CORS

Cross-Origin Resource Sharing (CORS) settings control which external domains can make browser requests to Releval's API. By default Releval allows same-origin requests only: the bundled web UI is served from the same origin as the API, so no cross-origin access is needed out of the box. Set Cors__AllowedOrigins to allow cross-origin browser clients; the method and header allow-lists then constrain those requests.

Settings

| Variable | Default | Description |
| --- | --- | --- |
| Cors__AllowedOrigins | (empty) | Comma-separated list of allowed origins; * for any; empty means same-origin only |
| Cors__AllowedMethods | GET,POST | Comma-separated HTTP methods, or * for any |
| Cors__AllowedHeaders | content-type,accept | Comma-separated header names, or * for any |

Example

To allow cross-origin browser requests from specific origins only:

environment:
  - Cors__AllowedOrigins=https://app.example.com,https://staging.example.com
  - Cors__AllowedMethods=GET,POST,PUT,DELETE
  - Cors__AllowedHeaders=content-type,accept,authorization

Note

CORS only affects browser-based requests. Server-to-server API calls (e.g. from App Clients) are not subject to CORS restrictions.

Listing specific origins (rather than *) also permits credentialed cross-origin requests from them.
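
A pre-deployment check for the three settings above, as an added example that is not part of Releval: it parses the comma-separated values and flags entries worth reviewing before they are trusted with credentialed requests. The function names, the review rules and the assumption that origins are matched exactly against the browser's Origin header belong to this example, not to the product.

```python
from urllib.parse import urlsplit

LOCAL_HOSTS = ("localhost", "127.0.0.1")

def parse_env(lines):
    """Turn 'KEY=value' entries (as in the environment list) into a dict."""
    return dict(line.lstrip("- ").split("=", 1) for line in lines if "=" in line)

def split_list(value):
    """Split a comma-separated setting into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_cors(env):
    """Return (setting, item, finding) tuples for entries worth reviewing."""
    findings = []
    key = "Cors__AllowedOrigins"
    for origin in split_list(env.get(key, "")):
        parts = urlsplit(origin)
        if origin == "*":
            findings.append((key, origin, "any origin may call the API"))
        elif parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append((key, origin, "not a scheme://host[:port] origin"))
        elif parts.path or parts.query or parts.fragment:
            # Browsers send Origin without path or trailing slash, so under
            # exact matching (assumed here) this entry would never match.
            findings.append((key, origin, "has path, query or trailing slash"))
        elif parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
            findings.append((key, origin, "plain-http origin"))
    for key in ("Cors__AllowedMethods", "Cors__AllowedHeaders"):
        if "*" in split_list(env.get(key, "")):
            findings.append((key, "*", "wildcard allow-list"))
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = [
    "- Cors__AllowedOrigins=https://app.example.com/, app.example.com,*,http://staging.example.com",
    "- Cors__AllowedHeaders=*",
]

if __name__ == "__main__":
    for setting, item, finding in audit_cors(parse_env(SAMPLE)):
        print(f"{setting}: {item!r}: {finding}")
```

An empty result means none of these rules fired; it does not confirm that each listed origin should be trusted.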