magento2-cors

Configuring CORS Headers

Available Configurations

We provide several configuration keys for you to configure. The configurations for REST and GraphQL are split to accommodate the "Security by Default" mentality: each API gets its own set of allowed origins, methods, headers, max age and credentials flag, so opening one up does not open the other.

Configuring for local or on-premises installations

You can add the following to your app/etc/env.php to configure the package.

<?php
return [
    ...
    'system' => [
        'default' => [
            'web' => [
                // Settings for the GraphQL endpoint
                'graphql' => [
                    // Comma-separated list of origins allowed to call the endpoint (or '*')
                    'cors_allowed_origins' => 'https://www.graphql.com, https://www.myotherallowedorigin',
                    // Comma-separated list of HTTP methods allowed in cross-origin requests
                    'cors_allowed_methods' => 'POST, OPTIONS',
                    // Comma-separated list of request headers allowed; empty means none are advertised
                    'cors_allowed_headers' => '',
                    // How long (seconds) the browser may cache the preflight response
                    'cors_max_age' => '86400',
                    // 1 to allow cookies/authorization credentials on cross-origin requests, 0 to disallow
                    'cors_allow_credentials' => 1
                ],
                // Settings for the REST API; same keys as above, configured independently
                'api_rest' => [
                    'cors_allowed_origins' => 'https://www.restapi.com, https://www.myotherallowedorigin',
                    'cors_allowed_methods' => 'GET, POST, OPTIONS',
                    'cors_allowed_headers' => '',
                    'cors_max_age' => '86400',
                    'cors_allow_credentials' => 0
                ]
            ]
        ]
    ]
    ...
];

You can also optionally set the cors_allowed_origins key to * if you want to allow ALL origins access to the resource, but we strongly suggest you understand the ramifications of this before doing so. Note also that the CORS specification disallows a wildcard Access-Control-Allow-Origin when the cors_allow_credentials flag is enabled. If this is the case, the server will instead echo the request Origin back as the Access-Control-Allow-Origin value, which in practice means any origin is trusted with credentials.
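As an added illustration of the origin rules described above (this is not the module's own code), the following PHP takes the web section of an env.php array like the one shown earlier and works out which CORS response headers apply for a given request Origin. The function name corsHeadersFor and the sample config are constructed here for the example.

```php
<?php
declare(strict_types=1);

// Returns the CORS response headers for $requestOrigin under the config of
// $area ('graphql' or 'api_rest'), following the rules documented above.
function corsHeadersFor(array $webConfig, string $area, string $requestOrigin): array
{
    if ($requestOrigin === '') {
        return []; // same-origin or non-browser request: no CORS headers needed
    }
    $cfg = $webConfig[$area] ?? [];
    $allowedList = array_filter(array_map('trim', explode(',', (string)($cfg['cors_allowed_origins'] ?? ''))));
    $credentials = (bool)($cfg['cors_allow_credentials'] ?? 0);

    $headers = [];
    if (in_array('*', $allowedList, true)) {
        // Wildcard: the spec forbids '*' together with credentials, so the Origin is echoed instead.
        $headers['Access-Control-Allow-Origin'] = $credentials ? $requestOrigin : '*';
    } elseif (in_array($requestOrigin, $allowedList, true)) {
        // Exact string match only: scheme, host and port all have to agree.
        $headers['Access-Control-Allow-Origin'] = $requestOrigin;
    } else {
        return []; // origin not on the list: send no CORS headers at all
    }

    if ($headers['Access-Control-Allow-Origin'] !== '*') {
        $headers['Vary'] = 'Origin'; // stop shared caches serving one origin's answer to another
    }
    if ($credentials) {
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    $map = ['cors_allowed_methods' => 'Access-Control-Allow-Methods',
            'cors_allowed_headers' => 'Access-Control-Allow-Headers',
            'cors_max_age'         => 'Access-Control-Max-Age'];
    foreach ($map as $key => $header) {
        if (($cfg[$key] ?? '') !== '') {
            $headers[$header] = (string)$cfg[$key]; // empty values are simply not advertised
        }
    }
    return $headers;
}

// Constructed sample config: GraphQL uses the wildcard with credentials, REST uses an explicit list.
$web = [
    'graphql'  => ['cors_allowed_origins' => '*', 'cors_allowed_methods' => 'POST, OPTIONS',
                   'cors_allowed_headers' => '', 'cors_max_age' => '86400', 'cors_allow_credentials' => 1],
    'api_rest' => ['cors_allowed_origins' => 'https://www.restapi.com, https://www.myotherallowedorigin',
                   'cors_allowed_methods' => 'GET, POST, OPTIONS', 'cors_allowed_headers' => '',
                   'cors_max_age' => '86400', 'cors_allow_credentials' => 0],
];
print_r(corsHeadersFor($web, 'graphql', 'https://some-other-site.example'));  // wildcard with credentials
print_r(corsHeadersFor($web, 'api_rest', 'https://www.restapi.com'));         // exact match on the list
print_r(corsHeadersFor($web, 'api_rest', 'https://some-other-site.example')); // origin not on the list
```

The first call shows the case the paragraph warns about: with * and credentials enabled, whatever Origin the browser sends is echoed back as allowed.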

Configuring for Commerce Cloud

In Commerce Cloud environments, the app/etc/env.php file is unavailable for configuring this module. Instead, use the cloud UI to set ENV settings, as documented at https://experienceleague.adobe.com/docs/commerce-cloud-service/user-guide/configure/env/variable-levels.html and https://experienceleague.adobe.com/en/docs/commerce-operations/configuration-guide/paths/override-config-settings. Here is an example of the syntax for the cors_allowed_methods value:

[Image: screenshot of the setting in the Commerce Cloud UI]

Examples