---
layout: api
page_title: /sys/config/cors - HTTP API
description: >-
  The '/sys/config/cors' endpoint configures how the Vault server responds to
  cross-origin requests.
---
# `/sys/config/cors`
The `/sys/config/cors` endpoint is used to configure CORS settings.
- **`sudo` required** – All CORS endpoints require `sudo` capability in
addition to any path-specific capabilities.
## Read CORS Settings
This endpoint returns the current CORS configuration.
| Method | Path |
| :----- | :----------------- |
| `GET` | `/sys/config/cors` |
### Sample Request
```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/config/cors
```
### Sample Response
```json
{
  "enabled": true,
  "allowed_origins": ["http://www.example.com"],
  "allowed_headers": [
    "Content-Type",
    "X-Requested-With",
    "X-Vault-AWS-IAM-Server-ID",
    "X-Vault-No-Request-Forwarding",
    "X-Vault-Token",
    "Authorization",
    "X-Vault-Wrap-Format",
    "X-Vault-Wrap-TTL"
  ]
}
```
## Configure CORS Settings
This endpoint allows configuring the origins that are permitted to make
cross-origin requests, as well as headers that are allowed on cross-origin requests.
| Method | Path |
| :----- | :----------------- |
| `PUT` | `/sys/config/cors` |
### Parameters
- `allowed_origins` `(string or string array: <required>)` – A wildcard (`*`), comma-delimited string, or array of strings specifying the origins that are permitted to make cross-origin requests.
- `allowed_headers` `(string or string array: "" or [])` – A comma-delimited string or array of strings specifying headers that are permitted to be on cross-origin requests. Headers set via this parameter will be appended to the list of headers that Vault allows by default.
### Sample Payload
```json
{
  "allowed_origins": "*",
  "allowed_headers": "X-Custom-Header"
}
```
### Sample Request
```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request PUT \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/config/cors
```
## Delete CORS Settings
This endpoint removes any CORS configuration.
| Method | Path |
| :------- | :----------------- |
| `DELETE` | `/sys/config/cors` |
### Sample Request
```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/config/cors
```