From cd285d4bf5e7af702ee7857e851e5fcfa0162e6b Mon Sep 17 00:00:00 2001 From: Sharad Regoti Date: Wed, 29 Apr 2026 18:03:34 +0530 Subject: [PATCH 01/10] Portal B20/B10: add Configure CORS how-to guide and CORS troubleshooting page - configure-cors.mdx: covers Portal application CORS (env vars + Helm) and Gateway CORS for Classic and OAS API definitions; includes TT-15960 regression callout and AllowedOrigins default TODO - cors-issues.mdx: troubleshooting page with four validated scenarios (Portal CORS disabled, Gateway CORS misconfigured, TT-15960 403 regression, credentials+wildcard conflict) based on OEL code analysis and customer-insights Zendesk cases --- portal/how-to-guides/configure-cors.mdx | 196 +++++++++++++++++++++++- portal/troubleshooting/cors-issues.mdx | 110 ++++++++++++- 2 files changed, 296 insertions(+), 10 deletions(-) diff --git a/portal/how-to-guides/configure-cors.mdx b/portal/how-to-guides/configure-cors.mdx index 0f0e5a912..cf4767592 100644 --- a/portal/how-to-guides/configure-cors.mdx +++ b/portal/how-to-guides/configure-cors.mdx @@ -1,8 +1,194 @@ --- -title: "Configure CORS" -description: "How to configure CORS at the Developer Portal application level and at the Tyk Gateway level for APIs exposed via the portal." +title: "How to Configure CORS" +sidebarTitle: "Configure CORS" +description: "Configure CORS for the Tyk Developer Portal application and for APIs exposed in the Live Portal, enabling consumers to test APIs from the API Playground." +keywords: "CORS, cross-origin resource sharing, Developer Portal CORS, Gateway CORS, API Playground, PORTAL_CORS_ENABLE" --- - -This page is a placeholder. Content is being written. - +Cross-origin request configuration in the Developer Portal involves two independent layers: the Portal application itself and the Tyk Gateway APIs that consumers test via the API Playground. Both layers must be configured for a fully functional cross-origin deployment. + +## Prerequisites + +- Developer Portal is deployed and accessible +- Tyk Gateway and Dashboard are running +- At least one [API product](/portal/api-products) is configured and published in the Portal +- You know the public URL of your Live Portal (for example, `https://portal.example.com`) +- You know the public URL of your Tyk Gateway (for example, `https://api.example.com`) + +## Configure Portal Application CORS + +Portal application CORS controls which external origins may call the Portal's own Admin API and Live Portal routes. It is configured via environment variables on the Portal process. + + +`PORTAL_CORS_ENABLE` defaults to `false`. All cross-origin requests to the Portal are rejected until you set this to `true`. + + +**1. Enable CORS** + +Set `PORTAL_CORS_ENABLE=true` on the Portal process. + + + + ```ini + PORTAL_CORS_ENABLE=true + ``` + + + ```yaml + extraEnvs: + - name: PORTAL_CORS_ENABLE + value: "true" + ``` + + + +**2. Set allowed origins** + +Set `PORTAL_CORS_ALLOWED_ORIGINS` to the origins permitted to make cross-origin requests to the Portal. Use the exact scheme and host of each origin, separated by commas. Wildcards are supported. + +{/* TODO: Verify the default behavior when PORTAL_CORS_ALLOWED_ORIGINS is unset. Code analysis (rs/cors library) indicates an empty slice allows all origins. The configuration reference states no origins are allowed by default. Confirm with the Portal team before documenting a specific default. */} + + + + ```ini + PORTAL_CORS_ALLOWED_ORIGINS=https://admin.example.com,https://developer.example.com + ``` + + + ```yaml + extraEnvs: + - name: PORTAL_CORS_ALLOWED_ORIGINS + value: "https://admin.example.com,https://developer.example.com" + ``` + + + + +Do not set `PORTAL_CORS_ALLOWED_ORIGINS` to `*` when `PORTAL_CORS_ALLOW_CREDENTIALS=true`. The CORS specification does not allow credentialed requests from wildcard origins. Specify each origin explicitly instead. + + +**3. Set allowed headers and methods** + +Set the HTTP headers and methods that cross-origin requests to the Portal may use. No headers are allowed by default. The default allowed methods are `GET`, `POST`, and `HEAD`. + + + + ```ini + PORTAL_CORS_ALLOWED_HEADERS=Authorization,Content-Type,X-Requested-With + PORTAL_CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS + ``` + + + ```yaml + extraEnvs: + - name: PORTAL_CORS_ALLOWED_HEADERS + value: "Authorization,Content-Type,X-Requested-With" + - name: PORTAL_CORS_ALLOWED_METHODS + value: "GET,POST,PUT,DELETE,OPTIONS" + ``` + + + +**4. (Optional) Configure additional CORS settings** + +| Variable | Type | Default | Description | +|---|---|---|---| +| `PORTAL_CORS_MAX_AGE` | `int` | `0` | How long, in seconds, browsers may cache the preflight response. A positive value reduces preflight round trips. | +| `PORTAL_CORS_ALLOW_CREDENTIALS` | `bool` | `false` | Whether the Portal includes credentials (cookies, HTTP authentication) in CORS responses. | +| `PORTAL_CORS_DEBUG` | `bool` | `false` | Logs CORS decisions to the Portal output. Enable temporarily when diagnosing CORS issues. | + +**5. Restart the Portal** + +Restart the Portal process or pod for the environment variable changes to take effect. + +**6. Verify** + +Open your browser developer tools and make a cross-origin request to the Portal from an allowed origin. The response headers should include `Access-Control-Allow-Origin` and the request should succeed. + +{/* TODO: Screenshot — Portal response headers in browser DevTools Network tab showing Access-Control-Allow-Origin header present */} + +--- + +## Configure Gateway CORS for APIs + +When a consumer tests an API using the API Playground on the Live Portal, the browser makes requests directly to the Tyk Gateway. The Portal does not proxy these requests and does not inject CORS headers. You must configure CORS on the API definition for each API exposed through the Portal. + + +**Tyk Gateway v5.8.6–v5.8.13:** A middleware ordering issue in these versions causes the allow list to run before CORS processing, returning `403 Forbidden` for OPTIONS preflight requests. Upgrade to Gateway v5.8.14 or later to resolve this. See [Troubleshoot CORS Issues](/portal/troubleshooting/cors-issues) for diagnosis steps. + + +### Tyk Classic API definition + +**1. Open the API in Tyk Dashboard** + +In Tyk Dashboard, go to **APIs** and open the API that belongs to your Portal API product. + +**2. Enable CORS** + +Go to the **Advanced Options** tab and expand the **CORS** section. Enable the **CORS** toggle. + +{/* TODO: Screenshot — Tyk Dashboard API designer, Advanced Options tab, CORS section enabled, showing the fields described in step 3 */} + +**3. Set allowed origins, methods, and headers** + +- **Allowed Origins**: Add the full URL of your Live Portal, for example `https://portal.example.com`. +- **Allowed Methods**: Add all HTTP methods the API supports. Include at minimum `GET`, `POST`, and `OPTIONS`. +- **Allowed Headers**: Add `Origin`, `Content-Type`, and the authentication header your API uses, for example `Authorization`. + +**4. Configure options passthrough** + +Leave **Options Passthrough** disabled (the default). When disabled, the Gateway intercepts `OPTIONS` preflight requests, adds CORS headers, and returns `200 OK` without forwarding to the upstream or enforcing authentication. Enable Options Passthrough only if your upstream service handles CORS natively. + +**5. Save the API** + +Click **Update** to save the API definition. + +**6. Verify** + +Open the API Playground on your Live Portal and send a test request. The request should complete without CORS errors in the browser console. + +### Tyk OAS API definition + +**1. Locate the CORS block** + +In a Tyk OAS API definition, CORS configuration sits under `x-tyk-api-gateway.middleware.global.cors`. + +**2. Add the CORS configuration** + +```yaml expandable +x-tyk-api-gateway: + middleware: + global: + cors: + enabled: true + allowedOrigins: + - "https://portal.example.com" + allowedMethods: + - GET + - POST + - PUT + - DELETE + - OPTIONS + allowedHeaders: + - Origin + - Content-Type + - Authorization + optionsPassthrough: false +``` + +Set `optionsPassthrough` to `false` (the default). When `false`, the Gateway intercepts OPTIONS preflight requests, responds with CORS headers, and does not forward the request to the upstream. + +**3. Import or update the API** + +Import the updated definition in Tyk Dashboard or update the API via the Tyk Dashboard API. + +**4. Verify** + +Open the API Playground on your Live Portal and send a test request. The request should complete without CORS errors in the browser console. + +--- + +## Related + +- [Troubleshoot CORS Issues](/portal/troubleshooting/cors-issues) — diagnose and fix common CORS errors in the Developer Portal and API Playground +- [Portal configuration reference](/product-stack/tyk-enterprise-developer-portal/deploy/configuration) — full list of Portal environment variables diff --git a/portal/troubleshooting/cors-issues.mdx b/portal/troubleshooting/cors-issues.mdx index c2743f738..7ab051476 100644 --- a/portal/troubleshooting/cors-issues.mdx +++ b/portal/troubleshooting/cors-issues.mdx @@ -1,8 +1,108 @@ --- -title: "CORS Issues" -description: "Troubleshoot CORS errors in the Tyk Developer Portal, including endpoint whitelisting interactions, API playground errors, and Portal vs Gateway CORS configuration." +title: "Troubleshoot CORS Issues" +description: "Diagnose and fix CORS errors in the Tyk Developer Portal and API Playground." --- - -This page is a placeholder. Content is being written. - +Cross-origin errors in the Developer Portal arise from two independent layers: the Portal application itself and the Tyk Gateway APIs that the API Playground calls directly. Identify which layer is failing before applying a fix. + + + + **Symptom** + + Requests from your application to the Portal Admin API or Live Portal routes fail. The browser console shows: + + ``` + Access to fetch at 'https://portal.example.com/...' from origin 'https://app.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. + ``` + + Preflight `OPTIONS` requests to the Portal return `404 Not Found` or `405 Method Not Allowed`. + + **Cause** + + `PORTAL_CORS_ENABLE` is `false` (the default). The Portal's CORS middleware is disabled, so no `Access-Control-Allow-Origin` header is added to any response and `OPTIONS` preflight requests fall through to the router with no matching handler. + + **Fix** + + Enable Portal CORS and set your allowed origins. See [Configure Portal Application CORS](/portal/how-to-guides/configure-cors#configure-portal-application-cors). + + + + **Symptom** + + Test requests in the API Playground fail. The browser console shows one of: + + - `401 Unauthorized` on the `OPTIONS` preflight request + - `Access to fetch at 'https://api.example.com/...' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.` + + **Cause** + + The API definition in Tyk Gateway has CORS misconfigured: + + - **CORS disabled entirely**: The Gateway routes the `OPTIONS` preflight through the authentication middleware. Because preflight requests carry no `Authorization` header, the Gateway rejects them with `401 Unauthorized`. + - **CORS enabled but Portal origin not in the allowed list**: The Gateway intercepts the preflight and returns `200 OK`, but omits the `Access-Control-Allow-Origin` header because the Portal's origin does not match `allowed_origins`. The browser treats this as a CORS failure. + + **Fix** + + Configure CORS on the API definition and add your Portal URL to the allowed origins. See [Configure Gateway CORS for APIs](/portal/how-to-guides/configure-cors#configure-gateway-cors-for-apis). + + + + **Symptom** + + API Playground requests fail on Gateway versions v5.8.6 through v5.8.13, even when CORS is correctly configured and the Portal origin is in `allowed_origins`. The browser console shows: + + ``` + TypeError: Failed to fetch + ``` + + The `OPTIONS` preflight returns `403 Forbidden` with one of the following response bodies: + + ```json + {"error": "Requested endpoint is forbidden"} + ``` + + ```json + {"error": "Access to this API has been disallowed"} + ``` + + **Cause** + + A middleware ordering regression (TT-15960) in Gateway versions v5.8.6–v5.8.13 caused the allow-list middleware (`VersionCheck`) to run before the CORS middleware. The allow-list evaluates the `OPTIONS` method against endpoint rules and returns `403 Forbidden` before the CORS middleware can intercept and handle the preflight. + + **Fix** + + Upgrade Tyk Gateway to v5.8.14 or later, where the middleware ordering is corrected. + + + + **Symptom** + + Credentialed cross-origin requests to the Portal fail. The browser console shows: + + ``` + The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. + ``` + + **Cause** + + `PORTAL_CORS_ALLOW_CREDENTIALS=true` is set alongside `PORTAL_CORS_ALLOWED_ORIGINS=*`. The Portal's CORS library (`rs/cors`) does not reject this combination at startup — it returns both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` in the response. The CORS specification forbids this combination, so the browser rejects the response. + + **Fix** + + Replace the wildcard with explicit allowed origins: + + ```ini + PORTAL_CORS_ALLOWED_ORIGINS=https://admin.example.com,https://app.example.com + PORTAL_CORS_ALLOW_CREDENTIALS=true + ``` + + See [Configure Portal Application CORS](/portal/how-to-guides/configure-cors#configure-portal-application-cors). + + + +--- + +## Related + +- [Configure CORS](/portal/how-to-guides/configure-cors) — set up Portal application CORS and Gateway API CORS +- [Portal configuration reference](/product-stack/tyk-enterprise-developer-portal/deploy/configuration) — full list of Portal environment variables From 08df9a58f0b230698dec6ef3379d694c96ea7822 Mon Sep 17 00:00:00 2001 From: Sharad Regoti Date: Fri, 1 May 2026 14:28:55 +0530 Subject: [PATCH 02/10] Portal B20: apply editorial revisions to Configure CORS how-to - Remove Tyk Classic API definition section; replace with a Note callout linking to the Classic CORS reference - Promote Tyk OAS as the sole primary path for Gateway CORS config - Convert bold-prefixed pseudo-steps to proper numbered list items with continuation content indented under each step - Replace env var column in optional settings table with config keys (CORS.MaxAge, CORS.AllowCredentials) linked to their exact anchors in the configuration reference; remove PORTAL_CORS_DEBUG (not in config reference); correct default allowed methods to GET and POST --- portal/how-to-guides/configure-cors.mdx | 255 +++++++++++------------- 1 file changed, 113 insertions(+), 142 deletions(-) diff --git a/portal/how-to-guides/configure-cors.mdx b/portal/how-to-guides/configure-cors.mdx index cf4767592..d5c771c49 100644 --- a/portal/how-to-guides/configure-cors.mdx +++ b/portal/how-to-guides/configure-cors.mdx @@ -23,89 +23,88 @@ Portal application CORS controls which external origins may call the Portal's ow `PORTAL_CORS_ENABLE` defaults to `false`. All cross-origin requests to the Portal are rejected until you set this to `true`. -**1. Enable CORS** - -Set `PORTAL_CORS_ENABLE=true` on the Portal process. - - - - ```ini - PORTAL_CORS_ENABLE=true - ``` - - - ```yaml - extraEnvs: - - name: PORTAL_CORS_ENABLE - value: "true" - ``` - - - -**2. Set allowed origins** - -Set `PORTAL_CORS_ALLOWED_ORIGINS` to the origins permitted to make cross-origin requests to the Portal. Use the exact scheme and host of each origin, separated by commas. Wildcards are supported. - -{/* TODO: Verify the default behavior when PORTAL_CORS_ALLOWED_ORIGINS is unset. Code analysis (rs/cors library) indicates an empty slice allows all origins. The configuration reference states no origins are allowed by default. Confirm with the Portal team before documenting a specific default. */} - - - - ```ini - PORTAL_CORS_ALLOWED_ORIGINS=https://admin.example.com,https://developer.example.com - ``` - - - ```yaml - extraEnvs: - - name: PORTAL_CORS_ALLOWED_ORIGINS - value: "https://admin.example.com,https://developer.example.com" - ``` - - - - -Do not set `PORTAL_CORS_ALLOWED_ORIGINS` to `*` when `PORTAL_CORS_ALLOW_CREDENTIALS=true`. The CORS specification does not allow credentialed requests from wildcard origins. Specify each origin explicitly instead. - - -**3. Set allowed headers and methods** - -Set the HTTP headers and methods that cross-origin requests to the Portal may use. No headers are allowed by default. The default allowed methods are `GET`, `POST`, and `HEAD`. - - - - ```ini - PORTAL_CORS_ALLOWED_HEADERS=Authorization,Content-Type,X-Requested-With - PORTAL_CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS - ``` - - - ```yaml - extraEnvs: - - name: PORTAL_CORS_ALLOWED_HEADERS - value: "Authorization,Content-Type,X-Requested-With" - - name: PORTAL_CORS_ALLOWED_METHODS - value: "GET,POST,PUT,DELETE,OPTIONS" - ``` - - - -**4. (Optional) Configure additional CORS settings** - -| Variable | Type | Default | Description | -|---|---|---|---| -| `PORTAL_CORS_MAX_AGE` | `int` | `0` | How long, in seconds, browsers may cache the preflight response. A positive value reduces preflight round trips. | -| `PORTAL_CORS_ALLOW_CREDENTIALS` | `bool` | `false` | Whether the Portal includes credentials (cookies, HTTP authentication) in CORS responses. | -| `PORTAL_CORS_DEBUG` | `bool` | `false` | Logs CORS decisions to the Portal output. Enable temporarily when diagnosing CORS issues. | - -**5. Restart the Portal** - -Restart the Portal process or pod for the environment variable changes to take effect. - -**6. Verify** - -Open your browser developer tools and make a cross-origin request to the Portal from an allowed origin. The response headers should include `Access-Control-Allow-Origin` and the request should succeed. - -{/* TODO: Screenshot — Portal response headers in browser DevTools Network tab showing Access-Control-Allow-Origin header present */} +1. **Enable CORS** + + Set `PORTAL_CORS_ENABLE=true` on the Portal process. + + + + ```ini + PORTAL_CORS_ENABLE=true + ``` + + + ```yaml + extraEnvs: + - name: PORTAL_CORS_ENABLE + value: "true" + ``` + + + +2. **Set allowed origins** + + Set `PORTAL_CORS_ALLOWED_ORIGINS` to the origins permitted to make cross-origin requests to the Portal. Use the exact scheme and host of each origin, separated by commas. Wildcards are supported. + + {/* TODO: Verify the default behavior when PORTAL_CORS_ALLOWED_ORIGINS is unset. Code analysis (rs/cors library) indicates an empty slice allows all origins. The configuration reference states no origins are allowed by default. Confirm with the Portal team before documenting a specific default. */} + + + + ```ini + PORTAL_CORS_ALLOWED_ORIGINS=https://admin.example.com,https://developer.example.com + ``` + + + ```yaml + extraEnvs: + - name: PORTAL_CORS_ALLOWED_ORIGINS + value: "https://admin.example.com,https://developer.example.com" + ``` + + + + + Do not set `PORTAL_CORS_ALLOWED_ORIGINS` to `*` when `PORTAL_CORS_ALLOW_CREDENTIALS=true`. The CORS specification does not allow credentialed requests from wildcard origins. Specify each origin explicitly instead. + + +3. **Set allowed headers and methods** + + Set the HTTP headers and methods that cross-origin requests to the Portal may use. No headers are allowed by default. The default allowed methods are `GET` and `POST`. + + + + ```ini + PORTAL_CORS_ALLOWED_HEADERS=Authorization,Content-Type,X-Requested-With + PORTAL_CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS + ``` + + + ```yaml + extraEnvs: + - name: PORTAL_CORS_ALLOWED_HEADERS + value: "Authorization,Content-Type,X-Requested-With" + - name: PORTAL_CORS_ALLOWED_METHODS + value: "GET,POST,PUT,DELETE,OPTIONS" + ``` + + + +4. **(Optional) Configure additional CORS settings** + + | Config key | Type | Default | Description | + |---|---|---|---| + | [`CORS.MaxAge`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-max-age) | `int` | `0` | How long, in seconds, browsers may cache the preflight response. A positive value reduces preflight round trips. | + | [`CORS.AllowCredentials`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allow-credentials) | `bool` | `false` | Whether the Portal includes credentials (cookies, HTTP authentication) in CORS responses. | + +5. **Restart the Portal** + + Restart the Portal process or pod for the environment variable changes to take effect. + +6. **Verify** + + Open your browser developer tools and make a cross-origin request to the Portal from an allowed origin. The response headers should include `Access-Control-Allow-Origin` and the request should succeed. + + {/* TODO: Screenshot — Portal response headers in browser DevTools Network tab showing Access-Control-Allow-Origin header present */} --- @@ -117,74 +116,46 @@ When a consumer tests an API using the API Playground on the Live Portal, the br **Tyk Gateway v5.8.6–v5.8.13:** A middleware ordering issue in these versions causes the allow list to run before CORS processing, returning `403 Forbidden` for OPTIONS preflight requests. Upgrade to Gateway v5.8.14 or later to resolve this. See [Troubleshoot CORS Issues](/portal/troubleshooting/cors-issues) for diagnosis steps. -### Tyk Classic API definition - -**1. Open the API in Tyk Dashboard** - -In Tyk Dashboard, go to **APIs** and open the API that belongs to your Portal API product. - -**2. Enable CORS** - -Go to the **Advanced Options** tab and expand the **CORS** section. Enable the **CORS** toggle. - -{/* TODO: Screenshot — Tyk Dashboard API designer, Advanced Options tab, CORS section enabled, showing the fields described in step 3 */} - -**3. Set allowed origins, methods, and headers** - -- **Allowed Origins**: Add the full URL of your Live Portal, for example `https://portal.example.com`. -- **Allowed Methods**: Add all HTTP methods the API supports. Include at minimum `GET`, `POST`, and `OPTIONS`. -- **Allowed Headers**: Add `Origin`, `Content-Type`, and the authentication header your API uses, for example `Authorization`. - -**4. Configure options passthrough** - -Leave **Options Passthrough** disabled (the default). When disabled, the Gateway intercepts `OPTIONS` preflight requests, adds CORS headers, and returns `200 OK` without forwarding to the upstream or enforcing authentication. Enable Options Passthrough only if your upstream service handles CORS natively. - -**5. Save the API** - -Click **Update** to save the API definition. - -**6. Verify** - -Open the API Playground on your Live Portal and send a test request. The request should complete without CORS errors in the browser console. - -### Tyk OAS API definition +1. **Locate the CORS block** -**1. Locate the CORS block** + In a Tyk OAS API definition, CORS configuration sits under `x-tyk-api-gateway.middleware.global.cors`. -In a Tyk OAS API definition, CORS configuration sits under `x-tyk-api-gateway.middleware.global.cors`. +2. **Add the CORS configuration** -**2. Add the CORS configuration** + ```yaml expandable + x-tyk-api-gateway: + middleware: + global: + cors: + enabled: true + allowedOrigins: + - "https://portal.example.com" + allowedMethods: + - GET + - POST + - PUT + - DELETE + - OPTIONS + allowedHeaders: + - Origin + - Content-Type + - Authorization + optionsPassthrough: false + ``` -```yaml expandable -x-tyk-api-gateway: - middleware: - global: - cors: - enabled: true - allowedOrigins: - - "https://portal.example.com" - allowedMethods: - - GET - - POST - - PUT - - DELETE - - OPTIONS - allowedHeaders: - - Origin - - Content-Type - - Authorization - optionsPassthrough: false -``` + Set `optionsPassthrough` to `false` (the default). When `false`, the Gateway intercepts OPTIONS preflight requests, responds with CORS headers, and does not forward the request to the upstream. -Set `optionsPassthrough` to `false` (the default). When `false`, the Gateway intercepts OPTIONS preflight requests, responds with CORS headers, and does not forward the request to the upstream. +3. **Import or update the API** -**3. Import or update the API** + Import the updated definition in Tyk Dashboard or update the API via the Tyk Dashboard API. -Import the updated definition in Tyk Dashboard or update the API via the Tyk Dashboard API. +4. **Verify** -**4. Verify** + Open the API Playground on your Live Portal and send a test request. The request should complete without CORS errors in the browser console. -Open the API Playground on your Live Portal and send a test request. The request should complete without CORS errors in the browser console. + +If you are using a **Tyk Classic API definition**, configure CORS in Tyk Dashboard under **APIs** > **Advanced Options** > **CORS**. See the [Classic API CORS reference](/api-management/gateway-config-tyk-classic#cross-origin-resource-sharing-cors) for details. + --- From 7f8463a00b6c6892567f8773687484fdc5dbb04c Mon Sep 17 00:00:00 2001 From: Sharad Regoti Date: Fri, 1 May 2026 14:36:13 +0530 Subject: [PATCH 03/10] Portal B20: prefer env + config file tabs, add config key links - Replace Kubernetes (Helm) tabs with Config file (JSON) tabs on all three Portal CORS steps - Link PORTAL_CORS_ENABLE and PORTAL_CORS_ALLOWED_ORIGINS to their exact anchors in the configuration reference wherever they appear in prose and warning callouts - Remove Type column from optional settings table --- portal/how-to-guides/configure-cors.mdx | 58 ++++++++++++++----------- 1 file changed, 33 insertions(+), 25 deletions(-) diff --git a/portal/how-to-guides/configure-cors.mdx b/portal/how-to-guides/configure-cors.mdx index d5c771c49..a29557220 100644 --- a/portal/how-to-guides/configure-cors.mdx +++ b/portal/how-to-guides/configure-cors.mdx @@ -20,12 +20,12 @@ Cross-origin request configuration in the Developer Portal involves two independ Portal application CORS controls which external origins may call the Portal's own Admin API and Live Portal routes. It is configured via environment variables on the Portal process. -`PORTAL_CORS_ENABLE` defaults to `false`. All cross-origin requests to the Portal are rejected until you set this to `true`. +[`PORTAL_CORS_ENABLE`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-enable) defaults to `false`. All cross-origin requests to the Portal are rejected until you set this to `true`. 1. **Enable CORS** - Set `PORTAL_CORS_ENABLE=true` on the Portal process. + Set [`PORTAL_CORS_ENABLE`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-enable) to `true` on the Portal process. @@ -33,18 +33,20 @@ Portal application CORS controls which external origins may call the Portal's ow PORTAL_CORS_ENABLE=true ``` - - ```yaml - extraEnvs: - - name: PORTAL_CORS_ENABLE - value: "true" + + ```json + { + "CORS": { + "Enable": true + } + } ``` 2. **Set allowed origins** - Set `PORTAL_CORS_ALLOWED_ORIGINS` to the origins permitted to make cross-origin requests to the Portal. Use the exact scheme and host of each origin, separated by commas. Wildcards are supported. + Set [`PORTAL_CORS_ALLOWED_ORIGINS`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allowed-origins) to the origins permitted to make cross-origin requests to the Portal. Use the exact scheme and host of each origin, separated by commas. Wildcards are supported. {/* TODO: Verify the default behavior when PORTAL_CORS_ALLOWED_ORIGINS is unset. Code analysis (rs/cors library) indicates an empty slice allows all origins. The configuration reference states no origins are allowed by default. Confirm with the Portal team before documenting a specific default. */} @@ -54,17 +56,22 @@ Portal application CORS controls which external origins may call the Portal's ow PORTAL_CORS_ALLOWED_ORIGINS=https://admin.example.com,https://developer.example.com ``` - - ```yaml - extraEnvs: - - name: PORTAL_CORS_ALLOWED_ORIGINS - value: "https://admin.example.com,https://developer.example.com" + + ```json + { + "CORS": { + "AllowedOrigins": [ + "https://admin.example.com", + "https://developer.example.com" + ] + } + } ``` - Do not set `PORTAL_CORS_ALLOWED_ORIGINS` to `*` when `PORTAL_CORS_ALLOW_CREDENTIALS=true`. The CORS specification does not allow credentialed requests from wildcard origins. Specify each origin explicitly instead. + Do not set [`PORTAL_CORS_ALLOWED_ORIGINS`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allowed-origins) to `*` when `PORTAL_CORS_ALLOW_CREDENTIALS=true`. The CORS specification does not allow credentialed requests from wildcard origins. Specify each origin explicitly instead. 3. **Set allowed headers and methods** @@ -78,23 +85,24 @@ Portal application CORS controls which external origins may call the Portal's ow PORTAL_CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS ``` - - ```yaml - extraEnvs: - - name: PORTAL_CORS_ALLOWED_HEADERS - value: "Authorization,Content-Type,X-Requested-With" - - name: PORTAL_CORS_ALLOWED_METHODS - value: "GET,POST,PUT,DELETE,OPTIONS" + + ```json + { + "CORS": { + "AllowedHeaders": ["Authorization", "Content-Type", "X-Requested-With"], + "AllowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"] + } + } ``` 4. **(Optional) Configure additional CORS settings** - | Config key | Type | Default | Description | - |---|---|---|---| - | [`CORS.MaxAge`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-max-age) | `int` | `0` | How long, in seconds, browsers may cache the preflight response. A positive value reduces preflight round trips. | - | [`CORS.AllowCredentials`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allow-credentials) | `bool` | `false` | Whether the Portal includes credentials (cookies, HTTP authentication) in CORS responses. | + | Config key | Default | Description | + |---|---|---| + | [`CORS.MaxAge`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-max-age) | `0` | How long, in seconds, browsers may cache the preflight response. A positive value reduces preflight round trips. | + | [`CORS.AllowCredentials`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allow-credentials) | `false` | Whether the Portal includes credentials (cookies, HTTP authentication) in CORS responses. | 5. **Restart the Portal** From 927d75265be821992a8878a05466d84053cc0a63 Mon Sep 17 00:00:00 2001 From: Sharad Regoti Date: Fri, 1 May 2026 14:36:45 +0530 Subject: [PATCH 04/10] F --- portal/how-to-guides/configure-cors.mdx | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/portal/how-to-guides/configure-cors.mdx b/portal/how-to-guides/configure-cors.mdx index d5c771c49..132ab5142 100644 --- a/portal/how-to-guides/configure-cors.mdx +++ b/portal/how-to-guides/configure-cors.mdx @@ -113,7 +113,9 @@ Portal application CORS controls which external origins may call the Portal's ow When a consumer tests an API using the API Playground on the Live Portal, the browser makes requests directly to the Tyk Gateway. The Portal does not proxy these requests and does not inject CORS headers. You must configure CORS on the API definition for each API exposed through the Portal. -**Tyk Gateway v5.8.6–v5.8.13:** A middleware ordering issue in these versions causes the allow list to run before CORS processing, returning `403 Forbidden` for OPTIONS preflight requests. Upgrade to Gateway v5.8.14 or later to resolve this. See [Troubleshoot CORS Issues](/portal/troubleshooting/cors-issues) for diagnosis steps. +**Tyk Gateway v5.8.6–v5.8.13:** A middleware ordering issue in these versions causes the allow list to run before CORS processing, returning `403 Forbidden` for OPTIONS preflight requests. + +Upgrade to Gateway v5.8.14 or later to resolve this. See [Troubleshoot CORS Issues](/portal/troubleshooting/cors-issues) for diagnosis steps. 1. **Locate the CORS block** @@ -145,9 +147,9 @@ When a consumer tests an API using the API Playground on the Live Portal, the br Set `optionsPassthrough` to `false` (the default). When `false`, the Gateway intercepts OPTIONS preflight requests, responds with CORS headers, and does not forward the request to the upstream. -3. **Import or update the API** +3. **Update the API** - Import the updated definition in Tyk Dashboard or update the API via the Tyk Dashboard API. + Update the API definition in Tyk Dashboard. 4. **Verify** @@ -157,9 +159,6 @@ When a consumer tests an API using the API Playground on the Live Portal, the br If you are using a **Tyk Classic API definition**, configure CORS in Tyk Dashboard under **APIs** > **Advanced Options** > **CORS**. See the [Classic API CORS reference](/api-management/gateway-config-tyk-classic#cross-origin-resource-sharing-cors) for details. ---- - ## Related - [Troubleshoot CORS Issues](/portal/troubleshooting/cors-issues) — diagnose and fix common CORS errors in the Developer Portal and API Playground -- [Portal configuration reference](/product-stack/tyk-enterprise-developer-portal/deploy/configuration) — full list of Portal environment variables From ca3ef098ff9d3f64c796f8b19a432b3122119d76 Mon Sep 17 00:00:00 2001 From: Sharad Regoti Date: Fri, 1 May 2026 14:37:09 +0530 Subject: [PATCH 05/10] Portal B20: remove backticks from linked env/config key references --- portal/how-to-guides/configure-cors.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/portal/how-to-guides/configure-cors.mdx b/portal/how-to-guides/configure-cors.mdx index a29557220..73bcc8156 100644 --- a/portal/how-to-guides/configure-cors.mdx +++ b/portal/how-to-guides/configure-cors.mdx @@ -20,12 +20,12 @@ Cross-origin request configuration in the Developer Portal involves two independ Portal application CORS controls which external origins may call the Portal's own Admin API and Live Portal routes. It is configured via environment variables on the Portal process. -[`PORTAL_CORS_ENABLE`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-enable) defaults to `false`. All cross-origin requests to the Portal are rejected until you set this to `true`. +[PORTAL_CORS_ENABLE](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-enable) defaults to `false`. All cross-origin requests to the Portal are rejected until you set this to `true`. 1. **Enable CORS** - Set [`PORTAL_CORS_ENABLE`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-enable) to `true` on the Portal process. + Set [PORTAL_CORS_ENABLE](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-enable) to `true` on the Portal process. @@ -46,7 +46,7 @@ Portal application CORS controls which external origins may call the Portal's ow 2. **Set allowed origins** - Set [`PORTAL_CORS_ALLOWED_ORIGINS`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allowed-origins) to the origins permitted to make cross-origin requests to the Portal. Use the exact scheme and host of each origin, separated by commas. Wildcards are supported. + Set [PORTAL_CORS_ALLOWED_ORIGINS](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allowed-origins) to the origins permitted to make cross-origin requests to the Portal. Use the exact scheme and host of each origin, separated by commas. Wildcards are supported. {/* TODO: Verify the default behavior when PORTAL_CORS_ALLOWED_ORIGINS is unset. Code analysis (rs/cors library) indicates an empty slice allows all origins. The configuration reference states no origins are allowed by default. Confirm with the Portal team before documenting a specific default. */} @@ -71,7 +71,7 @@ Portal application CORS controls which external origins may call the Portal's ow - Do not set [`PORTAL_CORS_ALLOWED_ORIGINS`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allowed-origins) to `*` when `PORTAL_CORS_ALLOW_CREDENTIALS=true`. The CORS specification does not allow credentialed requests from wildcard origins. Specify each origin explicitly instead. + Do not set [PORTAL_CORS_ALLOWED_ORIGINS](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allowed-origins) to `*` when `PORTAL_CORS_ALLOW_CREDENTIALS=true`. The CORS specification does not allow credentialed requests from wildcard origins. Specify each origin explicitly instead. 3. **Set allowed headers and methods** @@ -101,8 +101,8 @@ Portal application CORS controls which external origins may call the Portal's ow | Config key | Default | Description | |---|---|---| - | [`CORS.MaxAge`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-max-age) | `0` | How long, in seconds, browsers may cache the preflight response. A positive value reduces preflight round trips. | - | [`CORS.AllowCredentials`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allow-credentials) | `false` | Whether the Portal includes credentials (cookies, HTTP authentication) in CORS responses. | + | [CORS.MaxAge](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-max-age) | `0` | How long, in seconds, browsers may cache the preflight response. A positive value reduces preflight round trips. | + | [CORS.AllowCredentials](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allow-credentials) | `false` | Whether the Portal includes credentials (cookies, HTTP authentication) in CORS responses. | 5. **Restart the Portal** From 510f29291500ae66003922cc71042ee19f279e4c Mon Sep 17 00:00:00 2001 From: Sharad Regoti Date: Fri, 1 May 2026 14:46:17 +0530 Subject: [PATCH 06/10] F --- portal/how-to-guides/configure-cors.mdx | 2 -- 1 file changed, 2 deletions(-) diff --git a/portal/how-to-guides/configure-cors.mdx b/portal/how-to-guides/configure-cors.mdx index ae854be2c..12a5bb914 100644 --- a/portal/how-to-guides/configure-cors.mdx +++ b/portal/how-to-guides/configure-cors.mdx @@ -112,8 +112,6 @@ Portal application CORS controls which external origins may call the Portal's ow Open your browser developer tools and make a cross-origin request to the Portal from an allowed origin. The response headers should include `Access-Control-Allow-Origin` and the request should succeed. - {/* TODO: Screenshot — Portal response headers in browser DevTools Network tab showing Access-Control-Allow-Origin header present */} - --- ## Configure Gateway CORS for APIs From b7fede5d0bc519a5a862e5704866faa372878b7d Mon Sep 17 00:00:00 2001 From: Sharad Regoti Date: Fri, 1 May 2026 14:55:16 +0530 Subject: [PATCH 07/10] Portal B20 + config ref: correct PORTAL_CORS_ALLOWED_ORIGINS default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OEL confirmed: rs/cors v1.11.1 treats an empty AllowedOrigins slice as allow-all (sets allowedOriginsAll=true). When PORTAL_CORS_ALLOWED_ORIGINS is unset the Portal allows all origins — not "no origins" as previously stated. Update both B20 and configuration.mdx to reflect actual behavior. --- portal/how-to-guides/configure-cors.mdx | 2 +- .../tyk-enterprise-developer-portal/deploy/configuration.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/portal/how-to-guides/configure-cors.mdx b/portal/how-to-guides/configure-cors.mdx index 12a5bb914..99064315f 100644 --- a/portal/how-to-guides/configure-cors.mdx +++ b/portal/how-to-guides/configure-cors.mdx @@ -48,7 +48,7 @@ Portal application CORS controls which external origins may call the Portal's ow Set [PORTAL_CORS_ALLOWED_ORIGINS](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allowed-origins) to the origins permitted to make cross-origin requests to the Portal. Use the exact scheme and host of each origin, separated by commas. Wildcards are supported. - {/* TODO: Verify the default behavior when PORTAL_CORS_ALLOWED_ORIGINS is unset. Code analysis (rs/cors library) indicates an empty slice allows all origins. The configuration reference states no origins are allowed by default. Confirm with the Portal team before documenting a specific default. */} + When unset, all origins are allowed by default. Specify origins explicitly to restrict access. diff --git a/product-stack/tyk-enterprise-developer-portal/deploy/configuration.mdx b/product-stack/tyk-enterprise-developer-portal/deploy/configuration.mdx index 418366927..c219aca3f 100644 --- a/product-stack/tyk-enterprise-developer-portal/deploy/configuration.mdx +++ b/product-stack/tyk-enterprise-developer-portal/deploy/configuration.mdx @@ -522,7 +522,7 @@ In other words, any cross-origin request will be denied. When enabled, the below **Config file:** CORS.AllowedOrigins
**Type:** `[string]`
**Description**: A list of origin domains to allow access from. Wildcards are also supported, e.g. [`*.foo.com`] will allow access from any domain that ends with *.foo.com*. -By default, no origins are allowed. To apply this setting, an array of the allowed origins. +When unset, all origins are allowed by default. Specify origins explicitly to restrict access. To configure using a configuration file: ```json From 914ee6fd62ec9e68d174254f3d31f09ecdb341c4 Mon Sep 17 00:00:00 2001 From: Sharad Regoti Date: Fri, 1 May 2026 15:10:26 +0530 Subject: [PATCH 08/10] Portal B10: apply review learnings to CORS troubleshooting page - Add sidebarTitle and keywords to frontmatter - Link PORTAL_CORS_ENABLE, PORTAL_CORS_ALLOW_CREDENTIALS, and PORTAL_CORS_ALLOWED_ORIGINS in prose to their config reference anchors - Replace em-dashes in all four accordion titles with restructured phrasing --- portal/troubleshooting/cors-issues.mdx | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/portal/troubleshooting/cors-issues.mdx b/portal/troubleshooting/cors-issues.mdx index 7ab051476..86529f429 100644 --- a/portal/troubleshooting/cors-issues.mdx +++ b/portal/troubleshooting/cors-issues.mdx @@ -1,12 +1,14 @@ --- title: "Troubleshoot CORS Issues" +sidebarTitle: "CORS Issues" description: "Diagnose and fix CORS errors in the Tyk Developer Portal and API Playground." +keywords: "CORS, troubleshooting, Access-Control-Allow-Origin, API Playground, PORTAL_CORS_ENABLE, TT-15960" --- Cross-origin errors in the Developer Portal arise from two independent layers: the Portal application itself and the Tyk Gateway APIs that the API Playground calls directly. Identify which layer is failing before applying a fix. - + **Symptom** Requests from your application to the Portal Admin API or Live Portal routes fail. The browser console shows: @@ -19,14 +21,14 @@ Cross-origin errors in the Developer Portal arise from two independent layers: t **Cause** - `PORTAL_CORS_ENABLE` is `false` (the default). The Portal's CORS middleware is disabled, so no `Access-Control-Allow-Origin` header is added to any response and `OPTIONS` preflight requests fall through to the router with no matching handler. + [PORTAL_CORS_ENABLE](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-enable) is `false` (the default). The Portal's CORS middleware is disabled, so no `Access-Control-Allow-Origin` header is added to any response and `OPTIONS` preflight requests fall through to the router with no matching handler. **Fix** Enable Portal CORS and set your allowed origins. See [Configure Portal Application CORS](/portal/how-to-guides/configure-cors#configure-portal-application-cors). - + **Symptom** Test requests in the API Playground fail. The browser console shows one of: @@ -46,7 +48,7 @@ Cross-origin errors in the Developer Portal arise from two independent layers: t Configure CORS on the API definition and add your Portal URL to the allowed origins. See [Configure Gateway CORS for APIs](/portal/how-to-guides/configure-cors#configure-gateway-cors-for-apis). - + **Symptom** API Playground requests fail on Gateway versions v5.8.6 through v5.8.13, even when CORS is correctly configured and the Portal origin is in `allowed_origins`. The browser console shows: @@ -74,7 +76,7 @@ Cross-origin errors in the Developer Portal arise from two independent layers: t Upgrade Tyk Gateway to v5.8.14 or later, where the middleware ordering is corrected. - + **Symptom** Credentialed cross-origin requests to the Portal fail. The browser console shows: @@ -85,7 +87,7 @@ Cross-origin errors in the Developer Portal arise from two independent layers: t **Cause** - `PORTAL_CORS_ALLOW_CREDENTIALS=true` is set alongside `PORTAL_CORS_ALLOWED_ORIGINS=*`. The Portal's CORS library (`rs/cors`) does not reject this combination at startup — it returns both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` in the response. The CORS specification forbids this combination, so the browser rejects the response. + [PORTAL_CORS_ALLOW_CREDENTIALS](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allow-credentials)=true is set alongside [PORTAL_CORS_ALLOWED_ORIGINS](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allowed-origins)=*. The Portal's CORS library (`rs/cors`) does not reject this combination at startup — it returns both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` in the response. The CORS specification forbids this combination, so the browser rejects the response. **Fix** From 524ab2a6fcf6d65c85a661f2f49c75da99ecd036 Mon Sep 17 00:00:00 2001 From: Sharad Regoti Date: Fri, 1 May 2026 15:14:54 +0530 Subject: [PATCH 09/10] F --- portal/troubleshooting/cors-issues.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/portal/troubleshooting/cors-issues.mdx b/portal/troubleshooting/cors-issues.mdx index 86529f429..20be4a52a 100644 --- a/portal/troubleshooting/cors-issues.mdx +++ b/portal/troubleshooting/cors-issues.mdx @@ -2,7 +2,7 @@ title: "Troubleshoot CORS Issues" sidebarTitle: "CORS Issues" description: "Diagnose and fix CORS errors in the Tyk Developer Portal and API Playground." -keywords: "CORS, troubleshooting, Access-Control-Allow-Origin, API Playground, PORTAL_CORS_ENABLE, TT-15960" +keywords: "CORS, troubleshooting, Access-Control-Allow-Origin, API Playground, PORTAL_CORS_ENABLE," --- Cross-origin errors in the Developer Portal arise from two independent layers: the Portal application itself and the Tyk Gateway APIs that the API Playground calls directly. Identify which layer is failing before applying a fix. @@ -48,7 +48,7 @@ Cross-origin errors in the Developer Portal arise from two independent layers: t Configure CORS on the API definition and add your Portal URL to the allowed origins. See [Configure Gateway CORS for APIs](/portal/how-to-guides/configure-cors#configure-gateway-cors-for-apis). - + **Symptom** API Playground requests fail on Gateway versions v5.8.6 through v5.8.13, even when CORS is correctly configured and the Portal origin is in `allowed_origins`. The browser console shows: @@ -69,7 +69,7 @@ Cross-origin errors in the Developer Portal arise from two independent layers: t **Cause** - A middleware ordering regression (TT-15960) in Gateway versions v5.8.6–v5.8.13 caused the allow-list middleware (`VersionCheck`) to run before the CORS middleware. The allow-list evaluates the `OPTIONS` method against endpoint rules and returns `403 Forbidden` before the CORS middleware can intercept and handle the preflight. + A middleware ordering regression in Gateway versions v5.8.6–v5.8.13 caused the allow-list middleware (`VersionCheck`) to run before the CORS middleware. The allow-list evaluates the `OPTIONS` method against endpoint rules and returns `403 Forbidden` before the CORS middleware can intercept and handle the preflight. **Fix** From e5026321c3280ec203c1b0eb3f0f8c8b6f743f31 Mon Sep 17 00:00:00 2001 From: Master Date: Fri, 1 May 2026 15:17:37 +0530 Subject: [PATCH 10/10] Apply suggestions from code review Co-authored-by: Master --- portal/how-to-guides/configure-cors.mdx | 2 +- portal/troubleshooting/cors-issues.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/portal/how-to-guides/configure-cors.mdx b/portal/how-to-guides/configure-cors.mdx index 99064315f..c71ee4509 100644 --- a/portal/how-to-guides/configure-cors.mdx +++ b/portal/how-to-guides/configure-cors.mdx @@ -1,5 +1,5 @@ --- -title: "How to Configure CORS" +title: "How to Configure CORS in Developer Portal" sidebarTitle: "Configure CORS" description: "Configure CORS for the Tyk Developer Portal application and for APIs exposed in the Live Portal, enabling consumers to test APIs from the API Playground." keywords: "CORS, cross-origin resource sharing, Developer Portal CORS, Gateway CORS, API Playground, PORTAL_CORS_ENABLE" diff --git a/portal/troubleshooting/cors-issues.mdx b/portal/troubleshooting/cors-issues.mdx index 20be4a52a..4539e3771 100644 --- a/portal/troubleshooting/cors-issues.mdx +++ b/portal/troubleshooting/cors-issues.mdx @@ -1,5 +1,5 @@ --- -title: "Troubleshoot CORS Issues" +title: "Troubleshoot CORS Issues in Developer Portal" sidebarTitle: "CORS Issues" description: "Diagnose and fix CORS errors in the Tyk Developer Portal and API Playground." keywords: "CORS, troubleshooting, Access-Control-Allow-Origin, API Playground, PORTAL_CORS_ENABLE,"