Last active
February 5, 2026 22:49
-
-
Save ryanburnette/d13575c9ced201e73f8169d3a793c1a3 to your computer and use it in GitHub Desktop.
Caddy v2.1+ CORS whitelist
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (cors) { | |
| @cors_preflight{args.0} method OPTIONS | |
| @cors{args.0} header Origin {args.0} | |
| handle @cors_preflight{args.0} { | |
| header { | |
| Access-Control-Allow-Origin "{args.0}" | |
| Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" | |
| Access-Control-Allow-Headers * | |
| Access-Control-Max-Age "3600" | |
| defer | |
| } | |
| respond "" 204 | |
| } | |
| handle @cors{args.0} { | |
| header { | |
| Access-Control-Allow-Origin "{args.0}" | |
| Access-Control-Expose-Headers * | |
| defer | |
| } | |
| } | |
| } | |
| myawesomewebsite.com { | |
| root * /srv/public/ | |
| file_server | |
| import cors https://member.myawesomewebsite.com | |
| import cors https://customer.myawesomewebsite.com | |
| } |
There is a small mistake in this configuration that prevents the OPTIONS to match the correct origin if there are multiple origins in the configuration as in the example:
myawesomewebsite.com {
...
import cors https://member.myawesomewebsite.com
import cors https://customer.myawesomewebsite.com
}
This is fixed by also matching the preflight with the origin:
- @cors_preflight{args.0} method OPTIONS
+ @cors_preflight{args.0} {
+ method OPTIONS
+ header Origin {args.0}
+ }
@DurandA yeap, this code can enable CORS for any request's domain As I see you try to "limit" domains, this code can't do this, sorry
I rewrote my issue and proposed a fix above.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@DurandA yeap, this code can enable CORS for any request's domain
As I see you try to "limit" domains, this code can't do this, sorry