spring-framework / org.springframework.web.servlet.config.annotation / CorsRegistration

CorsRegistration

open class CorsRegistration

Assists with the creation of a CorsConfiguration instance mapped to a path pattern. By default all origins, headers, and credentials for GET, HEAD, and POST requests are allowed while the max age is set to 30 minutes.

Authors
Sebastien Deleuze, Rossen Stoyanchev, Sam Brannen

Since
4.2

See Also
CorsConfiguration, CorsRegistry

Constructors

<init>

CorsRegistration(pathPattern: String)

Create a new CorsRegistration that allows all origins, headers, and credentials for GET, HEAD, and POST requests with max age set to 1800 seconds (30 minutes) for the specified path.

Functions

allowCredentials

open fun allowCredentials(allowCredentials: Boolean): CorsRegistration

Whether user credentials are supported. Be aware that enabling this option could increase the attack surface of the web application (for example, by exposing sensitive user-specific information such as CSRF tokens).

By default credentials are not allowed.

allowedHeaders

open fun allowedHeaders(vararg headers: String): CorsRegistration

Set the list of headers that a pre-flight request can list as allowed for use during an actual request.

The special value "*" may be used to allow all headers.

A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma as per the CORS spec.

By default all headers are allowed.

allowedMethods

open fun allowedMethods(vararg methods: String): CorsRegistration

Set the HTTP methods to allow, e.g. "GET", "POST", etc.

The special value "*" allows all methods.

By default "simple" methods GET, HEAD, and POST are allowed.

allowedOrigins

open fun allowedOrigins(vararg origins: String): CorsRegistration

Set the origins to allow, e.g. "http://domain1.com".

The special value "*" allows all domains.

By default, all origins are allowed.

exposedHeaders

open fun exposedHeaders(vararg headers: String): CorsRegistration

Set the list of response headers other than "simple" headers, i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma, that an actual response might have and can be exposed.

Note that "*" is not supported on this property.

By default this is not set.

maxAge

open fun maxAge(maxAge: Long): CorsRegistration

Configure how long in seconds the response from a pre-flight request can be cached by clients.

By default this is set to 1800 seconds (30 minutes).
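
The following Kotlin configuration is an added example, not code from the Spring Framework documentation. It contrasts a mapping that keeps the defaults described on this page with one that replaces each default with an explicit allow-list. The path patterns, the origin https://app.example.com and the header names are assumed placeholders, and the class assumes Spring 5 or later, where WebMvcConfigurer can be implemented directly.

```kotlin
import org.springframework.context.annotation.Configuration
import org.springframework.web.servlet.config.annotation.CorsRegistry
import org.springframework.web.servlet.config.annotation.EnableWebMvc
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer

// Added example: paths, origin and header names are assumed placeholders.
@Configuration
@EnableWebMvc
class CorsConfig : WebMvcConfigurer {

    override fun addCorsMappings(registry: CorsRegistry) {
        // Weak: addMapping() returns a CorsRegistration left at its defaults
        // (all origins, all headers, GET/HEAD/POST, max age 1800 seconds).
        // Only suitable for responses that are public and carry no user data.
        registry.addMapping("/public/**")

        // Hardened: each default is overridden with an explicit allow-list.
        registry.addMapping("/api/**")
            // Exact origin (scheme + host) instead of the "*" default.
            .allowedOrigins("https://app.example.com")
            // Only the methods the client actually uses.
            .allowedMethods("GET", "POST", "PUT", "DELETE")
            // Only the request headers the client may send, instead of "*".
            .allowedHeaders("Content-Type", "X-Requested-With")
            // Non-"simple" response headers the browser may read; "*" is not supported.
            .exposedHeaders("X-Request-Id")
            // Enable credentials only together with a fixed origin list,
            // because responses may contain user-specific data such as CSRF tokens.
            .allowCredentials(true)
            // Pre-flight cache lifetime in seconds; shorter than the 1800 default
            // so that a tightened policy reaches clients sooner.
            .maxAge(600L)
    }
}
```

When reviewing an existing application, any `addMapping(...)` call with no chained `allowedOrigins(...)` is running with the wildcard origin default and deserves a check against the data served under that path.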