You can specify CORS headers to include in REST responses. These headers can be set as global defaults and can be overridden on an endpoint-by-endpoint basis. The endpoint-specific headers completely override the default headers: if any resource-specific headers have been specified, a REST resource sends only those and ignores the default headers; if none are configured, it falls back to the default CORS headers.
Setting Global CORS Headers
To set a global default CORS header, you must define a configuration property in the following form:
DOT_API_CORS_DEFAULT_${header-name}: '${headerValue}'
For example, if you want to set the default header Access-Control-Allow-Origin: *, add the following property to the:
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN: '*'
Default CORS Headers
The following CORS headers are set by default in the dotCMS properties:
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN: '*'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_HEADERS: '*'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_METHODS: 'GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'true'
DOT_API_CORS_DEFAULT_ACCESS_CONTROL_EXPOSE_HEADERS: '*'
Setting any of these keys as an environment variable overrides its value globally.
Overriding Headers for Specific Resources
To override CORS headers for a specific REST resource, you must replace DEFAULT in the appropriate key with the name of the specified resource, as follows:
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_CREDENTIALS: 'false'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_METHODS: 'PUT'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_ORIGIN: 'http://example.com'
DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_HEADERS: 'Authorization,Accept,Cookies,Content-Type,Content-Length'
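The following Python sketch is an added example, not dotCMS code: it models the override rule described above (a resource with any key of its own ignores every default) and checks the resulting header set against browser CORS rules. It assumes the configured values are sent verbatim and that resource names contain no underscore; `PageResource` and the sample environment are constructed for illustration.

```python
# Added example: models the override rule this page describes; not dotCMS code.
from urllib.parse import urlsplit

PREFIX = "DOT_API_CORS_"

def _header(key_part):
    # ACCESS_CONTROL_ALLOW_ORIGIN -> Access-Control-Allow-Origin
    return "-".join(w.capitalize() for w in key_part.split("_"))

def effective_cors(env, resource):
    """Headers sent for `resource`: its own set if any key exists, else the defaults."""
    sets = {}
    for key, value in env.items():
        if not key.startswith(PREFIX):
            continue
        # Assumption: resource names contain no underscore.
        name, _, header = key[len(PREFIX):].partition("_")
        if header:
            sets.setdefault(name, {})[_header(header)] = value
    return sets.get(resource.upper()) or sets.get("DEFAULT", {})

def audit(headers):
    """Return findings for header sets that browsers reject or treat unexpectedly."""
    findings = []
    origin = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if origin is None:
        findings.append("no Access-Control-Allow-Origin: cross-origin reads are blocked")
    elif origin == "*":
        if creds:
            findings.append("wildcard origin with credentials: browsers reject credentialed requests")
    else:
        parts = urlsplit(origin)
        if not parts.scheme or not parts.netloc or parts.path or parts.query:
            findings.append("origin is not scheme://host[:port]; it will not match the Origin header")
    if creds and headers.get("Access-Control-Allow-Headers") == "*":
        findings.append("with credentials, '*' in Allow-Headers is a literal header name, not a wildcard")
    return findings

# Constructed sample environment built from values shown on this page.
SAMPLE_ENV = {
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN": "*",
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_HEADERS": "*",
    "DOT_API_CORS_DEFAULT_ACCESS_CONTROL_ALLOW_CREDENTIALS": "true",
    "DOT_API_CORS_CONTENTRESOURCE_ACCESS_CONTROL_ALLOW_CREDENTIALS": "false",
}

if __name__ == "__main__":
    for res in ("ContentResource", "PageResource"):  # PageResource: hypothetical name
        h = effective_cors(SAMPLE_ENV, res)
        print(res, h, audit(h))
```

In the sample, overriding only Allow-Credentials for ContentResource leaves that resource without any Access-Control-Allow-Origin header, so a resource-specific set has to restate every header the resource still needs.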