How to configure CORS in Quarkus applications

Here’s a step-by-step tutorial on how to configure Cross-Origin Resource Sharing (CORS) in Quarkus applications with just a few configuration tweaks.

Cross-Origin Resource Sharing (CORS) is a mechanism enforced by web browsers that controls whether a web page may request resources from an origin other than the one that served the page. The server declares in its response headers which origins, methods and headers it accepts, and the browser applies that policy. This mechanism is essential for enabling secure cross-origin requests and data transfers between browsers and servers.

You can find more details about CORS in this article: How to configure CORS on WildFly

Step 1: Enable CORS in application.properties

First, you need to enable the CORS filter in your Quarkus application. This is done by adding the following line to your src/main/resources/application.properties file:

quarkus.http.cors=true

Step 2: Configure Allowed Origins

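Specify which origins are allowed to make requests to your application. You can do this by setting the quarkus.http.cors.origins property. Each entry is a full origin including the scheme, so http://example.com and https://example.com are different origins. For example, to allow requests from http://example.com and http://anotherdomain.com, add: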

quarkus.http.cors.origins=http://example.com,http://anotherdomain.com

Step 3: Configure Allowed Methods

Define which HTTP methods are allowed for CORS requests. This can be done using the quarkus.http.cors.methods property. For example, to allow GET, POST, and PUT methods:

quarkus.http.cors.methods=GET,POST,PUT

Step 4: Configure Allowed Headers

Specify which headers are allowed in CORS requests using the quarkus.http.cors.headers property. For example, to allow Content-Type and Authorization headers:

quarkus.http.cors.headers=Content-Type,Authorization

Step 5: Configure Exposed Headers

If you need to expose certain headers to the client, use the quarkus.http.cors.exposed-headers property. For example, to expose the X-Custom-Header:

quarkus.http.cors.exposed-headers=X-Custom-Header

Step 6: Configure Credentials

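If your application needs to handle credentials in CORS requests (cookies, HTTP authentication or TLS client certificates), set the quarkus.http.cors.access-control-allow-credentials property to true. Browsers reject a credentialed response whose Access-Control-Allow-Origin is the wildcard *, so keep the allowed origins an explicit list as in Step 2: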

quarkus.http.cors.access-control-allow-credentials=true

Step 7: Configure Max Age

Define how long the results of a preflight request can be cached using the quarkus.http.cors.access-control-max-age property. For example, to cache the results for 24 hours:

quarkus.http.cors.access-control-max-age=86400

Example Configuration

Here’s an example of a complete application.properties file with CORS configuration:

quarkus.http.cors=true
quarkus.http.cors.origins=http://example.com,http://anotherdomain.com
quarkus.http.cors.methods=GET,POST,PUT
quarkus.http.cors.headers=Content-Type,Authorization
quarkus.http.cors.exposed-headers=X-Custom-Header
quarkus.http.cors.access-control-allow-credentials=true
quarkus.http.cors.access-control-max-age=86400

Testing Your Configuration

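To test your CORS configuration, you can use tools like Postman or a simple HTML page with JavaScript to make requests to your Quarkus application from different origins. Postman does not enforce CORS itself, so with it you set the Origin header by hand and inspect the Access-Control-* response headers; only a page loaded in a browser shows whether a request is actually blocked.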
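
The check a browser applies to a preflight response can be modelled in a few lines, which shows what to look for in the response headers when testing. This is an added example, not code from the original tutorial or from Quarkus; the function name preflightAllows, the request shape and the sample header values are assumptions constructed to match the example configuration above.

```javascript
// Added example, not Quarkus code: a simplified model of the browser's preflight check.
function preflightAllows(request, responseHeaders) {
  // Header names are case-insensitive, so normalize them first.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v.trim();
  const list = (name) =>
    (h[name] || "").split(",").map((s) => s.trim()).filter(Boolean);

  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  if (request.credentials) {
    // Credentialed requests need the exact origin echoed back; "*" does not count.
    if (allowOrigin !== request.origin) return { ok: false, reason: "origin not allowed" };
    if (h["access-control-allow-credentials"] !== "true")
      return { ok: false, reason: "credentials not allowed" };
  } else if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return { ok: false, reason: "origin not allowed" };
  }
  // GET, HEAD and POST are CORS-safelisted methods and need no listing.
  // Simplification: "*" in the method and header lists is not modelled.
  const method = request.method.toUpperCase();
  if (!["GET", "HEAD", "POST"].includes(method) &&
      !list("access-control-allow-methods").includes(method))
    return { ok: false, reason: "method not allowed: " + method };

  // Requested header names are compared case-insensitively.
  const allowed = list("access-control-allow-headers").map((s) => s.toLowerCase());
  for (const name of request.headers || []) {
    if (!allowed.includes(name.toLowerCase()))
      return { ok: false, reason: "header not allowed: " + name };
  }
  return { ok: true, reason: "allowed" };
}

// Constructed sample: preflight response headers modelled on the tutorial's configuration.
const sampleResponse = {
  "Access-Control-Allow-Origin": "http://example.com",
  "Access-Control-Allow-Methods": "GET,POST,PUT",
  "Access-Control-Allow-Headers": "Content-Type,Authorization",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Max-Age": "86400",
};
const put = { origin: "http://example.com", method: "PUT", credentials: true,
              headers: ["Content-Type", "Authorization"] };
console.log(preflightAllows(put, sampleResponse));
console.log(preflightAllows({ ...put, method: "DELETE" }, sampleResponse));
console.log(preflightAllows({ ...put, origin: "http://other.example" }, {}));
```

A response to an origin that is not in quarkus.http.cors.origins should carry no Access-Control-Allow-Origin header at all, which is the third case above.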