@@ -65,19 +65,24 @@ enabled = true
6565allowed_methods = [" GET" , " POST" , " PUT" , " DELETE" ]
6666
6767# Defines which origins are permitted to make cross-origin requests.
68- # An asterisk "*" allows all origins. Specific domains can be listed to restrict access.
68+ # An asterisk "*" as the first entry allows all origins (any entries after it
69+ # are ignored); "*" in any other position fails the config. Specific domains
70+ # can be listed to restrict access.
6971allowed_origins = [" *" ]
7072
7173# Lists allowed headers that can be used in CORS requests.
7274# For example, ["content-type"] permits only the content-type header.
7375allowed_headers = [" content-type" , " authorization" ]
7476
7577# Headers that browsers are allowed to access in CORS responses.
76- # An empty array means no additional headers are exposed to browsers.
77- exposed_headers = [" " ]
78+ # `x-iggy-view` carries the current VSR view number; exposing it lets browser
79+ # clients read it on cross-origin responses.
80+ exposed_headers = [" x-iggy-view" ]
7881
7982# Determines if credentials like cookies or HTTP auth can be included in CORS requests.
80- # `true` allows credentials to be included, useful for authenticated sessions.
83+ # `true` allows credentials to be included, useful for authenticated sessions;
84+ # it requires explicit (non-wildcard) allowed_origins, allowed_headers, and
85+ # exposed_headers.
8186# `false` prevents credentials, enhancing privacy and security.
8287allow_credentials = false
8388
0 commit comments