CORS Configuration Reference

A CORS configuration is a JSON file in which you define the rules that identify the origins and HTTP methods that can be executed on a bucket.

With a CORS configuration, you can enable cross-origin resource sharing (CORS) on a bucket to allow the bucket to serve cross-origin requests.

This page describes the elements you can specify in a CORS configuration file. Once you have written the file, you need to apply it to your bucket. For more information, see Applying a CORS Configuration to a Bucket.

You can define up to 100 rules in a CORS configuration.

To create a CORS configuration, you need to create a JSON file following this structure:

Configuration structure
{
  "CORSRules": [
    {
      "AllowedHeaders": ["xxx","yyy"],
      "AllowedMethods": ["PUT", "POST", "DELETE"],
      "AllowedOrigins": ["https://www.example.com", "https://www.foobar.example"],
      "ExposeHeaders": ["Content-Type"],
      "MaxAgeSeconds": 3000
    },
    {
      "AllowedHeaders": ["Authorization"],
      "AllowedMethods": ["GET"],
      "AllowedOrigins": ["https://yourdomain.tld", "https://www.your_domain.com"],
      "MaxAgeSeconds": 3000
    }
  ]
}

This file contains the following attributes:

Attribute Required Description

AllowedHeaders

Yes

The headers specified in the Access-Control-Request-Headers header. These headers are allowed in preflight OPTIONS requests. In response to preflight OPTIONS requests, allowed requested headers are returned.

AllowedMethods

Yes

One or more HTTP methods (GET | PUT | HEAD | POST | DELETE) that you allow the origin to execute.

AllowedOrigins

Yes

One or more origins you want to be able to access the bucket from.

ExposeHeaders

No

One or more headers in the response that you want to make accessible.

MaxAgeSeconds

Yes

The duration in seconds that the preflight response for the specified source can be cached.

Related Pages

Export to PDF