Indicates whether the resource supports user credentials.
Indicates whether the resource supports user credentials. If true
, the header
Access-Control-Allow-Credentials
is set in the response, indicating that the
actual request can include user credentials. Examples of user credentials are:
cookies, HTTP authentication or client-side certificates.
Default: true
If true
, allow generic requests (that are outside the scope of the specification)
to pass through the directive.
If true
, allow generic requests (that are outside the scope of the specification)
to pass through the directive. Else, strict CORS filtering is applied and any
invalid request will be rejected.
Default: true
List of request headers that can be used when making an actual request.
List of request headers that can be used when making an actual request. Controls
the content of the Access-Control-Allow-Headers
header in a preflight response:
if parameter is *
, the headers from Access-Control-Request-Headers
are echoed.
Otherwise the parameter list is returned as part of the header.
Default: HttpHeaderRange.*
List of methods that can be used when making an actual request.
List of methods that can be used when making an actual request. The list is
returned as part of the Access-Control-Allow-Methods
preflight response header.
The preflight request will be rejected if the Access-Control-Request-Method
header's method is not part of the list.
Default: Seq(GET, POST, HEAD, OPTIONS)
List of origins that the CORS filter must allow.
List of origins that the CORS filter must allow. Can also be set to *
to allow
access to the resource from any origin. Controls the content of the
Access-Control-Allow-Origin
response header: if parameter is *
and credentials
are not allowed, a *
is set in Access-Control-Allow-Origin
. Otherwise, the
origins given in the Origin
request header are echoed.
The actual or preflight request is rejected if any of the origins from the request is not allowed.
Default: HttpOriginRange.*
List of headers (other than simple response headers) that browsers are allowed to access.
List of headers (other than simple response headers) that browsers are allowed to access.
If not empty, this list is returned as part of the Access-Control-Expose-Headers
header in the actual response.
Default: Seq.empty
When set, the amount of seconds the browser is allowed to cache the results of a preflight request.
When set, the amount of seconds the browser is allowed to cache the results of a preflight request.
This value is returned as part of the Access-Control-Max-Age
preflight response header.
If None
, the header is not added to the preflight response.
Default: Some(30 * 60)
Settings used by the CORS directives.