Skip to main content

CORS Policy Reference

Estimated reading time: 0 min read
FieldTypeDefaultOptionalLimitationsDescription
Access-Control-Allow-Originarray["*"]Yes1 <= Number of items <= 256.Allowed origins, format: scheme://host:port,
i.e https://somehost.com:8081.
Access-Control-Allow-Headersarray["*"]Yes1 <= Number of items <= 256.Which headers are allowed to set in request when access cross-origin resource.
Access-Control-Allow-Methodsarray["*"]Yes1 <= Number of items <= 9.Which methods are allowed, i.e. GET, POST.
Access-Control-Expose-Headersarray["*"]Yes1 <= Number of items <= 256.Which headers are allowed to set in response when access cross-origin resource.
Access-Control-Allow-CredentialsbooleanfalseYesOther fields cannot be "*" if this option is trueEnable request include credentials (such as Cookie etc.).
Access-Control-Max-Ageinteger5Yes-Maximum number of seconds the results can be cached. Within this time range, the browser will reuse the last check result.
-1 means no cache. Please note that the maximum value is depended on browser, please refer to MDN for details.