CORS
Cross-Origin Resource Sharing (CORS) settings control which external domains can make browser requests to Releval's API.
By default Releval allows same-origin requests only: the bundled web UI is served from the same origin as the API, so no cross-origin access is needed out of the box.
Set Cors__AllowedOrigins to allow cross-origin browser clients; the method and header allow-lists then constrain those requests.
Settings
| Variable | Default | Description |
|---|---|---|
| Cors__AllowedOrigins | (empty) | Comma-separated list of allowed origins; * for any; empty means same-origin only |
| Cors__AllowedMethods | GET,POST | Comma-separated HTTP methods, or * for any |
| Cors__AllowedHeaders | content-type,accept | Comma-separated header names, or * for any |
Example
To restrict cross-origin browser access to the API to specific domains:
Environment Variable:

```yaml
environment:
  - Cors__AllowedOrigins=https://app.example.com,https://staging.example.com
  - Cors__AllowedMethods=GET,POST,PUT,DELETE
  - Cors__AllowedHeaders=content-type,accept,authorization
```

appsettings.json:

```json
{
  "Cors": {
    "AllowedOrigins": "https://app.example.com,https://staging.example.com",
    "AllowedMethods": "GET,POST,PUT,DELETE",
    "AllowedHeaders": "content-type,accept,authorization"
  }
}
```
Note
CORS only affects browser-based requests. Server-to-server API calls (e.g. from App Clients) are not subject to CORS restrictions.
Listing specific origins (rather than *) also permits credentialed cross-origin requests from them.
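
An added example, not part of Releval or its documentation: a pre-deployment check that parses the three settings as the table describes them and flags entries worth reviewing before they reach production. The function names, severity labels and sample values are hypothetical, and it assumes origins are compared exactly against the browser's Origin header.

```python
from urllib.parse import urlsplit

# Defaults copied from the settings table above.
DEFAULTS = {
    "Cors__AllowedOrigins": "",
    "Cors__AllowedMethods": "GET,POST",
    "Cors__AllowedHeaders": "content-type,accept",
}

def parse_list(value):
    """Split a comma-separated setting; an empty value yields an empty list."""
    return [item.strip() for item in value.split(",") if item.strip()]

def check_origin(origin):
    """Return a finding for one origin entry, or None. Assumes exact Origin matching."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ("error", origin, "not a scheme://host[:port] origin")
    if parts.path or parts.query or parts.fragment:
        return ("error", origin, "path or trailing slash never appears in a browser Origin header")
    if parts.scheme == "http":
        return ("warn", origin, "cleartext origin that may also send credentialed requests")
    return None

def audit_cors(env):
    """Return (level, subject, message) findings for a dict of Cors__* settings."""
    cfg = {**DEFAULTS, **env}
    origins = parse_list(cfg["Cors__AllowedOrigins"])
    if not origins:
        return []  # same-origin only: nothing is exposed cross-origin
    findings = []
    if "*" in origins:
        findings.append(("warn", "*", "any website may call the API from a browser"))
    findings += [f for f in map(check_origin, (o for o in origins if o != "*")) if f]
    for key in ("Cors__AllowedMethods", "Cors__AllowedHeaders"):
        if "*" in parse_list(cfg[key]):
            findings.append(("warn", key, "wildcard; list only what cross-origin clients need"))
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = {
    "Cors__AllowedOrigins": "https://app.example.com, https://staging.example.com/,"
                            " http://dev.example.com",
    "Cors__AllowedHeaders": "*",
}

if __name__ == "__main__":
    for level, subject, message in audit_cors(SAMPLE):
        print(f"{level:5} {subject}: {message}")
```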