Vault
/sys/config/cors
[!IMPORTANT]
Documentation Update: Product documentation, which was located in this repository under /website, is now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be made in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website.
Restricted endpoint
Clients must call the API path from the root namespace.
The /sys/config/cors endpoint is used to configure CORS settings.
sudo required – All CORS endpoints require sudo capability in addition to any path-specific capabilities.
Read CORS settings
This endpoint returns the current CORS configuration.
Method | Path |
---|---|
GET | /sys/config/cors |
Sample request
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/config/cors
Sample response
{
  "enabled": true,
  "allowed_origins": ["http://www.example.com"],
  "allowed_headers": [
    "Content-Type",
    "X-Requested-With",
    "X-Vault-AWS-IAM-Server-ID",
    "X-Vault-No-Request-Forwarding",
    "X-Vault-Token",
    "Authorization",
    "X-Vault-Wrap-Format",
    "X-Vault-Wrap-TTL"
  ]
}
Configure CORS settings
This endpoint allows configuring the origins that are permitted to make cross-origin requests, as well as headers that are allowed on cross-origin requests.
Enterprise
The CORS configuration endpoint does not apply changes across clusters. If you use performance replication, you must invoke the configuration endpoint on each secondary cluster independently to mirror the primary cluster CORS configuration.
Method | Path |
---|---|
POST | /sys/config/cors |
Parameters
allowed_origins (string or string array: <required>) – A wildcard (*), comma-delimited string, or array of strings specifying the origins that are permitted to make cross-origin requests.
allowed_headers (string or string array: "" or []) – A comma-delimited string or array of strings specifying headers that are permitted to be on cross-origin requests. Headers set via this parameter will be appended to the list of headers that Vault allows by default.
Sample payload
{
  "allowed_origins": "*",
  "allowed_headers": "X-Custom-Header"
}
Sample request
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/config/cors
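Because the configuration is not applied across clusters, a secondary's CORS settings can differ from the primary's, and a wildcard in allowed_origins permits every origin. The following added example (not part of the Vault documentation or code base) audits and compares saved GET /sys/config/cors response bodies. The function names and sample bodies are constructed for illustration and assume the response shape shown under Sample response.

```python
from urllib.parse import urlsplit

# Constructed sample bodies in the shape of the "Sample response" above.
SAMPLE_HEADERS = [
    "Content-Type", "X-Requested-With", "X-Vault-AWS-IAM-Server-ID",
    "X-Vault-No-Request-Forwarding", "X-Vault-Token", "Authorization",
    "X-Vault-Wrap-Format", "X-Vault-Wrap-TTL",
]
PRIMARY = {"enabled": True,
           "allowed_origins": ["https://ui.example.com"],
           "allowed_headers": SAMPLE_HEADERS + ["X-Custom-Header"]}
SECONDARY = {"enabled": True,
             "allowed_origins": ["*"],
             "allowed_headers": list(SAMPLE_HEADERS)}


def audit_cors(config):
    """Findings for one GET /sys/config/cors response body (hypothetical helper)."""
    findings = []
    if not config.get("enabled"):
        return findings  # no CORS configuration in effect
    for origin in config.get("allowed_origins") or []:
        if origin == "*":
            findings.append("wildcard origin: every origin is permitted")
        elif urlsplit(origin).scheme != "https":
            findings.append(f"non-HTTPS origin: {origin}")
    return findings


def cors_drift(primary, secondary):
    """Fields on which a secondary's configuration differs from the primary's."""
    drift = {}
    if bool(primary.get("enabled")) != bool(secondary.get("enabled")):
        drift["enabled"] = (primary.get("enabled"), secondary.get("enabled"))
    for key in ("allowed_origins", "allowed_headers"):
        # Header names and origin scheme/host are case-insensitive.
        want = {v.lower() for v in primary.get(key) or []}
        have = {v.lower() for v in secondary.get(key) or []}
        if want != have:
            drift[key] = {"missing_on_secondary": sorted(want - have),
                          "extra_on_secondary": sorted(have - want)}
    return drift


if __name__ == "__main__":
    for name, cfg in (("primary", PRIMARY), ("secondary", SECONDARY)):
        print(name, audit_cors(cfg))
    print("drift", cors_drift(PRIMARY, SECONDARY))
```

To use it against real clusters, save each cluster's response with the read request shown earlier and load the files with json.load in place of the constructed dictionaries.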
Delete CORS settings
This endpoint removes any CORS configuration.
Method | Path |
---|---|
DELETE | /sys/config/cors |
Sample request
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/config/cors