CORS Header Configuration documentation for the dotCMS Content Management System

You can specify CORS headers to include in REST responses. These headers can be set as global defaults and overridden on an endpoint-by-endpoint basis. Endpoint-specific headers completely override the default headers: each REST resource sends its resource-specific headers (and ignores the default headers) if they have been specified, and falls back to the default CORS headers if no resource-specific headers are configured.

Setting Global CORS Headers

To set a global default CORS header, you must add a new property to the dotmarketing-config.properties file in the following form:

api.cors.default.${header-name}=${headerValue}

For example, if you want to set the default header Access-Control-Allow-Origin : *, add the following property to the dotmarketing-config.properties file:

api.cors.default.access-control-allow-origin=*

Default CORS Headers

The following CORS headers are set by default in the dotmarketing-config.properties file:

api.cors.default.access-control-allow-origin=*
api.cors.default.access-control-allow-headers=Authorization, Accept, Cookies, Content-Type, Content-Length
api.cors.default.access-control-allow-methods=GET, HEAD, POST, PUT, DELETE, OPTIONS

Overriding Headers for Specific Resources

You can also override CORS headers per resource by replacing .default. in the property name with the Java class name of the resource (in lower case).

For example, the /api/content REST calls are implemented in the ContentResource class. Adding the following properties to the dotmarketing-config.properties file will set specific CORS headers for this resource:

api.cors.contentresource.access-control-allow-origin=https://demo.dotcms.com
api.cors.contentresource.access-control-allow-headers=Authorization, Accept, Cookies, Content-Type, Content-Length
api.cors.contentresource.access-control-allow-methods=GET, HEAD, POST, PUT, DELETE, OPTIONS
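
The following added example (not dotCMS code; the function names are hypothetical) models the override rule described at the top of this page, so you can review which CORS headers a properties file yields for a resource and which scopes still allow any origin. It assumes "completely override" means a resource with any specific header sends none of the defaults, and it only handles the key=value form shown on this page.

```python
PREFIX = "api.cors."

def parse_cors_properties(text):
    """Return {scope: {header: value}} for api.cors.* lines in .properties text."""
    scopes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue  # skip blanks, comments and lines without key=value
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if not key.startswith(PREFIX):
            continue
        # "default.access-control-allow-origin" -> ("default", header name)
        scope, _, header = key[len(PREFIX):].partition(".")
        if header:
            scopes.setdefault(scope, {})[header] = value.strip()
    return scopes

def effective_headers(scopes, resource_class):
    """Resource-specific headers replace the defaults entirely; else fall back."""
    specific = scopes.get(resource_class.lower())
    return dict(specific) if specific else dict(scopes.get("default", {}))

def wildcard_origin_scopes(scopes):
    """Scopes whose Access-Control-Allow-Origin is '*', for review."""
    return sorted(s for s, h in scopes.items()
                  if h.get("access-control-allow-origin") == "*")

# Constructed sample: the page's defaults plus a partial override that sets
# only the origin for ContentResource.
SAMPLE = """\
api.cors.default.access-control-allow-origin=*
api.cors.default.access-control-allow-headers=Authorization, Accept, Cookies, Content-Type, Content-Length
api.cors.default.access-control-allow-methods=GET, HEAD, POST, PUT, DELETE, OPTIONS
api.cors.contentresource.access-control-allow-origin=https://demo.dotcms.com
"""

if __name__ == "__main__":
    scopes = parse_cors_properties(SAMPLE)
    # "OtherResource" is a hypothetical class with no override configured.
    for name in ("ContentResource", "OtherResource"):
        print(name, effective_headers(scopes, name))
    print("wildcard origin in:", wildcard_origin_scopes(scopes))
```

With the sample above, the partial override leaves ContentResource with only its origin header, which is why the example on this page repeats the allow-headers and allow-methods values for contentresource.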