Configuring Glue for cross-origin requests

Edit on GitHub

By default, Glue REST API is configured to run using the same-origin policy, which still remains the recommended default security level for web applications. However, taking into account that requests to Glue REST API can originate from touchpoints located across multiple domains, we made it possible to enable Cross-Origin Resource Sharing (CORS) in Glue. When CORS is enabled, Glue REST API can accept requests from a list of allowed origins or from any origin, depending on configuration.

To enable cross-origin resource sharing in Glue:


To enable CORS support in Glue, follow the Installation Guide.


CORS is configured in Spryker Glue via environment variables. There are 2 levels where CORS can be configured: global and per-domain. On the global level, CORS is configured for the whole Glue Application. On the per-domain level, you can configure CORS behavior for each domain configured in Glue Application separately. For example, you can configure different lists of allowed origins for the and domains.

Per-domain configuration always prevails over the global one. For this reason, the recommended practice is to configure CORS behavior for each domain separately.

Configuration can be found in the following files:

  • Globalconfig/Shared/config_default.php;
  • Per-domainconfig/Shared/config_default_DE.php, where DE is the respective domain.

To configure CORS behavior:

  1. Open the necessary configuration file depending on which CORS configuration you want to set up.

  2. Modify the value of the GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN variable. You can set its value as follows:

    • <null> - CORS is disabled. Example:
    $config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = '';
    • * - allow CORS requests from any domain. Example:
    $config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = '*';
    • - allow CORS requests only from the specified origin. Example:
    $config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = '';
  3. Save the file.


To verify that the configuration has been completed successfully, make an OPTIONS pre-flight request to any valid Glue resource with the correct Origin header, for example,, and make sure that:

  • The Access-Control-Allow-Origin header is present and is the same as set in the configuration;
  • The Access-Control-Allow-Methods header is present and contains all available REST methods.

You can also make one of the available POST, PATCH, or DELETE request (depending on the resource used) and verify that response headers are the same.