cors headers

[navinSing]

how to add cors headers similar to haproxy's rspadd .. etc

This would be much needed and common feature.

Need a quick fix to add (cors) headers to outgoing messages .. for now.

for ex: in haproxy's backend we add ,..
rspadd Access-Control-Allow-Origin:
rspadd Access-Control-Headers:\

Restrictions on frontends can be added later.

[emilevauge]

Hi @navinSing, this is certainly an interesting feature. As Traefik uses negroni to manage network middlewares, we could use https://github.com/rs/cors to make it work.
This is not in my top priority for now, would you be interested to make a PR on that?

[navinSing]

Hi @emilevauge
can you please give an example to make it work .. rs/cors , or a possible way to intergrate the same for now, as this is blocker for me(any example for the workaround will be helpful); else would have to switch to some other frameworks.

[navinSing]

sorry still not sure how to do it .. like rspadd Access-Control-Allow-Origin:\ etc ..

in both frontends and backends

[emilevauge]

Hi @navinSing, as I said you can't do it right now, some dev is needed to make it work.

[navinSing]

any rough timelines..
don't have much hands on with golang ..

[sandstrom]

Somewhat related, being able to modify (add/edit/remove) headers in the responses returned from backends would be nice (used for other things too). There is already a broader issue on this open: #30

Just trying to help with some issue-gardening. 🌳 🍃 🌷

[mathieu-pousse]

@navinSing practically, it is up to your backend to add the CORS headers to the response and to tune the security more than to the reverse proxy.

[michaelkrog]

@navinSing There are certainly situations where CORS from the backend is impractical.

We are in the process of dividing our backend from a monolith to many microservices. Together they expose one API. We do not want each of the services to decide the CORS header. We want one unified CORS header for the whole API – and that would fit nicely in our edge proxy.

Edit
Also, some of our services will be used by other public API's and they would need other CORS headers, when exposed there.

[zytek]

We have >100 services under one API and would also prefer to manage headers on the loadbalancer itself.

[athoune]

there is a lot of security related headers, not just CORS : https://blog.appcanary.com/2017/http-security-headers.html

[andrewmclagan]

Any movement on this issue.?

I feel allot of people use traefik as an API gateway, having forward proxy features such as CORS is such a huge win in these cases. Draining the need for each service to manage it independently.

[ldez]

You can track those PR #1292 #1236

[ldez]

Closed by #1236.