
/sys/config/cors

The /sys/config/cors endpoint is used to configure CORS settings.

  • sudo required – All CORS endpoints require sudo capability in addition to any path-specific capabilities.

Read CORS settings

This endpoint returns the current CORS configuration.

Method  Path
GET     /sys/config/cors

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/config/cors

Sample response

{
  "enabled": true,
  "allowed_origins": ["http://www.example.com"],
  "allowed_headers": [
    "Content-Type",
    "X-Requested-With",
    "X-Vault-No-Request-Forwarding",
    "X-Vault-Token",
    "Authorization",
    "X-Vault-Wrap-Format",
    "X-Vault-Wrap-TTL"
  ]
}

Configure CORS settings

This endpoint allows configuring the origins that are permitted to make cross-origin requests, as well as headers that are allowed on cross-origin requests.

Method  Path
POST    /sys/config/cors

Parameters

  • allowed_origins (string or string array: <required>) – A wildcard (*), comma-delimited string, or array of strings specifying the origins that are permitted to make cross-origin requests.

  • allowed_headers (string or string array: "" or []) – A comma-delimited string or array of strings specifying headers that are permitted to be on cross-origin requests. Headers set via this parameter will be appended to the list of headers that OpenBao allows by default.

Sample payload

{
  "allowed_origins": "*",
  "allowed_headers": "X-Custom-Header"
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/config/cors
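
An added example, not part of the OpenBao documentation: a pre-flight check that normalizes the documented forms of allowed_origins and allowed_headers (wildcard, comma-delimited string, array) and reports findings for a payload or a read response before it is applied. The function names, the severity labels and the baseline header set (copied from the sample response above) are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Header names copied from the sample response on this page; used here as the
# baseline so that anything else is reported as a custom addition (assumption).
SAMPLE_BASELINE_HEADERS = {
    "content-type", "x-requested-with", "x-vault-no-request-forwarding",
    "x-vault-token", "authorization", "x-vault-wrap-format", "x-vault-wrap-ttl",
}

def as_list(value):
    """Normalize the documented forms: comma-delimited string or array."""
    if isinstance(value, str):
        value = value.split(",")
    return [item.strip() for item in (value or []) if item.strip()]

def audit_cors(config):
    """Return (severity, message) findings for a CORS payload or response."""
    findings = []
    origins = as_list(config.get("allowed_origins"))
    if not origins:
        findings.append(("error", "allowed_origins is required and is empty"))
    for origin in origins:
        if origin == "*":
            findings.append(("high", "wildcard: any origin may make cross-origin requests"))
            continue
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(("error", f"not a scheme://host[:port] origin: {origin}"))
        elif parts.path or parts.query or parts.fragment:
            findings.append(("error", f"browsers send Origin without a path or query: {origin}"))
        elif parts.scheme == "http":
            findings.append(("medium", f"plaintext origin: {origin}"))
    for header in as_list(config.get("allowed_headers")):
        if header.lower() not in SAMPLE_BASELINE_HEADERS:
            findings.append(("info", f"custom header allowed: {header}"))
    return findings

# Constructed inputs: the sample payload and a shortened sample response from this page.
SAMPLE_PAYLOAD = json.loads('{"allowed_origins": "*", "allowed_headers": "X-Custom-Header"}')
SAMPLE_RESPONSE = json.loads('{"enabled": true, "allowed_origins": ["http://www.example.com"],'
                             ' "allowed_headers": ["Content-Type", "X-Vault-Token"]}')

if __name__ == "__main__":
    for name, cfg in (("payload", SAMPLE_PAYLOAD), ("response", SAMPLE_RESPONSE)):
        for severity, message in audit_cors(cfg):
            print(f"{name}: [{severity}] {message}")
```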

Delete CORS settings

This endpoint removes any CORS configuration.

Method  Path
DELETE  /sys/config/cors

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/config/cors