Fork me on GitHub

CORS plugin

The CORS plugin manages CORS related headers for you given some configuration such as allowed hosts.

Getting started

You can enable the cors plugin through the config.plugins part of the config:

Javalin.create(config -> {
    config.plugins.enableCors(cors -> {
        cors.add(it -> {
            it.allowHost("example.com", "javalin.io");
        });
    });
});

This example would allow the origins https://example.com and https://javalin.io.

The default scheme can be changed by setting it: defaultScheme = "http", but you can also just specify it with your allowHost() call: allowHost("http://example.com")

Allowing any host

Allowing everybody by using can be done with anyHost(). anyHost() adds the special star origin *, allowing any host from a CORS standpoint. Do note that you can still deny via other means such as an access manager, but it is recommended to just allow the hosts that you need.

Javalin.create(config -> {
    config.plugins.enableCors(cors -> {
        cors.add(it -> {
            it.anyHost();
        });
    });
});

Similar to anyHost() you can set reflectClientOrigin = true to reflect back the clients origin instead of the generic star. This has the same implications as anyHost(), so it should be considered carefully.

Javalin.create(config -> {
    config.plugins.enableCors(cors -> {
        cors.add(it -> {
            it.reflectClientOrigin = true;
        });
    });
});

Subdomain wildcard support

Special support for subdomains is added by allowing a single star as a wildcard. allowHost("*.example.com") would allow any subdomain of example.com to access your resources from a CORS standpoint.

Javalin.create(config -> {
    config.plugins.enableCors(cors -> {
        cors.add(it -> {
            it.allowHost("*.example.com");
        });
    });
});

Multiple CORS configurations

It is also possible to have different cors configurations for different paths. Take a look at the following example:

Javalin.create(config -> {
    config.plugins.enableCors(cors -> {
        cors.add(it -> {
            it.path = "images*"
            it.allowHost("https://images.local");
        });
        cors.add(it -> {
            it.path = "videos*"
            it.allowHost("https://videos.local");
        });
        cors.add(it -> {
            it.path = "music*"
            it.allowHost("https://music.local");
        });
    });
});

Everything listed under images would be only accessible by the host images.local and everything under videos only to the host videos.local.

allowCredentials and exposeHeader

For those who need it you can also set the ACCESS_CONTROL_ALLOW_CREDENTIALS header by setting allowCredentials = true and expose headers to the website’s JavaScript by using e.g. exposeHeader("x-server") to expose the x-server header.

Javalin.create(config -> {
    config.plugins.enableCors(cors -> {
        cors.add(it -> {
            it.allowHost("*.example.com");
            it.allowCredentials = true;
            it.exposeHeader("x-server");
        });
    });
});

Like Javalin?
Star us 😊

×