Documentation Index
Fetch the complete documentation index at: https://docs.draskencloud.com/llms.txt
Use this file to discover all available pages before exploring further.
CORS policy is applied to all responses from the matched revision or endpoint. Configure it via the cors field in any policy.
Basic Configuration
{
"cors": {
"allowed_origins": ["https://app.example.com"],
"allowed_methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
"allowed_headers": ["Authorization", "Content-Type"],
"max_age_secs": 86400
}
}
Allow All Origins
{
"cors": {
"allowed_origins": ["*"]
}
}
Using ["*"] with credentials is not permitted by the browser CORS spec. Use specific origins when Authorization headers are involved.
Fields
| Field | Required | Description |
|---|
allowed_origins | Yes | List of allowed origins. Use ["*"] for any origin |
allowed_methods | No | Allowed HTTP methods. Defaults to all methods if omitted |
allowed_headers | No | Allowed request headers |
max_age_secs | No | How long the browser caches the preflight response |
Apply to an App
curl -X POST http://localhost:9090/api/v1/apps \
-H "Content-Type: application/json" \
-d '{
"name": "My API",
"slug": "my-api",
"gateway_path": "/my-api",
"default_policy": {
"cors": {
"allowed_origins": ["https://dashboard.example.com", "https://app.example.com"],
"allowed_methods": ["GET", "POST", "OPTIONS"],
"allowed_headers": ["Authorization", "Content-Type", "X-Request-ID"],
"max_age_secs": 3600
}
}
}'
Override at Endpoint Level
{
"policy_override": {
"cors": {
"allowed_origins": ["https://internal-tool.example.com"],
"allowed_methods": ["GET"]
}
}
}
