Skip to content

struct Athena::Framework::Config::CORS
inherits Struct #

Configuration options for ATH::Listeners::CORS. See .configure.


Allow scoping CORS options to specific routes versus applying them to all routes.


.new(allow_credentials : Bool = false, allow_origin : Array(String | Regex) = Array(String | Regex).new, allow_headers : Array(String) = [] of String, allow_methods : Array(String) = Athena::Framework::Listeners::CORS::SAFELISTED_METHODS, expose_headers : Array(String) = [] of String, max_age : Int32 = 0)#

See .configure.

View source

Class methods#

.configure : self | ::Nil#

This method should be overridden in order to provide the configuration for ATH::Listeners::CORS. See the external documentation for more details.

By default it returns nil, which disables the listener.

# Returns an `ATH::Config::CORS` instance that will determine how the listener functions.
def ATH::Config::CORS.configure : ATH::Config::CORS?
    allow_credentials: true,
    allow_origin: %(,
    expose_headers: %w(X-Transaction-ID X-Some-Custom-Header),
View source


#allow_credentials? : Bool#

Indicates whether the request can be made using credentials.

Maps to the access-control-allow-credentials header.

View source

#allow_headers : Array(String)#

The header or headers that can be used when making the actual request.

Can be set to ["*"] to allow any headers.

maps to the access-control-allow-headers header.

View source

#allow_methods : Array(String)#

The method or methods allowed when accessing the resource.

Maps to the access-control-allow-methods header. Defaults to the CORS-safelisted methods.

View source

#allow_origin : Array(String | Regex)#

A white-listed array of valid origins. Each origin may be a static String, or a Regex.

Can be set to ["*"] to allow any origin.

View source

#expose_headers : Array(String)#

Array of headers that the browser is allowed to read from the response.

Maps to the access-control-expose-headers header.

View source

#max_age : Int32#

Number of seconds that the results of a preflight request can be cached.

Maps to the access-control-max-age header.

View source