CORS
Cross-Origin Resource Sharing (CORS) settings control which external domains can make requests to Releval's API. By default, all origins are allowed.
Settings
| Variable | Default | Description |
|---|---|---|
| Cors__AllowedOrigins | * | Comma-separated list of allowed origins, or * for any |
| Cors__AllowedMethods | * | Comma-separated HTTP methods, or * for any |
| Cors__AllowedHeaders | * | Comma-separated header names, or * for any |
Example
To restrict API access to specific domains:
Environment Variable:

```yaml
environment:
  - Cors__AllowedOrigins=https://app.example.com,https://staging.example.com
  - Cors__AllowedMethods=GET,POST,PUT,DELETE
  - Cors__AllowedHeaders=content-type,accept,authorization
```

appsettings.json:

```json
{
  "Cors": {
    "AllowedOrigins": "https://app.example.com,https://staging.example.com",
    "AllowedMethods": "GET,POST,PUT,DELETE",
    "AllowedHeaders": "content-type,accept,authorization"
  }
}
```
Note
CORS only affects browser-based requests. Server-to-server API calls (e.g. from App Clients) are not subject to CORS restrictions.
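
A pre-deployment audit of the three settings above, added here as an example and not part of Releval's documentation or code. The sample values and the function names (`split_list`, `audit_origin`, `audit`) are constructed, and the rule that each entry should be an exact `scheme://host[:port]` origin is an assumption, since the page does not say how entries are matched.

```python
from urllib.parse import urlsplit

# Constructed sample values in the page's comma-separated format.
SAMPLE = {
    "Cors__AllowedOrigins": "https://app.example.com, http://staging.example.com,https://admin.example.com/",
    "Cors__AllowedMethods": "GET,POST,PUT,DELETE",
    "Cors__AllowedHeaders": "*",
}

def split_list(value):
    """Split a comma-separated setting, dropping blanks and surrounding spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_origin(entry):
    """Return findings for one Cors__AllowedOrigins entry."""
    if entry == "*":
        return ["wildcard: any website may call the API from a browser"]
    if entry.lower() == "null":
        return ["'null' origin: sent by sandboxed iframes and local files"]
    parts = urlsplit(entry)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["not a scheme://host[:port] origin"]
    findings = []
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        findings.append("plain http origin: page content can be altered in transit")
    if parts.path or parts.query or parts.fragment:
        findings.append("has a path, query or trailing slash; browsers send only scheme://host[:port]")
    return findings

def audit(settings):
    """Map each problematic entry to its findings. Unset settings use the page's default '*'."""
    report = {}
    for entry in split_list(settings.get("Cors__AllowedOrigins", "*")):
        found = audit_origin(entry)
        if found:
            report[f"Cors__AllowedOrigins: {entry}"] = found
    for key in ("Cors__AllowedMethods", "Cors__AllowedHeaders"):
        if "*" in split_list(settings.get(key, "*")):
            report[f"{key}: *"] = ["wildcard: list only what the client needs"]
    return report

if __name__ == "__main__":
    for item, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{item} -> {finding}")
```

An empty report for the restricted example above and three wildcard findings for an unconfigured deployment are the two results worth checking in CI.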