Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Example Nginx configuration for adding cross-origin resource sharing (CORS) support to reverse proxied APIs
#
# CORS header support
#
# One way to use this is by placing it into a file called "cors_support"
# under your Nginx configuration directory and placing the following
# statement inside your **location** block(s):
#
# include cors_support;
#
# As of Nginx 1.7.5, add_header supports an "always" parameter which
# allows CORS to work if the backend returns 4xx or 5xx status code.
#
# For more information on CORS, please see: http://enable-cors.org/
# Forked from this Gist: https://gist.github.com/michiel/1064640
#
set $cors '';
if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)') {
set $cors 'true';
}
if ($cors = 'true') {
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
# required to be able to read Authorization header in frontend
#add_header 'Access-Control-Expose-Headers' 'Authorization' always;
}
if ($request_method = 'OPTIONS') {
# Tell client that this pre-flight info is valid for 20 days
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
@semusi

This comment has been minimized.

Copy link

semusi commented Jun 4, 2014

where should i put this - should it be at the end of /etc/nginx/sites-enabled in the site config

@Stanback

This comment has been minimized.

Copy link
Owner Author

Stanback commented Jul 10, 2014

@semusi You should place it within the curly braces in the server { ... } block of your configuration, which you will find inside the file(s) in /etc/nginx/sites-enabled/. It shouldn't matter where you place it within the server block.

Edit: You should put it in your location block(s).

If you have multiple server blocks that you want to use CORS with, you can also save this as a separate file in /etc/nginx/cors and within your server blocks, enter "include cors;" which will include the file.

@akhildave

This comment has been minimized.

Copy link

akhildave commented Nov 25, 2014

Thanks for this code.

@kadamska

This comment has been minimized.

Copy link

kadamska commented Jan 6, 2015

Is there any workaround to set the headers (and get the content) when the server returns a 4xx or 5xx status code?

@chrisco23

This comment has been minimized.

Copy link

chrisco23 commented Jun 2, 2015

I just tried this for an issue I'm having getting a meteor android app connected, but "nginx -t" gives:

2015/06/02 12:31:55 [emerg] 7055#0: "add_header" directive is not allowed here in /etc/nginx/sites-enabled/mysite.com.conf:22

I'm running nginx 1.8.0 on Ubuntu 14.04. Has something changed recently?

@masskoder

This comment has been minimized.

Copy link

masskoder commented Jun 13, 2015

I have a same problem with chrisco 23

@ralavay

This comment has been minimized.

Copy link

ralavay commented Jun 15, 2015

@chrisco23 If you are using Ubuntu then should install nginx-extras package to use more_set_headers config

sudo apt-get install nginx-extras
@manelclos

This comment has been minimized.

Copy link

manelclos commented Dec 22, 2015

awesome! thanks!

@RubenHoms

This comment has been minimized.

Copy link

RubenHoms commented Jan 22, 2016

Thanks for this! For people having trouble saying that the "add_header" directive is not allowed here, move the code inside of the location brackets instead of on the server{} level of your configuration.

@ravitx12

This comment has been minimized.

Copy link

ravitx12 commented Feb 9, 2016

Is there a reason why you separated the first 2 if statements? Will it not work if I combine and eliminate the variable?

@daaain

This comment has been minimized.

Copy link

daaain commented Feb 9, 2016

One painful caveat I just discovered is that nginx (as of 1.9) treats the if block as separate context, so if you have add_header elsewhere in the block where you include this then it won't work. Otherwise great one, much nicer than the header repeating ones Google throws up on the top!

@agouriou

This comment has been minimized.

Copy link

agouriou commented Jun 8, 2016

Thanks for this gist. I forked it for Nginx > 1.9 with support for 4xx and 5xx response and exposition of authorization header. https://gist.github.com/agouriou/735daacf7530675552ff248f319a07d9

@marcoacm

This comment has been minimized.

Copy link

marcoacm commented Nov 4, 2016

Does this work if I am running javascript on my page that manipulates the page on the nginx server?

For example:
another = window.open("http://site-on-ngix.com/page.php", "_blank");
another.document.getElementsByName("name")[0].value= "marco";

I keep getting
"Uncaught DOMException: Blocked a frame with origin"

@ghost

This comment has been minimized.

Copy link

ghost commented Nov 4, 2016

Thanks for this! It works great. Something I discovered: When serving up polygons, if they are styled with a fill opacity of 0.0, GetFeatureInfo will not return any data (unless you click the outline of the polygon). Changing style fill opacity to 0.1 fixed this.

@Stanback

This comment has been minimized.

Copy link
Owner Author

Stanback commented Nov 8, 2016

Thanks for the comments guys, I've updated this gist to include support the "always" parameter for nginx 1.7.5+ so that you can get non-200 responses returned back correctly.

I've also added a line for exposing the authorization header based on @agouriou's fork.

In addition, I removed the proprietary X-Mx-ReqToken header and added directives for caching for pre-flight requests, with a content length set to avoid chunked responses.

@fakirpic

This comment has been minimized.

Copy link

fakirpic commented Dec 4, 2016

does it work for both of http and https?

@jDeppen

This comment has been minimized.

Copy link

jDeppen commented Dec 9, 2016

Yes, @fakirpic. The 's' is optional because of the question mark
https?

@veryeasily

This comment has been minimized.

Copy link

veryeasily commented Jan 18, 2017

This doesn't appear to work if included in a location that uses try_files because of this situation https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ . Any idea how to get around this?

@habovh

This comment has been minimized.

Copy link

habovh commented Jan 27, 2017

Correct me if I'm wrong, but you're defining the $cors variable only to use it once, which makes it useless. So you can actually simplify your first if to use line 18 for the conditional.
However if your goal was to use the $cors variable in the second if block (to prevent from returning CORS headers from any origin), you should actually do something like my forked gist: https://gist.github.com/habovh/23506240581b3ca5edc236948808799f

@bunlongheng

This comment has been minimized.

Copy link

bunlongheng commented Feb 3, 2017

I've added those codes above in my server { . . . } as suggested. I kept getting

nginx: [emerg] "add_header" directive is not allowed here in /etc/nginx/sites-enabled/d.site.com:26
nginx: configuration file /etc/nginx/nginx.conf test failed

Here is my entire configs

server {

    listen 80;
    server_name d.site.com;
    root /home/forge/d.site.com/distributor-application/laravel/public;

    # Enable this line for debugging to see which php.ini get use ... $php --ini
    # root /home/forge/d.site.com/public;


    # FORGE SSL (DO NOT REMOVE!)
    # ssl_certificate;
    # ssl_certificate_key;

    index index.html index.htm index.php;

    charset utf-8;


    set $cors '';
    if ($http_origin ~ '^https?://(localhost|www\.site\.com|www\.d.site\.com|www.\.jsfiddle\.net)') {
            set $cors 'true';
    }

    if ($cors = 'true') {
            add_header 'Access-Control-Allow-Origin' "$http_origin" always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
            # required to be able to read Authorization header in frontend
            #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
    }

    if ($request_method = 'OPTIONS') {
            # Tell client that this pre-flight info is valid for 20 days
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
    }



    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/d.site.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_read_timeout 600;
       fastcgi_send_timeout 600;
       fastcgi_buffers 16 16k;
       fastcgi_buffer_size 32k;
        fastcgi_index index.php;
        include fastcgi_params;

    }

    location ~ /\.ht {
        deny all;
    }

}

Please let me know what I did wrong !!!

@felipekm

This comment has been minimized.

Copy link

felipekm commented Mar 9, 2017

@bunlongheng you must to put your add_header inside location / {

@ejcx

This comment has been minimized.

Copy link

ejcx commented Apr 3, 2017

Please read this comment if you plan to use the above gist.

The above code contains a very serious vulnerability. Specifically this line:

Vulnerable

if ($http_origin ~ '^https?://(localhost|www\.site\.com|www\.d.site\.com|www.\.jsfiddle\.net)') {

Safe

Note, the $ at the end of the regex, terminating the line. What is actually meant is:

if ($http_origin ~ '^https?://(localhost|www\.site\.com|www\.d.site\.com|www.\.jsfiddle\.net)$') {

Without the extra $, you have essentially turned off all security for your website.

The attacker would do the following to exploit this.

  1. Create a subdomain of their website. For this example, www.site.com.evil.com would be the attackers site.
  2. Lure your logged in users to their evil web page.
  3. Send ajax requests from www.site.com.evil.com to www.site.com with credentials
  4. Because ACAC is set true, and ACAO will reflect the origin header, the AJAX will return successfully.

Please feel free to ping me if you have any questions.

@Radiergummi

This comment has been minimized.

Copy link

Radiergummi commented Apr 13, 2017

You could use nginx maps in favor of the regex:

map $http_origin $DO_CORS {

  # indicates all map values are hostnames and should be parsed as such
  hostnames;

  # default value
  default 'false';

  # all your domains
  localhost          'true';
  www.yourdomain.com 'true';
  www.yourother.com  'true';
}

This also prevents the attack detailed by @ejcx

@gansbrest

This comment has been minimized.

Copy link

gansbrest commented Apr 17, 2017

Here is my version of doing nginx access control allow origin that avoids some of the duplication.

@anchit-nishant

This comment has been minimized.

Copy link

anchit-nishant commented Jan 3, 2018

I created a new file in /etc/nginx/conf.d 'cors.conf' with the the below configuration.

Note: My use case was to enable Cors for an nginx reverse proxy which forwards the request to my flask application on docker. My front-end is hosted on AWS S3.

server {
listen 80;

    location / {

        proxy_pass            http://docker;
        proxy_http_version    1.1;
        proxy_set_header    Connection            $connection_upgrade;
        proxy_set_header    Upgrade                $http_upgrade;
        proxy_set_header    Host                $host;
        proxy_set_header    X-Real-IP            $remote_addr;
        proxy_set_header    X-Forwarded-For        $proxy_add_x_forwarded_for;


            set $cors '';
                    if ($http_origin ~ '^https?://(s3\.amazonaws\.com)') {
                            set $cors 'true';
                    }

                    if ($cors = 'true') {
                            add_header 'Access-Control-Allow-Origin' "$http_origin" always;
                            add_header 'Access-Control-Allow-Credentials' 'true' always;
                            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
                            add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
                            # required to be able to read Authorization header in frontend
                            #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
                    }

                    if ($request_method = 'OPTIONS') {
                            # Tell client that this pre-flight info is valid for 20 days
                            add_header 'Access-Control-Max-Age' 1728000;
                            add_header 'Content-Type' 'text/plain charset=UTF-8';
                            add_header 'Content-Length' 0;
                            return 204;
                    }


    }
}
@Eternity-Yarr

This comment has been minimized.

Copy link

Eternity-Yarr commented Feb 14, 2018

I really don't know why this is working for you, guys. If is broken. https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ Nginx configuration is not imperative. There is no guarantees that any other block, except for if with return will be executed in case of OPTIONS request.

@Eternity-Yarr

This comment has been minimized.

Copy link

Eternity-Yarr commented Feb 14, 2018

If you really need sane CORS functionality, it's better to use some Lua.

@danielmotaleite

This comment has been minimized.

Copy link

danielmotaleite commented Jun 6, 2018

save your soul and use the lua below!

https://github.com/detailyang/lua-resty-cors

@mmontag

This comment has been minimized.

Copy link

mmontag commented Sep 28, 2018

Please be aware that this will allow your resources to be accessed cross-origin by anybody with a domain name like http://localhost-hacker.biz or https://localhost.blackhat.org. Add a $ to that regex...

@datlife

This comment has been minimized.

Copy link

datlife commented Oct 7, 2018

My complete script that works both on my website and localhost:

  • Avoided if, mentioned in ifisevil
  • Fixed regex vulnerability, pointed out by @ejcx above.

In this script, my server is blog.mywebsite.com. It enabled CORS mywebsite.com and localhost to access requested resource.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name blog.mywebsite.com;
    root /var/www/ghost/system/nginx-root;

    ssl_certificate /etc/letsencrypt/blog.mywebsite.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/blog.mywebsite.com/blog.mywebsite.com.key;
    include /etc/nginx/snippets/ssl-params.conf;

    set $cors_origin "";
    set $cors_cred   "";
    set $cors_header "";
    set $cors_method "";

    if ($http_origin ~ '^https?://(localhost|mywebsite\.com)$') {
            set $cors_origin $http_origin;
            set $cors_cred   true;
            set $cors_header $http_access_control_request_headers;
            set $cors_method $http_access_control_request_method;
    }

    add_header Access-Control-Allow-Origin      $cors_origin;
    add_header Access-Control-Allow-Credentials $cors_cred;
    add_header Access-Control-Allow-Headers     $cors_header;
    add_header Access-Control-Allow-Methods     $cors_method;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }

    location ~ /.well-known {
        allow all;
    }
    client_max_body_size 50m;
}
@Zulko

This comment has been minimized.

Copy link

Zulko commented Oct 26, 2018

Thanks very much guys ! this code plus @RubenHoms 's comment worked like a charm.

@control-panel

This comment has been minimized.

Copy link

control-panel commented Nov 6, 2018

Hello guys!

We have got working config only with the following trick:

`

if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
    return 444;
}
    
set $origin $http_origin;

if ($origin !~ '^https?://(subdom1|subdom2)\.yourdom\.zone$') {
    set $origin 'https://default.yourdom.zone';
}

if ($request_method = 'OPTIONS') {

    add_header 'Access-Control-Allow-Origin' "$origin" always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;

    add_header Access-Control-Max-Age 1728000;
    add_header Content-Type 'text/plain charset=UTF-8';
    add_header Content-Length 0;
    return 204;
}
    
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
    add_header Access-Control-Allow-Origin "$origin" always;
    add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
    add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
    add_header Access-Control-Allow-Credentials true always;
}

`

if block can be implemented with map
may be it can help somebody

@Jossnaz

This comment has been minimized.

Copy link

Jossnaz commented Dec 12, 2018

@Radiergummi

You could use nginx maps in favor of the regex:

map $http_origin $DO_CORS {

  # indicates all map values are hostnames and should be parsed as such
  hostnames;

  # default value
  default 'false';

  # all your domains
  localhost          'true';
  www.yourdomain.com 'true';
  www.yourother.com  'true';
}

This also prevents the attack detailed by @ejcx

can you expand a bit more in detail? e.g. how to use that map?

@aftabnaveed

This comment has been minimized.

Copy link

aftabnaveed commented Jan 8, 2019

save your soul and use the lua below!

https://github.com/detailyang/lua-resty-cors

I get this error

sudo opm install detailyang/lua-resty-cors
Package lua-resty-cors-0.2.1.5 already installed.
Error:

failed to run header_filter_by_lua*: header_filter_by_lua:2: module 'lib.resty.cors' not found:
        no field package.preload['lib.resty.cors']
        no file '/usr/local/openresty/site/lualib/lib/resty/cors.ljbc'
        no file '/usr/local/openresty/site/lualib/lib/resty/cors/init.ljbc'
        no file '/usr/local/openresty/lualib/lib/resty/cors.ljbc'
        no file '/usr/local/openresty/lualib/lib/resty/cors/init.ljbc'
        no file '/usr/local/openresty/site/lualib/lib/resty/cors.lua'
        no file '/usr/local/openresty/site/lualib/lib/resty/cors/init.lua'
        no file '/usr/local/openresty/lualib/lib/resty/cors.lua'
        no file '/usr/local/openresty/lualib/lib/resty/cors/init.lua'
        no file './lib/resty/cors.lua'
        no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/lib/resty/cors.lua'
        no file '/usr/local/share/lua/5.1/lib/resty/cors.lua'
        no file '/usr/local/share/lua/5.1/lib/resty/cors/init.lua'
        no file '/usr/local/openresty/luajit/share/lua/5.1/lib/resty/cors.lua'
        no file '/usr/local/openresty/luajit/share/lua/5.1/lib/resty/cors/init.lua'
        no file '/usr/local/openresty/site/lualib/lib/resty/cors.so'
        no file '/usr/local/openresty/lualib/lib/resty/cors.so'
        no file './lib/resty/cors.so'
        no file '/usr/local/lib/lua/5.1/lib/resty/cors.so'
        no file '/usr/local/openresty/luajit/lib/lua/5.1/lib/resty/cors.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'
        no file '/usr/local/openresty/site/lualib/lib.so'
        no file '/usr/local/openresty/lualib/lib.so'
        no file './lib.so'
        no file '/usr/local/lib/lua/5.1/lib.so'
        no file '/usr/local/openresty/luajit/lib/lua/5.1/lib.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'

@slavafomin

This comment has been minimized.

Copy link

slavafomin commented Jan 22, 2019

Thank you for the snippet and all the comments, it's very useful.

@Radiergummi I really like the idea with maps. Is it possible to use wildcard domains there or it could contain only a static list of domain names?

@Stanback Why do you use the following block in preflight requests?

add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;

Are nginx defaults not enough for this?

@slavafomin

This comment has been minimized.

Copy link

slavafomin commented Jan 22, 2019

Beware: multiple condition blocks are not going to match simultaneously!

I can't make multiple if statements to work correctly in my nginx configuration.
When the last if statement is matched for the preflight request the headers from the main if block are not added to the response.
And this is an expected behavior according to this official article: If Is Evil.

Have you actually managed to make the both condition blocks apply?

@slavafomin

This comment has been minimized.

Copy link

slavafomin commented Jan 22, 2019

Here's the working config, I've managed to implement.

And here's my question on Stack Overflow regarding this issue.

@mPanasiewicz

This comment has been minimized.

Copy link

mPanasiewicz commented Jan 30, 2019

My solution is:

map $http_origin $cors_origin_header {
    default "";
    "~(^|^http:\/\/)(localhost$|localhost:[0-9]{1,4}$)" "$http_origin";
    "~^https://test-.-dev.example.pl$" "$http_origin"; # https://test-7-dev.example.pl
    "https://test.example.com" "$http_origin";
}

map $http_origin $cors_cred {
    default "";
    "~(^|^http:\/\/)(localhost$|localhost:[0-9]{1,4}$)" "true";
    "~^https://test-.-dev.example.pl$" "true"; # https://test-7-dev.example.pl
    "https://test.example.com" "true";
}

server {
    listen 443 ssl http2;
    server_name api.example.com;

    include ssl/wildcard;

    add_header Access-Control-Allow-Origin $cors_origin_header always;
    add_header Access-Control-Allow-Credentials $cors_cred;
    add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
    add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";

    if ($request_method = 'OPTIONS' ) {
      return 204 no-content;
    }

return 204 there is because this is configuration for load-balancer, and I don't want to send OPTIONS into certain host after load-balancer. If you haven't load-balancer than you can remove this line
I hope, it helps someone

@jfortier

This comment has been minimized.

Copy link

jfortier commented Mar 11, 2019

My complete script that works both on my website and localhost:

  • Avoided if, mentioned in ifisevil
  • Fixed regex vulnerability, pointed out by @ejcx above.

In this script, my server is blog.mywebsite.com. It enabled CORS mywebsite.com and localhost to access requested resource.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name blog.mywebsite.com;
    root /var/www/ghost/system/nginx-root;

    ssl_certificate /etc/letsencrypt/blog.mywebsite.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/blog.mywebsite.com/blog.mywebsite.com.key;
    include /etc/nginx/snippets/ssl-params.conf;

    set $cors_origin "";
    set $cors_cred   "";
    set $cors_header "";
    set $cors_method "";

    if ($http_origin ~ '^https?://(localhost|mywebsite\.com)$') {
            set $cors_origin $http_origin;
            set $cors_cred   true;
            set $cors_header $http_access_control_request_headers;
            set $cors_method $http_access_control_request_method;
    }

    add_header Access-Control-Allow-Origin      $cors_origin;
    add_header Access-Control-Allow-Credentials $cors_cred;
    add_header Access-Control-Allow-Headers     $cors_header;
    add_header Access-Control-Allow-Methods     $cors_method;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }

    location ~ /.well-known {
        allow all;
    }
    client_max_body_size 50m;
}

Your solution more or less worked for me using nginx version 1.12.2 Not sure which version of nginx you were using, but I couldn't run add_headers in my server block, but could in my location block which worked fine. Thanks.

@blthayer

This comment has been minimized.

Copy link

blthayer commented Jun 3, 2019

@mPanasiewicz's solution worked perfectly for me (so far). Thank you!

@rafi

This comment has been minimized.

Copy link

rafi commented Jul 24, 2019

Thanks @mPanasiewicz - your solution is perfect. We ran into many issues with if, it's really evil.

@archy-bold

This comment has been minimized.

Copy link

archy-bold commented Sep 11, 2019

Another 👍 for @mPanasiewicz

@iki

This comment has been minimized.

Copy link

iki commented Sep 15, 2019

Thanks for inspiration. Here's what we use with added exposed headers: https://gist.github.com/iki/1247cd182acd1aa3ee4876acb7263def

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.