Skip to content

Instantly share code, notes, and snippets.

@ryanburnette

ryanburnette/Caddyfile

Last active February 5, 2026 22:49
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save ryanburnette/d13575c9ced201e73f8169d3a793c1a3 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save ryanburnette/d13575c9ced201e73f8169d3a793c1a3 to your computer and use it in GitHub Desktop.
Download ZIP
Caddy v2.1+ CORS whitelist
Raw
Caddyfile
(cors) {
@cors_preflight{args.0} method OPTIONS
@cors{args.0} header Origin {args.0}
handle @cors_preflight{args.0} {
header {
Access-Control-Allow-Origin "{args.0}"
Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
Access-Control-Allow-Headers *
Access-Control-Max-Age "3600"
defer
}
respond "" 204
}
handle @cors{args.0} {
header {
Access-Control-Allow-Origin "{args.0}"
Access-Control-Expose-Headers *
defer
}
}
}
myawesomewebsite.com {
root * /srv/public/
file_server
import cors https://member.myawesomewebsite.com
import cors https://customer.myawesomewebsite.com
}
@DurandA
Copy link

DurandA commented Feb 5, 2026

@DurandA yeap, this code can enable CORS for any request's domain As I see you try to "limit" domains, this code can't do this, sorry

I rewrote my issue and proposed a fix above.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment