Slightly tighter CORS config for nginx
#
# Slightly tighter CORS config for nginx
#
# A modification of https://gist.github.com/1064640/ to include a white-list of URLs
#
# Despite the W3C guidance suggesting that a list of origins can be passed as part of
# Access-Control-Allow-Origin headers, several browsers (well, at least Firefox)
# don't seem to play nicely with this.
#
# To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting
# method to control access instead.
#
# NB: This relies on the use of the 'Origin' HTTP header.
# Fork by @FGRibreau - 2018-07-16
# - match all sub-domains
# - `add_header` with `always` param to specify CORS headers even in 5xx & 4xx responses
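location / {
    # Whitelist check: the Origin must be a sub-domain of domain-name.tld, over http or
    # https, optionally with an explicit port.  "~*" is a case-insensitive regex match
    # ("~" alone is case-sensitive).
    #
    # The pattern is anchored at BOTH ends.  The previous form
    # "^(.*)\.domain-name\.tld" had no trailing anchor, so an origin such as
    # "https://x.domain-name.tld.example" (a host under someone else's control) also
    # matched; because the matched origin is reflected together with
    # Access-Control-Allow-Credentials: true, that would have let such a site read
    # authenticated responses.
    if ($http_origin ~* "^https?://[A-Za-z0-9.-]+\.domain-name\.tld(:[0-9]+)?$") {
        set $cors "true";
    }

    # Nginx doesn't support nested if statements, so the request method is appended to
    # $cors and each combination is handled by its own flat if block below.
    if ($request_method = 'OPTIONS') {
        set $cors "${cors}options";
    }
    if ($request_method = 'GET') {
        set $cors "${cors}get";
    }
    if ($request_method = 'POST') {
        set $cors "${cors}post";
    }

    # "Vary: Origin" is sent on every branch: the Allow-Origin value is per-origin, so a
    # shared cache must not serve one origin's response (and its reflected header) to
    # another.  add_header is not inherited into a level that has its own add_header
    # directives, which is why it is repeated in each block.

    if ($cors = "true") {
        # Catch-all in case there's a request method we're not dealing with properly.
        # Deliberately no Allow-Credentials here.
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Vary' 'Origin' always;
    }

    if ($cors = "trueget") {
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Vary' 'Origin' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
    }

    if ($cors = "trueoptions") {
        # Pre-flight: answer directly with 204 and no body.
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Vary' 'Origin' always;
        #
        # Om nom nom cookies
        #
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
        #
        # Tell client that this pre-flight info is valid for 20 days (1728000 seconds)
        #
        add_header 'Access-Control-Max-Age' 1728000 always;
        # Media type and parameter are separated by ";" — the earlier value
        # 'text/plain charset=UTF-8' was not a valid Content-Type.
        add_header 'Content-Type' 'text/plain; charset=UTF-8' always;
        add_header 'Content-Length' 0 always;
        return 204;
    }

    if ($cors = "truepost") {
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Vary' 'Origin' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
    }
}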