Important

You are browsing upcoming documentation for version 6.0 of OroCommerce, OroCRM, and OroPlatform, scheduled for release in 2024. Read version 5.1 (the latest LTS version) of the Oro documentation to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.

CORS Configuration 

By default, the Cross-Origin Resource Sharing (CORS) is disabled for REST API. To enable it, configure a list of origins that are allowed to access your REST API resources via Resources/config/oro/app.yml in any bundle or config/config.yml of your application, e.g.:

oro_api:
    cors:
        allow_origins:
            - 'https://example.com'

You can also configure other CORS options. Here is the default configuration:

oro_api:
    cors:
        # The amount of seconds the user agent is allowed to cache CORS preflight requests.
        preflight_max_age: 600

        # The list of origins that are allowed to send CORS requests.
        allow_origins: []

        # Indicates whether CORS request can include user credentials.
        # This option determines whether the "Access-Control-Allow-Credentials" response header
        # should be passed within CORS requests.
        allow_credentials: false

        # The list of headers that are allowed to send by CORS requests.
        # This option specifies a list of headers that are sent
        # in the "Access-Control-Allow-Headers" response header of CORS preflight requests
        allow_headers: []

        # The list of headers that can be exposed by CORS responses.
        # This option specifies a list of headers that are sent
        # in the "Access-Control-Expose-Headers" response header of CORS requests
        expose_headers: []