CORS Header Configuration

Last Updated: Dec 10, 2024
documentation for the dotCMS Content Management System

You can specify CORS headers to include in REST responses. These headers can be set as global defaults and can be overridden on an endpoint by endpoint basis. The endpoint-specific headers completely override the default headers; each REST resource will send the resource-specific headers (and ignore the default headers) if they have been specified, but will fall back to the default CORS headers if no resource-specific headers are configured.

Setting Global CORS Headers

To set a global default CORS header, you must define a configuration property in the following form:

DOT_API_CORS_DEFAULT_${header-name}: '${headerValue}'

For example, if you want to set the default header Access-Control-Allow-Origin: *, add the following property to the:

DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN: `*`

Default CORS Headers

The following CORS headers are set by default in the dotCMS properties:

DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN: '*'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_HEADERS: '*'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_METHODS: 'GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'true'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_EXPOSE_HEADERS: '*'

Including any of these keys as an environment variable will permit its global overwriting.

Overriding Headers for Specific Resources

To override CORS headers for a specific REST resource, you must replace DEFAULT in the appropriate key with the name of the specified resource, as follows:

DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'false'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_METHODS: 'PUT'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_ORIGIN: 'http://example.com/'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_HEADERS: 'Authorization,Accept,Cookies,Content-Type,Content-Length'

On this page

×

We Dig Feedback

Selected excerpt:

×