CORS Configuration

By default, Cross-Origin Resource Sharing (CORS) is disabled for the REST API. To enable it, configure the list of origins that are allowed to access your REST API resources in Resources/config/oro/app.yml of any bundle or in config/config.yml of your application, for example:

 oro_api:
     cors:
         allow_origins:
             - 'https://example.com'

You can also configure other CORS options. Here is the default configuration:

 oro_api:
     cors:
         # The number of seconds the user agent is allowed to cache CORS preflight requests.
         preflight_max_age: 600

         # The list of origins that are allowed to send CORS requests.
         allow_origins: []

         # Indicates whether CORS requests can include user credentials.
         # This option determines whether the "Access-Control-Allow-Credentials" response header
         # should be passed within CORS requests.
         allow_credentials: false

         # The list of headers that CORS requests are allowed to send.
         # This option specifies a list of headers that are sent
         # in the "Access-Control-Allow-Headers" response header of CORS preflight requests
         allow_headers: []

         # The list of headers that can be exposed by CORS responses.
         # This option specifies a list of headers that are sent
         # in the "Access-Control-Expose-Headers" response header of CORS requests
         expose_headers: []
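
The following is an added example, not OroPlatform code: a simplified Python model of how the options above translate into CORS response headers for preflight and actual requests. The function name, the sample configuration values and the exact string comparison of the Origin header are assumptions made for illustration.

```python
# Simplified model of how the oro_api.cors options map to response headers.
# Added illustration, not OroPlatform code. Exact, case-sensitive origin
# matching is an assumption of this model.

CORS_CONFIG = {  # constructed sample that mirrors the YAML keys on this page
    "preflight_max_age": 600,
    "allow_origins": ["https://example.com"],
    "allow_credentials": True,
    "allow_headers": ["Content-Type", "Authorization"],
    "expose_headers": ["Location"],
}


def cors_headers(config, method, request_headers):
    """Return the CORS response headers for one request ({} if none apply)."""
    origin = request_headers.get("Origin")
    # Without an Origin header the request is not a CORS request. An origin
    # that is not listed gets no CORS headers, so the browser refuses to hand
    # the response to the calling script.
    if origin is None or origin not in config["allow_origins"]:
        return {}

    # Echo the matched origin back to the browser.
    headers = {"Access-Control-Allow-Origin": origin}
    if config["allow_credentials"]:
        headers["Access-Control-Allow-Credentials"] = "true"

    is_preflight = (
        method == "OPTIONS" and "Access-Control-Request-Method" in request_headers
    )
    if is_preflight:
        # preflight_max_age and allow_headers only matter on preflight responses.
        # Allowed methods are outside the options shown on this page and are
        # left out of the model.
        headers["Access-Control-Max-Age"] = str(config["preflight_max_age"])
        if config["allow_headers"]:
            headers["Access-Control-Allow-Headers"] = ", ".join(config["allow_headers"])
    elif config["expose_headers"]:
        # expose_headers only matters on responses to actual requests.
        headers["Access-Control-Expose-Headers"] = ", ".join(config["expose_headers"])
    return headers


if __name__ == "__main__":
    preflight = {"Origin": "https://example.com", "Access-Control-Request-Method": "POST"}
    print(cors_headers(CORS_CONFIG, "OPTIONS", preflight))
    print(cors_headers(CORS_CONFIG, "GET", {"Origin": "https://example.com"}))
    print(cors_headers(CORS_CONFIG, "GET", {"Origin": "http://example.com"}))
```

Under this model an origin that differs only in scheme, port or a trailing suffix is treated as unlisted, which is why each entry in allow_origins should be a full scheme://host[:port] value.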