docs/middleware/cors.md: 3 additions & 3 deletions
@@ -118,7 +118,7 @@ panic: [CORS] Configuration error: When 'AllowCredentials' is set to true, 'Allo
118
118
| AllowOrigins |`[]string`| AllowOrigins defines a list of origins that may access the resource. This supports subdomain matching, so you can use a value like "https://*.example.com" to allow any subdomain of example.com to submit requests. If the special wildcard `"*"` is present in the list, all origins will be allowed. |`["*"]`|
119
119
| AllowOriginsFunc |`func(origin string) bool`|`AllowOriginsFunc` is a function that dynamically determines whether to allow a request based on its origin. If this function returns `true`, the 'Access-Control-Allow-Origin' response header will be set to the request's 'origin' header. This function is only used if the request's origin doesn't match any origin in `AllowOrigins`. |`nil`|
120
120
| AllowPrivateNetwork |`bool`| Indicates whether the `Access-Control-Allow-Private-Network` response header should be set to `true`, allowing requests from private networks. This aligns with modern security practices for web applications interacting with private networks. |`false`|
121
-
| ExposeHeaders |`string`| ExposeHeaders defines an allowlist of headers that clients are allowed to access. |`[]`|
121
+
| ExposeHeaders |`[]string`| ExposeHeaders defines an allowlist of headers that clients are allowed to access. |`[]`|
122
122
| MaxAge |`int`| MaxAge indicates how long (in seconds) the results of a preflight request can be cached. If you pass MaxAge 0, the Access-Control-Max-Age header will not be added and the browser will use 5 seconds by default. To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header to 0. |`0`|
123
123
| Next |`func(fiber.Ctx) bool`| Next defines a function to skip this middleware when returned true. |`nil`|
124
124
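Review bot: The corrected `ExposeHeaders` row gives the type as `[]string`, but its description still shows no sample value, which readers moving from the old `string` type will look for. Consider adding one in the description, for example `[]string{"Content-Length"}`, the way the `AllowOrigins` row quotes "https://*.example.com". The rows for any other list-valued options fall outside this hunk, so check them for the same stale `string` type in this commit.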
@@ -159,7 +159,7 @@ If you want to allow CORS requests from any subdomain of `example.com`, includin
159
159
160
160
```go
161
161
app.Use(cors.New(cors.Config{
162
-
AllowOrigins: "https://*.example.com",
162
+
AllowOrigins: []string{"https://*.example.com"},
163
163
}))
164
164
```
165
165
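Review bot: The updated example `AllowOrigins: []string{"https://*.example.com"}` trusts every host under example.com, and the snippet carries no caveat about that. A sentence beside the example noting that the pattern covers all subdomains, including any operated by third parties, and that listing exact origins is preferable when the set is known, would help. The point matters most when `AllowCredentials` is also enabled.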
@@ -201,7 +201,7 @@ The `ExposeHeaders` option defines an allowlist of headers that clients are allo
201
201
202
202
The `MaxAge` option indicates how long the results of a preflight request can be cached. If `MaxAge` is set to `3600`, the middleware adds the header `Access-Control-Max-Age: 3600` to the response.
203
203
204
-
The `Vary` header is used in this middleware to inform the client that the server's response to a request. For or both preflight and actual requests, the Vary header is set to `Access-Control-Request-Method` and `Access-Control-Request-Headers`. For preflight requests, the Vary header is also set to `Origin`. The `Vary` header is important for caching. It helps caches (like a web browser's cache or a CDN) determine when a cached response can be used in response to a future request, and when the server needs to be queried for a new response.
204
+
The `Vary` header helps caches store the correct response. For simple requests the middleware sets `Vary: Origin` unless all origins are allowed. Preflight responses add `Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers` (and `Access-Control-Request-Private-Network` when enabled and requested). This ensures caches know when to reuse a response and when to revalidate with the server.
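Review bot: The rewritten `Vary` paragraph changes the documented behaviour rather than only fixing wording: the removed text said `Vary: Origin` was set for preflight requests, while the new text sets it for simple requests "unless all origins are allowed". Please confirm this against the middleware code, since a wrong `Vary` description can lead readers to misconfigure a shared cache or CDN in front of the app. Two wording points in the added line: "Preflight responses add `Vary: Origin, ...`" does not say whether `Origin` is still included when all origins are allowed, and "when enabled and requested" should name the option, `AllowPrivateNetwork`, and the request header that triggers it.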