Important

You are browsing the documentation for version 3.1 of OroCommerce, OroCRM and OroPlatform, which is no longer maintained. Read version 5.1 (the latest LTS version) of the Oro documentation to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.

CORS Configuration

By default, Cross-Origin Resource Sharing (CORS) is disabled for the REST API. To enable it, configure the list of origins that are allowed to access your REST API resources in Resources/config/oro/app.yml of any bundle or in config/config.yml of your application, e.g.:

oro_api:
    cors:
        allow_origins:
            - 'https://example.com'

You can also configure other CORS options. Here is the default configuration:

oro_api:
    cors:
        # The number of seconds the user agent is allowed to cache CORS preflight requests.
        preflight_max_age: 600

        # The list of origins that are allowed to send CORS requests.
        allow_origins: []

        # Indicates whether CORS requests can include user credentials.
        # This option determines whether the "Access-Control-Allow-Credentials" response header
        # should be passed within CORS requests.
        allow_credentials: false

        # The list of headers that are allowed to be sent by CORS requests.
        # This option specifies a list of headers that are sent
        # in the "Access-Control-Allow-Headers" response header of CORS preflight requests.
        allow_headers: []

        # The list of headers that can be exposed by CORS responses.
        # This option specifies a list of headers that are sent
        # in the "Access-Control-Expose-Headers" response header of CORS requests.
        expose_headers: []
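
To reason about what a given set of these options lets a browser do, the following added example (not code from Oro or from this documentation) models standard CORS header selection over a dict that mirrors the oro_api.cors keys. The function name, the sample values, the exact-string origin comparison and the "Vary" header are assumptions of the example.

```python
# Added illustration: models standard CORS response-header selection using
# the option names from oro_api.cors. This is not Oro's implementation.
DEFAULTS = {
    "preflight_max_age": 600,
    "allow_origins": [],
    "allow_credentials": False,
    "allow_headers": [],
    "expose_headers": [],
}


def cors_headers(cors, origin, preflight=False):
    """Return the CORS response headers for a request whose Origin is `origin`."""
    cfg = {**DEFAULTS, **cors}
    # Assumption: origins are compared as exact strings (scheme, host, port).
    if origin is None or origin not in cfg["allow_origins"]:
        return {}  # no CORS headers, so the browser blocks the cross-origin read
    # "Vary: Origin" is common practice when the origin is echoed (assumption).
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if cfg["allow_credentials"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight:
        if cfg["allow_headers"]:
            headers["Access-Control-Allow-Headers"] = ", ".join(cfg["allow_headers"])
        if cfg["preflight_max_age"] > 0:
            headers["Access-Control-Max-Age"] = str(cfg["preflight_max_age"])
    elif cfg["expose_headers"]:
        headers["Access-Control-Expose-Headers"] = ", ".join(cfg["expose_headers"])
    return headers


# Constructed sample configuration; the header names are illustrative values.
SAMPLE = {
    "allow_origins": ["https://example.com"],
    "allow_credentials": True,
    "allow_headers": ["Authorization", "Content-Type"],
    "expose_headers": ["Location"],
}

if __name__ == "__main__":
    # Only the first origin is listed; scheme, port and subdomain variants are not.
    for origin in ("https://example.com", "http://example.com",
                   "https://example.com:8443", "https://app.example.com"):
        print(origin, "->", cors_headers(SAMPLE, origin, preflight=True))
```

Under these assumptions, every variant of the listed origin that differs in scheme, port or subdomain receives no CORS headers, which is the behaviour to confirm against a real deployment before setting allow_credentials to true.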