Configuring Glue for cross-origin requests
By default, the Glue REST API is configured to run using the same-origin policy, which remains the recommended default security level for web applications. However, because requests to the Glue REST API can originate from touchpoints located across multiple domains, we made it possible to enable Cross-Origin Resource Sharing (CORS) in Glue. When CORS is enabled, the Glue REST API can accept requests from a list of allowed origins or from any origin, depending on the configuration.
To enable CORS support in Glue, follow the Installation Guide.
Configure CORS behavior
CORS is configured in Spryker Glue using environment variables. There are two levels where CORS can be configured: global and per-domain. On the global level, CORS is configured for the whole Glue Application. On the per-domain level, you can configure CORS behavior separately for each domain configured in Glue Application. For example, you can configure different lists of allowed origins for the http://glue.de.mysprykershop.com and http://glue.at.mysprykershop.com domains.
Per-domain configuration always prevails over the global one. For this reason, the recommended practice is to configure CORS behavior for each domain separately.
Configuration can be found in the following files:
- Global: config/Shared/config_default.php
- Per-domain: config/Shared/config_default_DE.php, where DE is the respective domain.
To configure CORS behavior, follow these steps:
- Open the necessary configuration file depending on which CORS configuration you want to set up.
- Modify the value of the GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN variable. You can set its value as follows:
  - <null>: CORS is disabled. Example:
    $config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = '';
  - *: allow CORS requests from any domain. Example:
    $config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = '*';
  - http://www.example1.com: allow CORS requests only from the specified origin. Example:
    $config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = 'http://www.example1.com';
- Save the file.
Verify the configuration
To verify that the configuration has been completed successfully, make an OPTIONS pre-flight request to any valid Glue resource with the correct Origin header, for example, http://glue.example.com/, and make sure the following:
- The Access-Control-Allow-Origin header is present and is the same as set in the configuration.
- The Access-Control-Allow-Methods header is present and contains all available REST methods.
You can also make one of the available POST, PATCH, or DELETE requests (depending on the resource used) and verify that the response headers are the same.
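The two header checks above can be scripted. The following is an added example, not part of the original page or of Spryker's code: check_preflight, preflight, EXPECTED_METHODS and SAMPLE are hypothetical names, and the expected method list and the sample headers are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

# Assumption: the methods the tested resource exposes; adjust per resource.
EXPECTED_METHODS = ("GET", "POST", "PATCH", "DELETE", "OPTIONS")

def check_preflight(headers, configured_origin, expected_methods=EXPECTED_METHODS):
    """Return a list of problems; an empty list means the headers match.

    headers: (name, value) pairs from the OPTIONS response.
    configured_origin: the GLUE_APPLICATION_CORS_ALLOW_ORIGIN value.
    """
    found = {}
    for name, value in headers:  # header names are case-insensitive
        found.setdefault(name.lower(), []).append(value.strip())
    problems = []
    origins = found.get("access-control-allow-origin", [])
    if not origins:
        problems.append("Access-Control-Allow-Origin is missing")
    elif origins != [configured_origin]:
        # Also catches a header that was sent more than once.
        problems.append(f"Allow-Origin is {origins}, expected {configured_origin!r}")
    allowed = set()
    for value in found.get("access-control-allow-methods", []):
        allowed.update(m.strip().upper() for m in value.split(",") if m.strip())
    missing = [m for m in expected_methods if m not in allowed]
    if missing:
        problems.append("Allow-Methods lacks " + ", ".join(missing))
    return problems

def preflight(url, origin, method="POST"):
    """Send the OPTIONS pre-flight request and return its response headers."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        conn.request("OPTIONS", parts.path or "/", headers={
            "Origin": origin, "Access-Control-Request-Method": method})
        return conn.getresponse().getheaders()
    finally:
        conn.close()

# Constructed sample response headers (not captured from a real Glue instance).
SAMPLE = [("access-control-allow-origin", "http://www.example1.com"),
          ("Access-Control-Allow-Methods", "GET, POST, PATCH, DELETE, OPTIONS")]

if __name__ == "__main__":
    print(check_preflight(SAMPLE, "http://www.example1.com") or "OK")
```

Against a running instance, pass the result of preflight() for a Glue resource URL to check_preflight() together with the origin value set in the configuration file.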