Skip to main content

cors_layer

Function cors_layer 

Source
pub fn cors_layer(cfg: &CorsConfig) -> CorsLayer
Expand description

Build the CORS layer for the gateway router.

  • Empty allowlist (cfg.allowed_origins.is_empty()) → returns CorsLayer::new(), which sets no Access-Control-Allow-Origin header and therefore rejects every cross-origin request. This is the safe default for fresh installs — operators opt in by setting TENSOR_WASM_API_CORS_ALLOWED_ORIGINS.
  • Non-empty allowlist → returns a layer that admits exactly those origins (parsed back into HeaderValues; unparseable entries are silently dropped — they were already rejected at startup by the bearer-auth allowlist parser’s stricter sibling and would never match a real browser Origin header anyway).

The allowed methods (GET, POST, DELETE) and headers (Authorization, Content-Type, X-TensorWasm-Tenant, Traceparent) match the API’s wire surface — see API.md.