Here’s a step-by-step tutorial on how to configure Cross-Origin Resource Sharing (CORS) in Quarkus applications with just a few configuration tweaks.
Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers to control how resources on a web page can be requested from another domain outside the domain from which the first resource was served. This mechanism is essential for enabling secure cross-origin requests and data transfers between browsers and servers.
You can find more details about CORS in this article: How to configure CORS on WildFly
Step 1: Enable CORS in application.properties
First, you need to enable the CORS filter in your Quarkus application. This is done by adding the following line to your src/main/resources/application.properties file:
quarkus.http.cors=true
Step 2: Configure Allowed Origins
Specify which origins are allowed to make requests to your application. You can do this by setting the quarkus.http.cors.origins property. For example, to allow requests from http://example.com and http://anotherdomain.com, add:
quarkus.http.cors.origins=http://example.com,http://anotherdomain.com
Step 3: Configure Allowed Methods
Define which HTTP methods are allowed for CORS requests. This can be done using the quarkus.http.cors.methods property. For example, to allow GET, POST, and PUT methods:
quarkus.http.cors.methods=GET,POST,PUT
Step 4: Configure Allowed Headers
Specify which headers are allowed in CORS requests using the quarkus.http.cors.headers property. For example, to allow Content-Type and Authorization headers:
quarkus.http.cors.headers=Content-Type,Authorization
Step 5: Configure Exposed Headers
If you need to expose certain headers to the client, use the quarkus.http.cors.exposed-headers property. For example, to expose the X-Custom-Header:
quarkus.http.cors.exposed-headers=X-Custom-Header
Step 6: Configure Credentials
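If your application needs to handle credentials (cookies, HTTP authentication) in CORS requests, set the quarkus.http.cors.access-control-allow-credentials property to true. Keep quarkus.http.cors.origins an explicit list of trusted origins when you do this, because browsers reject a wildcard Access-Control-Allow-Origin on credentialed requests: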
quarkus.http.cors.access-control-allow-credentials=true
Step 7: Configure Max Age
Define how long the results of a preflight request can be cached using the quarkus.http.cors.access-control-max-age property. For example, to cache the results for 24 hours:
quarkus.http.cors.access-control-max-age=86400
Example Configuration
Here’s an example of a complete application.properties file with CORS configuration:
quarkus.http.cors=true
quarkus.http.cors.origins=http://example.com,http://anotherdomain.com
quarkus.http.cors.methods=GET,POST,PUT
quarkus.http.cors.headers=Content-Type,Authorization
quarkus.http.cors.exposed-headers=X-Custom-Header
quarkus.http.cors.access-control-allow-credentials=true
quarkus.http.cors.access-control-max-age=86400
Testing Your Configuration
To test your CORS configuration, you can use tools like Postman or a simple HTML page with JavaScript to make requests to your Quarkus application from different origins.
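One way to check the result of such a test is shown below. This is an added example, not code from the original tutorial or from Quarkus: it audits the response headers of a preflight (OPTIONS) request against the policy from the example configuration. The function name auditPreflight, the origin http://untrusted.example and the sample responses are assumptions constructed for illustration.

```javascript
// Policy mirroring the example application.properties on this page.
const policy = {
  origins: ["http://example.com", "http://anotherdomain.com"],
  methods: ["GET", "POST", "PUT"],
  headers: ["content-type", "authorization"],
  credentials: true,
};
// Split a comma-separated header value into trimmed tokens.
const tokens = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// Audit the response headers of one preflight (OPTIONS) exchange.
// origin: the Origin header that was sent; res: lower-case header name -> value.
// Returns a list of findings; an empty list means the response matches the policy.
function auditPreflight(origin, res, p = policy) {
  const findings = [];
  const acao = res["access-control-allow-origin"];
  const creds = res["access-control-allow-credentials"] === "true";
  const allowed = p.origins.includes(origin);
  if (!allowed && (acao === "*" || acao === origin))
    findings.push(`origin ${origin} is not configured but was allowed`);
  if (allowed && acao !== origin)
    findings.push(`configured origin ${origin} was not echoed (got ${acao})`);
  if (creds && acao === "*")
    findings.push("credentials allowed together with a wildcard origin");
  if (allowed && creds !== p.credentials)
    findings.push("Access-Control-Allow-Credentials differs from the configuration");
  for (const m of tokens(res["access-control-allow-methods"]))
    if (!p.methods.includes(m.toUpperCase())) findings.push(`unexpected method ${m}`);
  for (const h of tokens(res["access-control-allow-headers"]))
    if (!p.headers.includes(h.toLowerCase())) findings.push(`unexpected header ${h}`);
  return findings;
}

// Constructed sample responses, not captured from a real server.
const samples = {
  good: {
    "access-control-allow-origin": "http://example.com",
    "access-control-allow-credentials": "true",
    "access-control-allow-methods": "GET,POST,PUT",
    "access-control-allow-headers": "Content-Type,Authorization",
  },
  rejected: {}, // origin not configured: no CORS headers returned
  reflected: {
    "access-control-allow-origin": "http://untrusted.example",
    "access-control-allow-credentials": "true",
    "access-control-allow-methods": "GET,POST,PUT,DELETE",
  },
};
console.log(auditPreflight("http://untrusted.example", samples.reflected));
```

Feed the function the response headers captured with Postman or a test page, sending the request once with a configured origin and once with an origin that is not in quarkus.http.cors.origins.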