# CORS (Cross-Origin Resource Sharing)
#
# Spec-compliant CORS filter with preflight handling,
# origin validation, and credential support.
#
# The CORS filter must run before filters that reject
# requests (e.g. ip_acl, guardrails) so that preflight
# OPTIONS are answered before those filters block them.
# Consequence: a preflight from a source that ip_acl would reject
# still receives a CORS response. That only discloses the CORS
# policy; the actual (non-preflight) request is presumably still
# subject to the later filters - confirm against the filter
# implementation before relying on it.
#
# allow_credentials enables Access-Control-Allow-Credentials: true.
# Per the Fetch spec, credentialed responses may not use the "*"
# wildcard for allow_origins, allow_methods, allow_headers or
# expose_headers; the browser fails the CORS check otherwise.
# Enabling credentials means every allowed origin can act with the
# user's cookies / Authorization header, so keep allow_origins as
# tight as possible: a subdomain wildcard grants that access to
# every host under the domain, including compromised or
# takeover-able ones.
#
# Usage:
# cargo run -p praxis -- -c examples/configs/security/cors.yaml
#
# Exercise:
# # Simple request with allowed origin:
# curl -v -H "Origin: https://app.example.com" \
# http://localhost:8080/api/data
#
# # Preflight request:
# curl -v -X OPTIONS \
# -H "Origin: https://app.example.com" \
# -H "Access-Control-Request-Method: PUT" \
# -H "Access-Control-Request-Headers: Content-Type" \
# http://localhost:8080/api/data
#
# # Credentialed request (cookies sent cross-origin):
# curl -v -H "Origin: https://app.example.com" \
# --cookie "session=abc123" \
# http://localhost:8080/api/data
#
# # Disallowed origin (no CORS headers in response). CORS only
# # governs what a browser lets the page read; the request is
# # presumably still forwarded and served (confirm), and non-browser
# # clients ignore CORS entirely - it is not an access-control mechanism:
# curl -v -H "Origin: https://evil.com" \
# http://localhost:8080/api/data
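listeners:
  - name: default
    # Loopback bind: this is an example, not a deployable listener.
    address: "127.0.0.1:8080"
    filter_chains:
      - main

filter_chains:
  - name: main
    # Filter order matters: cors comes first so preflight OPTIONS
    # requests are answered before any later filter can reject them.
    filters:
      - filter: cors
        # Origins that receive Access-Control-Allow-Origin. With
        # allow_credentials: true below, every origin listed here can
        # make cookie- / Authorization-bearing requests from a browser.
        allow_origins:
          - "https://app.example.com"
          # Subdomain wildcard: any host under example.com qualifies,
          # including a compromised, user-content-serving or dangling
          # (takeover-able) subdomain. Prefer an explicit list whenever
          # credentials are enabled. Quoted because '*' is a YAML alias
          # sigil. NOTE(review): confirm whether '*' matches a single
          # label only or also nested subdomains (a.b.example.com).
          - "https://*.example.com"
        # Methods advertised in preflight responses
        # (Access-Control-Allow-Methods).
        allow_methods:
          - GET
          - POST
          - PUT
          - DELETE
        # Request headers a page may send cross-origin
        # (Access-Control-Allow-Headers).
        allow_headers:
          - Content-Type
          - Authorization
          - X-Request-ID
        # Response headers the browser lets the page read
        # (Access-Control-Expose-Headers).
        expose_headers:
          - X-Request-ID
          - X-RateLimit-Remaining
        # Preflight cache lifetime in seconds (Access-Control-Max-Age).
        # Browsers cap this value; a tightening of the policy (e.g.
        # dropping a method) may not reach a client until its cached
        # preflight expires.
        max_age: 3600
        # Emits Access-Control-Allow-Credentials: true. Requires the
        # explicit origins above: a "*" origin combined with
        # credentials fails the browser's CORS check.
        # NOTE(review): a per-origin Access-Control-Allow-Origin must
        # be paired with `Vary: Origin` so shared caches never serve
        # one origin's header to another - confirm the filter sets it.
        allow_credentials: true
      - filter: router
        routes:
          - path_prefix: "/"
            cluster: backend
      - filter: load_balancer

clusters:
  - name: backend
    endpoints:
      - "127.0.0.1:3000"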