CORS Configuration

Your decoupled site may require configuration to allow cross-origin resource sharing (CORS). By default, sites created using the decoupled-drupal project opt in to Drupal's CORS support with a very permissive configuration for local development:

# Configure Cross-Site HTTP requests (CORS).
# Read
# for more information about the topic in general.
# Note: By default the configuration is disabled.
enabled: true
# Specify allowed headers, like 'x-allowed-header'.
# Specify allowed request methods, specify ['*'] to allow all possible ones.
allowedMethods: ['*']
# Configure requests allowed from specific origins.
allowedOrigins: ['*']
# Sets the Access-Control-Expose-Headers header.
exposedHeaders: true
# Sets the Access-Control-Max-Age header.
maxAge: true
# Sets the Access-Control-Allow-Credentials header.
supportsCredentials: true

Since the appropriate CORS configuration in production and pre-production environments may vary on a project-by-project basis, the above configuration is only loaded for local development. We recommend configuring production and pre-production service configurations to set the appropriate CORS configuration for your Pantheon environments if necessary.
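
As an added example (not part of the decoupled-drupal project's own files), a production services configuration might replace the wildcard origins and credential support shown above with an explicit allow-list. The origin https://www.example.com, the header and method lists, and the maxAge value are assumptions to adapt to your own front end.

```yaml
# Added example: restrictive cors.config for a production services file.
# Assumption: the front end is a read-only consumer served from
# https://www.example.com (placeholder origin, replace with your own).
parameters:
  cors.config:
    enabled: true
    # Only the request headers the front end actually sends.
    # 'authorization' is listed on the assumption that it sends a bearer token.
    allowedHeaders: ['content-type', 'accept', 'authorization']
    # Assumed read-only access; add methods only when the front end needs them.
    allowedMethods: ['GET']
    # Exact origins (scheme and host, no trailing slash) instead of ['*'].
    allowedOrigins: ['https://www.example.com']
    # Expose no additional response headers to cross-origin scripts.
    exposedHeaders: false
    # Let browsers cache preflight results for 10 minutes.
    maxAge: 600
    # Do not send Access-Control-Allow-Credentials, so cookies and HTTP
    # authentication are not included in cross-origin requests.
    supportsCredentials: false
```

If the front end does need cookie-based sessions, set supportsCredentials to true only together with an explicit allowedOrigins list, never with ['*'].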