CORS Reference

    Overview

    Cross-Origin Resources Sharing (CORS) provides a mechanism to control permission to resources on a server on a different domain or origin than the originating request. Practically, this means that in order to make HTTP requests in JavaScript to FusionAuth when the request is coming from a different domain, CORS needs to be configured to allow the request.

    Most of the time this works as designed, you do not need to think much about CORS configuration. In some cases you may find the configuration is restricting the way you want to use FusionAuth, especially if you are building out browser-based single page applications (SPAs). If this happens, FusionAuth allows you to modify or enable the CORS filter.

    Configuration

    Available Since Version 1.8.0.

    To modify the default CORS configuration navigate to Settings → System → CORS. Please utilize caution when modifying this configuration, with great power comes great responsibility.

    CORS Configuration

    Form Fields

    Enabled

    When enabled, the CORS filter will process requests made to FusionAuth. The default setting disables the CORS filter, and all CORS requests will be denied.

    Allow credentials

    The Access-Control-Allow-Credentials response header values as described by MDN Access-Control-Allow-Credentials.

    Allowed headers

    The Access-Control-Allow-Headers response header values as described by MDN Access-Control-Allow-Headers.

    Allowed methods

    The Access-Control-Allow-Methods response header values as described by MDN Access-Control-Allow-Methods.

    Allowed origins

    The Access-Control-Allow-Origin response header values as described by MDN Access-Control-Allow-Origin. If the wildcard * is specified, no additional domains may be specified.

    Exposed headers

    The Access-Control-Expose-Headers response header values as described by MDN Access-Control-Expose-Headers.

    Preflight max age

    The Access-Control-Max-Age response header values as described by MDN Access-Control-Max-Age.

    Debug enabled Available since 1.25.0

    Enable debug to create an event log to assist you in debugging 403 HTTP response codes. When enabled, a Debug event log will be created when the FusionAuth CORS filter returns a 403 detailing the reason for the response to assist you in configuration.

    CORS Excluded URI Paths

    We have excluded some paths from FusionAuth CORS filtering in order to force same-origin browser requests on these paths. The following are the URL patterns excluded from our CORS filter.

    • /account*

    • /admin*

    • /support*

    • /ajax*

    Default Configuration

    The following reference has been provided in case you want to return the CORS filter configuration to the original values provided by FusionAuth.

    Default Configuration

    Enabled

    false, but you need this to be true to process any CORS requests.

    Allow credentials

    false

    Allowed headers

    Accept, Access-Control-Request-Headers, Access-Control-Request-Method, Authorization, Content-Type, Last-Modified, Origin, X-FusionAuth-TenantId, X-Requested-With

    Allowed methods

    • GET

    • OPTIONS

    Allowed origins

    None

    Exposed headers

    • Access-Control-Allow-Origin

    • Access-Control-Allow-Credentials

    Preflight max age

    1800

    Feedback

    How helpful was this page?

    See a problem?

    File an issue in our docs repo

    Have a question or comment to share?

    Visit the FusionAuth community forum.