pub struct CorsCfg {
    pub enabled: bool,
    pub allow_origins: Vec<String>,
    pub allow_methods: Vec<String>,
    pub allow_headers: Vec<String>,
    pub expose_headers: Vec<String>,
    pub allow_credentials: bool,
    pub max_age: String,
}

Cross-Origin Resource Sharing policy. A drop-in front door commonly sits in front of an app
whose browser frontend is served from a different origin (a separate static host, a
preview URL, localhost:5173 in dev); without CORS those fetch calls are blocked by the
browser. When enabled, EdgeGuard answers preflight OPTIONS requests itself (before auth —
preflights carry no credentials) and adds the matching Access-Control-* headers to actual
responses. Off by default: opening cross-origin access is a deliberate choice. Compiled into
a crate::cors::CorsPolicy.

Fields

enabled: bool

allow_origins: Vec<String>
Allowed request origins, matched exactly (scheme + host + port), e.g.
["https://app.example.com"]. The single entry ["*"] allows any origin — but a
wildcard cannot be combined with allow_credentials = true (the Fetch spec forbids it),
so that combination is rejected at startup.

allow_methods: Vec<String>
Methods advertised in the preflight Access-Control-Allow-Methods. Empty = a sensible
default set (GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD).

allow_headers: Vec<String>
Request headers advertised in Access-Control-Allow-Headers. Empty = reflect whatever the
browser asks for in Access-Control-Request-Headers (the common, permissive default).

expose_headers: Vec<String>
Response headers the browser is allowed to read, advertised in
Access-Control-Expose-Headers. Empty = none beyond the CORS-safelisted set.

allow_credentials: bool
Send Access-Control-Allow-Credentials: true so the browser may send cookies / HTTP auth.
Requires explicit allow_origins (no "*").

max_age: String
How long a browser may cache the preflight result, e.g. "600s", "1h". "0" omits the
Access-Control-Max-Age header (the browser uses its own short default).
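
The allow_origins and allow_credentials rules above, sketched as an added example (not EdgeGuard's own code; Policy, CorsError, compile and headers_for are hypothetical names, and the origins are constructed samples). It shows the startup rejection of "*" with credentials and why exact matching refuses look-alike hosts and scheme downgrades.

```rust
// Added example: hypothetical names, not EdgeGuard's crate::cors API.
#[derive(Debug, PartialEq)]
pub enum CorsError {
    WildcardWithCredentials,
}

pub struct Policy {
    any_origin: bool,
    origins: Vec<String>,
    credentials: bool,
}

impl Policy {
    /// Startup check: "*" together with allow_credentials is refused.
    pub fn compile(allow_origins: &[&str], allow_credentials: bool) -> Result<Policy, CorsError> {
        if allow_credentials && allow_origins.contains(&"*") {
            return Err(CorsError::WildcardWithCredentials);
        }
        Ok(Policy {
            // Only the single entry ["*"] means "any origin".
            any_origin: allow_origins.len() == 1 && allow_origins[0] == "*",
            origins: allow_origins.iter().map(|o| o.to_string()).collect(),
            credentials: allow_credentials,
        })
    }

    /// Access-Control-* headers for a response to a request carrying `origin`.
    pub fn headers_for(&self, origin: &str) -> Vec<(&'static str, String)> {
        let mut out = Vec::new();
        if self.any_origin {
            out.push(("Access-Control-Allow-Origin", "*".to_string()));
        } else if self.origins.iter().any(|o| o == origin) {
            // Exact string match on scheme + host + port; no prefix or suffix matching.
            out.push(("Access-Control-Allow-Origin", origin.to_string()));
            if self.credentials {
                out.push(("Access-Control-Allow-Credentials", "true".to_string()));
            }
        }
        out
    }
}

fn main() {
    // Constructed sample configuration and request origins.
    let p = Policy::compile(&["https://app.example.com"], true).unwrap();
    for o in ["https://app.example.com", "https://app.example.com.lookalike.test", "http://app.example.com"] {
        println!("{o} -> {:?}", p.headers_for(o));
    }
}
```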