Notes
In some cases, you need to relax the cross-origin request restrictions, because by default only same-origin requests are allowed.
In my case, I deal with several APIs with different origins.
Code
1) GET/OPTIONS endpoint
location / {
    # Allow some origins
    #if ($http_origin ~* (https?:\/\/(localhost:8000|myfirstorigin:8000))) {
    #    set $cors "1";
    #}

    # Allow all origins
    set $cors "1";

    # Append CORS headers to any request from allowed CORS domain, except OPTIONS
    if ($cors = "1") {
        add_header Access-Control-Allow-Credentials true;
        add_header Access-Control-Allow-Origin $http_origin;
    }

    # OPTIONS (pre-flight) request from allowed CORS domain. return response directly
    if ($request_method = 'OPTIONS') {
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS, PUT, DELETE';
        add_header Access-Control-Allow-Credentials true;
        add_header Access-Control-Allow-Headers 'Origin,Content-Type,Accept';
        add_header Content-Length 0;
        add_header Content-Type text/plain;
        return 204;
    }

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass https://mysecondorigin/api/;
    proxy_http_version 1.1;
    proxy_read_timeout 600s;
}
2) POST endpoint
add_header Access-Control-Allow-Origin $http_origin;
Top comments (2)
Disabling security controls should be done with great care, I highly recommend anyone who considers implementing this configuration to read this first: appsecmonkey.com/blog/cors
Well explained