CORS Reference - FusionAuth

1. Overview

Cross-Origin Resources Sharing (CORS) provide a mechanism to control permission to resources on a server on a different domain or origin than the originating request. Practically this means that in order to make HTTP requests in JavaScript to FusionAuth when the request is coming from a different domain CORS needs to be configured to allow the request.

Most of the time this works as designed you do not need to think much about CORS configuration. In some cases you may find the configuration is restricting the way you want to use FusionAuth. If this happens FusionAuth allows you to modify or disable the CORS filter.

2. Configuration

Available Since Version 1.8.0.

To modify the default CORS configuration navigate to Settings System CORS. Please utilize caution when modifying this configuration, with great power comes great responsibility.

Table 1. Form Fields
Enabled	When enabled, the CORS filter will process requests made to FusionAuth.
Allow credentials	The `Access-Control-Allow-Credentials` response header values as described by MDN Access-Control-Allow-Credentials.
Allowed headers	The `Access-Control-Allow-Headers` response header values as described by MDN Access-Control-Allow-Headers.
Allowed methods	The `Access-Control-Allow-Methods` response header values as described by MDN Access-Control-Allow-Methods.
Allowed origins	The `Access-Control-Allow-Origin` response header values as described by MDN Access-Control-Allow-Origin. If the wildcard `*` is specified, no additional domains may be specified.
Exposed headers	The `Access-Control-Expose-Headers` response header values as described by MDN Access-Control-Expose-Headers.
Preflight max age	The `Access-Control-Max-Age` response header values as described by MDN Access-Control-Max-Age.

2.1. CORS Excluded URI Paths

We have excluded some paths from FusionAuth CORS filtering in order to force same-origin browser requests on these paths. The following are the URL patterns excluded from our CORS filter.

/account*
/admin*
/support*
/ajax*

3. Default Configuration

The following reference has been provided in case you want to return the CORS filter configuration to the original values provided by FusionAuth.

Table 2. Default Configuration
Enabled	`true`
Allow credentials	`true`
Allowed headers	`Accept` `Access-Control-Request-Headers` `Access-Control-Request-Method` `Authorization Content-Type` `Last-Modified` `Origin` `X-FusionAuth-TenantId` `X-Requested-With`
Allowed methods	`GET` `POST` `PUT` `DELETE` `HEAD` `OPTIONS`
Allowed origins	`*`
Exposed headers	`Access-Control-Allow-Origin` `Access-Control-Allow-Credentials`
Preflight max age	`1800`

4. Legacy Configuration

Prior to version 1.8.0, the CORS configuration was fixed and not modifiable. Below you will find a summary of the configuration in case it is helpful.

4.1. CORS Included URI Paths

The following URLs or URL patterns will pass through the CORS filter.

/api/*
/oauth2/introspect
/oauth2/userinfo
/.well-known/openid-configuration
/.well-known/jwks
/.well-known/jwks.json

Table 3. Legacy CORS Configuration
Access-Control-Allow-Credentials	`true`
Access-Control-Allow-Origin	`*`
Access-Control-Allow-Methods	`GET,POST,HEAD,OPTIONS,PUT,DELETE`
Access-Control-Allow-Headers	`Content-Type,X-Requested-With,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,Last-Modified,X-FusionAuth-TenantId`
Access-Control-Expose-Headers	`Access-Control-Allow-Origin,Access-Control-Allow-Credentials`
Access-Control-Max-Age	`1800`