning.batch_change_delay", "800ms")
 	viper.SetDefault("tuning.node_mapsession_buffered_chan_size", 30)
 
+	viper.SetDefault("access_control_allow_origin", "")
+
 	viper.SetDefault("prefixes.allocation", string(IPAllocationStrategySequential))
 
 	if err := viper.ReadInConfig(); err != nil {
@@ -903,6 +907,8 @@ func LoadServerConfig() (*Config, error) {
 		GRPCAllowInsecure:  viper.GetBool("grpc_allow_insecure"),
 		DisableUpdateCheck: false,
 
+		AccessControlAllowOrigins: viper.GetString("access_control_allow_origin"),
+
 		PrefixV4:     prefix4,
 		PrefixV6:     prefix6,
 		IPAllocation: IPAllocationStrategy(alloc),
