You are here

CORS configuration

Cross Origin Resource Sharing (CORS) can be enabled and configured in the alfresco-global.properties file.
CORS is disabled by default. To enable it, set the following property to true:
cors.enabled=
Important: This feature is only available when using Tomcat.

If CORS is enabled then CORS requests can be made to all endpoints under /alfresco

Use the following properties to configure CORS:

Property Description
cors.allowed.origins Set the hosts allowed in cross origin requests.

By default, the value is empty, which forbids clients hosted on any server to access the resources.

You can specify a host, for example, http://www.example.org:8080, which will only allow requests from this host.

A * value permits all clients hosted on any server to access the resources.

It is recommended to restrict this setting to origins within your organization.

cors.allowed.methods Set which HTTP requests are permitted. Possible values should be comma separated and include:
  • DELETE
  • GET
  • HEAD
  • OPTIONS
  • POST
  • PUT
cors.allowed.headers Set which headers are permitted in request headers, manually or programmatically in addition to the ones set by the user agent. Values should be comma separated and include:
  • Accept
  • Access-Control-Request-Headers
  • Access-Control-Request-Method
  • Authorization
  • Cache-Control
  • Content-Type
  • Origin
  • X-CSRF-Token
  • X-Requested-With
cors.exposed.headers Set which headers are whitelisted for the client to access from the server.
cors.support.credentials Set whether HTTP cookie and HTTP authentication-based credentials are allowed.

This is a boolean value.

cors.preflight.maxage Set the maximum time for caching a preflight request.

Preflighted requests use the OPTIONS method to verify resource availability and then request it.

This property is expressed in minutes.

The following is an example configuration for the alfresco-global.properties file:

cors.enabled=true
cors.allowed.origins=http://alfresco.com:8080
cors.allowed.methods=GET,POST,PUT
cors.allowed.headers=Authorization,Content-Type,Cache-Control,X-Requested-With,X-CSRF-Token
cors.exposed.headers=Access-Control-Allow-Origin,Access-Control-Allow-Credentials
cors.support.credentials=true
cors.preflight.maxage=10

Sending feedback to the Alfresco documentation team

You don't appear to have JavaScript enabled in your browser. With JavaScript enabled, you can provide feedback to us using our simple form. Here are some instructions on how to enable JavaScript in your web browser.