feat: allows to configure specific CORS headers

This closes gravitee-io/issues#160
gravitee-io · Jan 26, 2018 · e3fd20e · e3fd20e
1 parent 1487292
commit e3fd20e
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/upgrades/1.13.0/README.adoc b/upgrades/1.13.0/README.adoc
@@ -8,3 +8,22 @@ Before running any script, please create a dump of your existing database.
 upgrades/1.13.0/mongodb/1-convert-groups.js::
 This script move API reference into the subscription object.
 
+== Management
+=== Security - CORS
+
+For a security reason, now you have to configure CORS, at least 'allow-origin' property. Otherwise the UI won't be able to call rest-api over a different origin.
+
+[source]
+----
+http:
+  cors:
+    # Allows to configure the header Access-Control-Allow-Origin (default value: no origins allowed)
+    # '*' is a valid value but is considered as a security risk as it will be opened to cross origin requests from anywhere.
+    #allow-origin: 'http://localhost:8080'
+    # Allows to define how long the result of the preflight request should be cached for (default value; 1728000 [20 days])
+    #max-age: 864000
+    # Which methods to allow (default value: OPTIONS, HEAD, GET, POST, PUT, DELETE)
+    #allow-methods: 'OPTIONS, HEAD, GET, POST, PUT'
+    # Which headers to allow (default value: X-Requested-With, Content-Type, Content-Length)
+    #allow-headers: 'X-Requested-With, Content-Type, Content-Length'
+----